drbrain has quit [Remote host closed the connection]
<kseifried>
the reality is CAs matter less than "oh, this is the same cert the site had 10 months ago" (in other words if you see that, you're being mitm'ed long term and you're stuffed anyways)
<kseifried>
so convergence has some good properties there
drbrain has joined #rubygems-trust
<dstufft>
kseifried: What I like about convergence is really it flips the switch, instead of the relationship being Site <-> CA, it's User <-> Notary
<kseifried>
personally I think the whole authorization/authentication/name space side of SSL is stuffed beyond help
<kseifried>
for one simple reason
<kseifried>
CAs sell trust.
<kseifried>
so economically they have a motivation to f**k security up, and they do, constantly
<kseifried>
you can't fix that with technology :P
havenwood has quit [Remote host closed the connection]
havenwood has joined #rubygems-trust
<dstufft>
:)
<dstufft>
kseifried: Moxie's video talks about that, saying he contacted (one of?) the guy responsible for it and his basic comment about authentication was "well we just threw that in at the end"
<kseifried>
yah I know
<kseifried>
dstufft: I've written entirely too many articles on this :P it's sad
<kseifried>
netscape created it to simply pass CCs online safely
<dstufft>
kseifried: :)
<kseifried>
they had no intention of doing what it ended up doing :P
<kseifried>
much like poor old IPv4.
<kseifried>
whaddya mean you're gonna give every doorknob an IP?
<dstufft>
Sorry I don't know what all you've done other than a cursory google a week or so ago
<kseifried>
dstufft: linux pro magazine, monthly column for like... 5 years now?
<dstufft>
kseifried: nice :)
<kseifried>
basically I'm a tech writer/teacher at heart
<kseifried>
but they pay shit
<kseifried>
so the security thing from this side is better, more new stuff too
havenwood has quit [Ping timeout: 260 seconds]
<dstufft>
ah
<dstufft>
I suck at writing :)
<dstufft>
I just shit out code until my hatred of the existing/lack of a solution subsides
drbrain has quit [Remote host closed the connection]
havenwood has joined #rubygems-trust
<kseifried>
hah
drbrain has joined #rubygems-trust
drbrain has quit [Read error: Connection reset by peer]
drbrain has joined #rubygems-trust
qmx is now known as qmx|away
havenwood has quit [Remote host closed the connection]
havenwood has joined #rubygems-trust
havenwood has quit [Ping timeout: 252 seconds]
nirix has quit [*.net *.split]
havenwood has joined #rubygems-trust
havenwood has quit [Remote host closed the connection]
nirix has joined #rubygems-trust
havenwood has joined #rubygems-trust
jstr has quit [Quit: Computer has gone to sleep.]
jstr has joined #rubygems-trust
ezkl has joined #rubygems-trust
ezkl has quit [Quit: out!]
nirix has quit [*.net *.split]
nirix_ has joined #rubygems-trust
nirix_ is now known as nirix
jstr has quit [Quit: Computer has gone to sleep.]
drbrain has quit [Ping timeout: 260 seconds]
havenwood has quit [Read error: Connection reset by peer]
workmad3 has joined #rubygems-trust
drbrain has joined #rubygems-trust
jstr has joined #rubygems-trust
workmad3 has quit [Read error: Operation timed out]
<raz>
and sadly very relevant to the ongoing discussion :)
geal has quit [Ping timeout: 255 seconds]
billdingo is now known as billdingo-afk
billdingo-afk is now known as billdingo
jstr has quit [Quit: Computer has gone to sleep.]
geal has joined #rubygems-trust
qmx|away is now known as qmx
billdingo is now known as billdingo-afk
billdingo-afk is now known as billdingo
bfleischer has joined #rubygems-trust
qmx is now known as qmx|lunch
conner has quit [Ping timeout: 272 seconds]
conner has joined #rubygems-trust
havenwood has joined #rubygems-trust
conner has quit [Read error: Operation timed out]
qmx|lunch is now known as qmx
conner has joined #rubygems-trust
havenwood has quit [Remote host closed the connection]
havenwood has joined #rubygems-trust
havenwood has quit [Ping timeout: 252 seconds]
<raggi>
tarcieri: nfi
geal has quit [Ping timeout: 256 seconds]
workmad3 has quit [Ping timeout: 260 seconds]
geal has joined #rubygems-trust
havenwood has joined #rubygems-trust
dachshund has joined #rubygems-trust
<dachshund>
hello rubygems-trust
<dachshund>
I hear Donald Stufft at the Python Catalog-SIG mailing list that you are interested in securing rubygems
<dachshund>
(sorry, I hear from Donald...)
<raggi>
hi
<dachshund>
I am Karthik from the TUF project, and we would like to help Ruby and Python folks to help secure their package managers
<dachshund>
TUF is a framework designed by computer scientists from NYU-Poly and the Tor project to help solve some of the more common problems with securing software updaters
<dstufft>
dachshund: hey there ;)
<dachshund>
dstufft: hello, good to meet you :)
<dachshund>
Here are some papers we wrote on the subject
<dachshund>
At the moment, we are working on polishing TUF and releasing it for testing
<dachshund>
We want to make it easy enough to use, such that very little change would need to happen for developers to secure their updaters
<raggi>
dachshund: oh, interesting, i have questions!!
<raggi>
:)
<raggi>
dachshund: so, i read through the 3 spec docs
<dachshund>
raggi: definitely let us know
<raggi>
the spec.txt mentions quorum based trust, early on
<raggi>
but later on, i don't really see any quorum discovery or notion, maybe i misunderstood something
<raggi>
i'm reading the implementation in detail today, to get to know the details
<dachshund>
raggi: yes, there are things that the paper does not address in full detail
<dachshund>
you should be able to find more information on our web site
<dachshund>
i just got involved with the TUF project, so let me get back to you on that question :)
<dachshund>
is there a mailing list where we could discuss these things together?
<raggi>
rubygems-developers
<raggi>
@rubyforge.org
<raggi>
er, let me check that, it might be lists.rubyforge.org
<dachshund>
ok
<raggi>
rubygems-developers@rubyforge.org
<dstufft>
oh I should probably join that one too :)
<dachshund>
that is a great idea
<raggi>
yeah, TUF looks close to what i'm looking for, i was glad to see that it covers some of the time aspect - i had concerns about that from a revocation model standpoint
<dachshund>
Given our working schedules, I think it would be good to carry on some of our discussions there too
<raggi>
at least, what the spec suggests is that it's pretty well aligned
<dachshund>
raggi: yes, TUF has thought these things through, and we are now eager to test these ideas
<raggi>
my only larger concern right now, which is where the test implementation will help, is how well it will scale for our kind of use case
<dachshund>
raggi: understood
<raggi>
it's quite metadata heavy right now, is my main concern
<raggi>
but we'll see, it might be fine :)
<dachshund>
here is what i will do
<dachshund>
we will subscribe to the mailing list
<dachshund>
and we will start a discussion there
<dachshund>
does that work for you?
<raggi>
that's great :-)
<dachshund>
fantastic
<dachshund>
dstufft: thank you very much for the introduction, and we look forward to working with the Ruby community
* theartisan
smells progress being made
<dstufft>
dachshund: :)
<havenwood>
dachshund: Might be interested to weigh in on draft Rubygems Trust Model document? http://goo.gl/ybFIO
<dachshund>
havenwood: thanks for the link, and we will certainly review it
<dstufft>
fwiw here's my message to catalog-sig (PYthon mailing list to discuss PyPI) and the resulting convo http://mail.python.org/pipermail/catalog-sig/2013-February/005099.html plus I personally emailed Justin Cappos (who I believe was the professor? Whose students did the bulk of the work on TUF)
<dachshund>
that's right
<dachshund>
I apologize that we are quite busy with a few deadlines now, but we are doing our best to keep with up with the Ruby and Python community
<dachshund>
ok, so it was good meeting all of you today, and we will carry our discussion forward on the mailing list :)
<dachshund>
please feel free to contact us at jcappos@poly.edu and tk47@students.poly.edu
<raggi>
thanks dachshund :)
<raggi>
dstufft: so, it looks like giovanni is basically doing the pypi work and owning the process?
<dstufft>
raggi: eh, he's trying. Though he's sort of doing his own thing and just kinda rushing off half cocked
dachshund has quit [Quit: Leaving]
<dstufft>
I think most of the sane people are wanting to slow down a bit and make sure we understand what we are trying to solve before we just start slinging code around
<raggi>
well, the opinion that it's worth hitting low hanging fruit is not invalid at all, but i know what you mean
<raggi>
it depends a bit how low your fruit hangs
<raggi>
having just been through an incident, ours is pretty well mapped right now
<dstufft>
Yea, he pushed a PR last night for PyPI to switch us from unsalted SHA1 to bcrypt, though I reimplemented it using some higher level more standard things
<raggi>
for what, the server side?
<dstufft>
yea
<dstufft>
PyPI itself is kind of a horrible mess
<raggi>
sure, seems pretty meh tbh
<raggi>
i mean, for sure, use a password algo, not a salted hash, but yeah
<raggi>
pbkdf would be fine too
<dstufft>
yea, passlib (the library) supports pbkdf too
<raggi>
dstufft: i think we all are :)
<raggi>
right, i think it really depends what libs you have to hand, or what audits you need to pass
<raggi>
if you're going to be dealing with a bank or something, you're going to want to choose pbkdf so you can conform to their shitty "use 3des" or "use sha" statements
<dstufft>
ya
* raggi
seriously had a bank ask him to move from bcrypt to salted 3des once
<raggi>
not that long ago either.
<dstufft>
I mostly picked bcrypt in my example (although it's set up so you configure passlib via an ini file, so you can have many options and have it auto upgrade on login etc) because it's a C library compared to pure python and that's about it
<dstufft>
Oh, also because there was a general agreement on bcrypt and I didn't feel like bikeshedding an algo :V
* theartisan
knows of companies dealing with banks that use unsalted md5's for passwords… -_-
<theartisan>
and somehow managed to pass all the audits...
havenwood has quit [Remote host closed the connection]
<dstufft>
theartisan: $$$$$
<theartisan>
dstufft: i always found it amusing that i could not connect my personal laptop to the network due to the audit criteria but there was nothing to stop me hitting the password db with a rainbow table from a work machine...
<jstr>
dstufft: + politics
geal has joined #rubygems-trust
jstr has quit [Ping timeout: 252 seconds]
geal has quit [Ping timeout: 256 seconds]
jstr has joined #rubygems-trust
jstr has quit [Read error: Connection reset by peer]
workmad3 has joined #rubygems-trust
jstr has joined #rubygems-trust
workmad3 has quit [Ping timeout: 252 seconds]
workmad3 has joined #rubygems-trust
drbrain_ has joined #rubygems-trust
drbrain has quit [Disconnected by services]
drbrain_ is now known as drbrain
geal has joined #rubygems-trust
workmad3 has quit [Ping timeout: 248 seconds]
geal has quit [Ping timeout: 252 seconds]
workmad3 has joined #rubygems-trust
qmx is now known as qmx|away
workmad3 has quit [Read error: Operation timed out]