[SSL Observatory] Observatory source code available via git

Daniel Kahn Gillmor dkg at fifthhorseman.net
Fri May 13 11:00:28 PDT 2011


On 05/13/2011 12:52 PM, Chris Palmer wrote:
> On May 13, 2011, at 11:35 AM, Daniel Kahn Gillmor wrote:
> 
>> As long as you are pulling (and properly verifying) signed tags, the
>> git://  scheme provides entirely reasonable integrity protection.
> 
> As far as I know, we don't sign any tags.

Peter Eckersley does sign tags [0], using the following key:

pub   1024D/757465BC 2000-12-17
    Key fingerprint = 30BF 6A78 2013 DCFA 5985  E255 9D31 4A9A 7574 65BC
uid            Peter Eckersley <pde at eff.org>
uid            Peter Eckersley <pde at cs.mu.oz.au>
sub   1024g/460521C4 2000-12-17

Thanks, pde!  (any time you want to transition to a modern key >= 2048
bits, that'd be great -- I can guide you through the key transition
process if you're interested)

> Is there a security analysis of Git anywhere?

Some interesting discussion around possible attacks against git's
integrity guarantees happened two years ago, based on the fact that git
relies heavily on the collision resistance of SHA-1:

 http://kitenet.net/~joey/blog/entry/sha-1/

As attacks against SHA-1's collision resistance increase, this sort of
concern will become increasingly relevant, alas :(  Even if git's
underlying internals are up for swapping out SHA1 for a stronger digest
algorithm, the installed base of SHA1-driven git repositories is a
social nightmare to untangle.

Note that the integrity guarantees of a TLS session are usually *weaker*
than SHA-1, though they happen roughly synchronously, so they're harder
to attack.  OTOH, you also can't redistribute the assurances they give
you to your neighbor, so they're less useful.

Ah, algorithm agility, where are you when we need you :P

	--dkg


[0] from your git repo, do: "git tag -v $(git tag -l)"
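An added example, not from this thread or from the Observatory code, of the "properly verifying" half of the point above: `git tag -v` reports a good signature from any key in your keyring, so a fetch script should additionally pin the expected fingerprint. This helper reads gpg's machine-readable status stream (assumed to come from `git verify-tag --raw`, which needs a git new enough for that flag) and accepts a tag only on a VALIDSIG from the pinned key with no failure token; the status samples at the bottom are constructed, not real signatures.

```python
import re
import subprocess
from dataclasses import dataclass, field

# Fingerprint quoted in the message above, spaces removed.
PINNED_FPR = "30BF6A782013DCFA5985E2559D314A9A757465BC"
# gpg status tokens that disqualify a signature even if a VALIDSIG line is also present.
REJECT_TOKENS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}

@dataclass
class Verdict:
    ok: bool
    reasons: list = field(default_factory=list)

def check_status(status_text: str, pinned_fpr: str = PINNED_FPR) -> Verdict:
    """Accept only a VALIDSIG made by the pinned key with no failure token in the stream.

    status_text is the '[GNUPG:] ...' stream gpg writes to --status-fd, which
    'git verify-tag --raw' relays on stderr (assumption: a git new enough for --raw).
    """
    signer_fprs, reasons = set(), []
    for line in status_text.splitlines():
        m = re.match(r"\[GNUPG:\]\s+(\S+)\s*(.*)$", line)
        if not m:
            continue  # human-readable gpg chatter, not a status record
        token, args = m.groups()
        if token in REJECT_TOKENS:
            reasons.append(token)
        elif token == "VALIDSIG":
            # VALIDSIG <fpr> <date> <ts> <exp> <ver> <rsv> <pkalgo> <hashalgo> <class> [<primary-fpr>]
            parts = args.split()
            signer_fprs.add(parts[0].upper())
            if len(parts) >= 10:
                signer_fprs.add(parts[9].upper())  # primary key fpr when a subkey signed
    if pinned_fpr.upper() not in signer_fprs:
        reasons.append("no VALIDSIG from pinned key " + pinned_fpr)
    return Verdict(ok=not reasons, reasons=reasons)

def verify_tag(repo: str, tag: str) -> Verdict:
    """Run git's own tag verification and judge its raw gpg status output."""
    cmd = ["git", "-C", repo, "verify-tag", "--raw", tag]
    return check_status(subprocess.run(cmd, capture_output=True, text=True).stderr)

# Constructed gpg status samples (not real signatures); the fingerprint is the one above.
SAMPLE_GOOD = ("[GNUPG:] NEWSIG\n[GNUPG:] GOODSIG 9D314A9A757465BC pinned signer\n"
               "[GNUPG:] VALIDSIG 30BF6A782013DCFA5985E2559D314A9A757465BC 2011-05-13 1305302400 0 4 0 17 2 00\n")
SAMPLE_OTHER_KEY = ("[GNUPG:] GOODSIG 0123456789ABCDEF another key in the keyring\n"
                    "[GNUPG:] VALIDSIG 00112233445566778899AABBCCDDEEFF01234567 2011-05-13 1305302400 0 4 0 17 2 00\n")
SAMPLE_EXPIRED = ("[GNUPG:] EXPKEYSIG 9D314A9A757465BC pinned signer\n"
                  "[GNUPG:] VALIDSIG 30BF6A782013DCFA5985E2559D314A9A757465BC 2011-05-13 1305302400 0 4 0 17 2 00\n")
```

A Verdict carries the rejection reasons, so a checkout script can refuse the tag and log why rather than just trusting gpg's exit code.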


