Re: spatial stuff detail

[Mike Hearn <mike theoretic com>]

On Tue, 2003-09-23 at 22:55, George wrote:
> That's because the UI for these things is complete and utter crap.  GPG is
> really an aftertought in the way it works.  You talk of a *good* and *easy*
> UI for the installation process, why not have a *good* and *easy* UI for
> signatures and security.

If I was feeling inspired, maybe I'd make one. Unfortunately no matter
how simple you make the UI, digital signatures are not a zero effort
thing. You have to import the public key for starters. That's only one
command for people who want to check my emails, but it's still something
you've got to do, and *know* that you want to do it.

> Just because nobody still hasn't done it right doesn't mean that we should
> continue to do it crappily because 'that's the way it works'.

There are tradeoffs, like most things. The web browser security UI is
good (ie it's non-existant by default), but the tradeoff is that it's
easier to spoof (because very few people actually check the writing on
the certificate and they are so easy to get hold of).

> Thinking more about it, it is possible.  Suppose you get a package signed by
> redhet.com rather then redhat.com.  Well obviously to the installer this is a
> new domain name for the installer.  

How do you determine that something was signed by a domain? This isn't
SSL, we don't want to centralise trust around VeriSign or link it to DNS
(not everybody even owns a domain name), or require people to import
certificates first. All we can know is that "here is a signature, here
is a public key, do the math and does the answer match?". 

We have to get both pieces of data from somewhere, both external to the
package itself, and there's no way for us or the user to know that a key
is "genuine" other than if it in turn has been signed. Then we get into
the web of trust, keysigning parties and so on, but this adds a *lot* of
overhead.

> Yes there can.  Think very nefarious dialogs that pop up when you try to do
> it.

Or you can take the Outlook latest-patch route which simply stops you
saving executable attachments all together.

>   The email client should be very careful here about warning the users.
> A nice signed package from someone we trust should pass without any dialog
> here then (if security is done right).  You should just be able to click
> on it or dnd it or whatnot.

Everybody has to sign attachments now? But you said yourself, this is a
lot of effort, even with the best UI in the world....

> 
> If W32/Swen looks authentic then it would loose all authenticity if a dialog
> came up that told you that "no this package was not distributed by
> microsoft.com, but in fact by micros0ft.com".  

More likely no dialog would come up at all, because nobody non-geek ever
signs their emails, so that's what they'd expect. And again, you can't
tie them to domain names without certificate authorities, which are
notoriously hard to get right (think Verisign)

> > Ah, well exactly. I signed this mail to make you happy ;) but where do
> > you get my public key? [1] How do you import it? [2] If even us coders
> > don't bother, how many users will [3]?
> 
> That's because GPG sucks donkey balls in terms of user experience as do most
> security packages currently.  One appears to need a degree in cryptography to
> understand even the description of some packages.

Oh, well, it's not that hard. I was kind of surprised really:

$ gpg --gen-key
(give it the data it wants)
(upload the public key somewhere....)
(somebody else imports it)
$ gpg --verify (to check something that's been digitally signed)

Still too complex of course. And you have to grok the concept of signing
stuff in the first place, which is really abstract and most people don't
care enough about it to want to know.

> But if it's easy to install packages, someone will start distributing virii
> as such.  I'm not saying we're well prepared for the 'random binary'
> execution scenario either.

Remember that we've been using source tarballs for years, which are
scarily easy to trojan (think 100,000 line configure scripts). It's only
happened a few times, as far as I know, and in both cases I can think of
the FTP server hosting it was cracked (which means you can fiddle the
keyfiles/signatures etc)

> ANSWERS for me:
> [1] nowhere
> [2] nowhere
> 
> (But I do have a GPG key and will sign this mail, but obviously you don't
> know that it's been signed by me so ...)

.... so it's worthless. This stuff is much harder than it first appears,
which is why we're making it optional for now. The cost/benefit analysis
doesn't really look that great :(