i'm not really assuming that. i'm just saying that costs become non-linear once you scale things up and want to be able to keep doing what you're doing over time rather than just briefly. a "big brother" scenario seems a lot more likely to come from key escrow than 0day.
Replying to @qwertyoruiopz @rmhrisk and
Dunno, you could just use a 0day once to compromise the build server... that scales really well, and has really happened
2 replies 1 retweet 10 likes -
Replying to @taviso @qwertyoruiopz and
That presumes the code signing system is online and automated; bad design x2.
1 reply 0 retweets 0 likes -
Most code signing system compromises have been due to online keys. That’s why sensitive keys are kept offline.
1 reply 0 retweets 0 likes -
>sensitive keys kept in HSM
>code signing HSM connected to internet
1 reply 0 retweets 1 like -
Replying to @saleemrash1d @taviso and
I’ve worked on several such systems for large companies; properly designed ones are either offline (manual) or at a minimum air-gapped; in all cases a quorum of physical employees. Not online like Let’s Encrypt.
2 replies 0 retweets 0 likes -
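The "quorum of physical employees" point above is the part of the design that can be shown in code. The block below is an added illustration, not code from any participant in this thread and not how any vendor's HSM works: it splits a release-signing key with Shamir secret sharing over GF(p) so that any k of n custodians can reconstruct it, refuses to sign when fewer than k shares are presented, and uses HMAC-SHA256 as a stand-in for the real signature operation. The key bytes, the artifact and the k/n parameters are all constructed for the demo. The toy deliberately has the weakness the thread is arguing about: the key is reassembled in software memory, whereas a real offline/air-gapped HSM keeps it inside the device and only takes the M-of-N credentials as authorization.

```python
import hashlib
import hmac
import secrets

# Mersenne prime 2^521 - 1; larger than any 256-bit key, so every key is a field element.
P = 2**521 - 1


def _eval_poly(coeffs, x):
    """Evaluate coeffs[0] + coeffs[1]*x + ... mod P (Horner's rule)."""
    y = 0
    for c in reversed(coeffs):
        y = (y * x + c) % P
    return y


def split_key(key: bytes, k: int, n: int):
    """Split a signing key into n shares of which any k reconstruct it.

    The key is the constant term of a random degree-(k-1) polynomial;
    share i is the point (i, f(i)). Fewer than k points reveal nothing.
    """
    secret = int.from_bytes(key, "big")
    if not (0 < k <= n) or secret >= P:
        raise ValueError("bad quorum parameters or key too large for the field")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(i, _eval_poly(coeffs, i)) for i in range(1, n + 1)]


def recover_key(shares, key_len: int = 32) -> bytes:
    """Lagrange-interpolate f(0) from exactly k shares and return the key bytes."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        # pow(den, P-2, P) is the modular inverse of den (Fermat, P prime)
        secret = (secret + yi * num * pow(den, P - 2, P)) % P
    return secret.to_bytes(key_len, "big")


def sign_release(shares, k: int, artifact: bytes) -> str:
    """Signing ceremony: enforce the quorum, then sign the artifact.

    HMAC-SHA256 stands in for the asymmetric signature a real code-signing
    system would produce. Hypothetical helper, constructed for this example.
    """
    if len(shares) < k:
        raise PermissionError(f"quorum not met: {len(shares)} of {k} custodians present")
    key = recover_key(shares[:k])
    return hmac.new(key, artifact, hashlib.sha256).hexdigest()


if __name__ == "__main__":
    # Constructed demo values: a 32-byte key and a 3-of-5 custodian quorum.
    demo_key = hashlib.sha256(b"constructed demo signing key").digest()
    custodians = split_key(demo_key, k=3, n=5)
    artifact = b"firmware-1.2.3.bin (constructed)"
    print("3 custodians:", sign_release(custodians[:3], 3, artifact))
    try:
        sign_release(custodians[:2], 3, artifact)
    except PermissionError as e:
        print("2 custodians:", e)
```

Any three of the five share holders produce the same signature, which is what makes the scheme usable for an offline ceremony with rotating staff; the single `len(shares) < k` check is the whole policy, and it only means anything if the shares really are held by different people on media that never touch a networked host.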
Replying to @rmhrisk @saleemrash1d and
Ah-ha, I think you're saying you believe you can build a secure HSM infrastructure, but the necessities of a lawful access system (e.g. speed and scale of LE access requirements) would require you to make design compromises?
3 replies 0 retweets 1 like -
Replying to @taviso @saleemrash1d and
Absolutely. When designing key management procedures frequency of access is the single largest constraint to making an effective system.
1 reply 0 retweets 2 likes -
Replying to @rmhrisk @saleemrash1d and
Hmm, I think that's a pretty strong argument. However... it is slightly weakened by the fact that build servers are already built that way, and a compromise is *effectively* just as bad... what do you think?
1 reply 0 retweets 0 likes -
The way packaging and build servers are built today is using the insecure PKI infrastructure you're saying you would have to build to meet LE constraints. Compromising those is just as bad, and possible today, no?
Replying to @taviso @saleemrash1d and
I know intimately how the Microsoft system (and other large tech companies) manage production package and firmware signing keys and they are not online like you suggest.
0 replies 0 retweets 0 likes