On 07/06/2014 11:11 AM, Nico Kadel-Garcia wrote:
if you can MITM the content, nothing signed or otherwise is assured to be in any sate.
First note: in many environments, MITM is how things work normally. In others, the routers and proxies and DNS are *not* secured or easily re-implemented to be secure, for many, many different reasons. No matter how careful you are with git.centos.org itself, it's going to be vulnerable to trojaned intermediate repositories being substituted because no one at CentOS or Red Hat has enough control over the Internet to fix these.
You are repeatedly saying this, but failing to actually quantify it.
your gpg key is pretty much null routed once someone can MITM the content anyway, and i also assume you realise that a gpg sign is still with the same sort of code/key as an ssl connection is.
the bottom line is that unless you can get an authoritative manner of initial keyexchange, that you can absolutely trust, nothing else down the line is going to be any more secure than the initial handover. I'm happy to setup a keysign and keyexchange event at every dojo we run, but even that is likely to only reach a small fraction of the entire userbase.
So the only way to get the originating gpg key ( that you'd verify against ) is over ssl on the internet, which also implies that having git.centos.org behind the same leave lof trust puts us no worse off.
regards