
, 2002-08-07
The OpenSSH backdoor demonstrates that the community must get pragmatic about package verification, and fast.
This is, in a very substantial way, the end of the Cypherpunk dream of security through mathematics.
This doesn't mean "selling out," we can retain at least some of our youthful optimism. But we need to find a set of principles upon which we can base our relationships with others -- common ground that we share with the big bad world outside.
The debate over the withdrawn full-disclosure draft and HP's DMCA threats are an obvious case where we need mature, reasonable community standards. Without general agreement on a framework for disclosure, we will continue to be treated like adolescents who refuse to grow up and take responsibility for ourselves.
But the clearest example of the need for a little more maturity is in identity certification.
The recently-discovered
Practically Imperfect
It is important to note that the OpenBSD team does not bear direct responsibility for the attack: the primary server is at the University of Alberta, and runs SunOS. The storage space and bandwidth required to serve such popular software is not trivial, and until OpenBSD has
Likewise, the Portable OpenSSH team did everything right. The public key for the distribution is available, as are detached signatures for the packages.
But who checks PGP signatures?
While Pretty Good Privacy and the GNU Privacy Guard provide a framework for strong cryptography, they don't provide a simple way to validate the source of software. The OpenSSH Trojan would have been thwarted by a package verification system simple enough for users to rely on, rather than simply ignore -- even if it provides less than the mathematically perfect proof of identity of PGP.
X.509 certificates meet this need.
In my opinion, X.509 is a lousy standard. I'm opposed in principle to hierarchical identity assurance -- it does not prove identity effectively, and it is subject to abuse by those at the top of the pyramid. PGP's web of trust and
Self-signed X.509 certificates can be used to provide a lower level of assurance in a way that is still simple enough for the average user to manage, and that is what's needed here.
Had we not pursued a mathematically perfect solution at the beginning, we might have ended up with software that people would actually use to verify the integrity of their software. The best proved itself to be the enemy of the good. In fact, it was the simple, convenient solution that caught the OpenSSH Trojan: FreeBSD's
The Cypherpunk Paradox
This is, in a very substantial way, the end of the
It's been a long time coming. Why does FreeBSD's "ports" system checks MD5 checksums instead of PGP signatures? One answer is the desire to keep as few tools as possible in the base operating system. To add GNU Privacy Guard or another signature-checking tool to the base operating system will always be controversial to software purists who want to keep Unix just like it was when they first logged onto a PDP/11 in 1979.
Another answer is that cypherpunk sentiment against a hierarchical X.509-style public-key infrastructure has left us without a meaningful way to validate public keys as belonging to a particular individual or group.
The open-source community is showing signs of growing up in this regard: current development releases of the
That's a good start. The fact is, we need a universal standard for identity certificates and cryptographic signatures, wherein ease of use and understanding is as important as the technical assurance, and which can be applied to software verification as easily as MD5 checksums are today. A perfect but complicated standard like PGP is of less use than a partial solution which people actually use. Until we accept this, can we expect Dad to trust us with the keys to the car?