[vlc-devel] OpenPGP verification of updates

Gilles Sabourin gilles.sabourin at free.fr
Mon Nov 26 09:11:16 CET 2007 

Hi Raphaël,


I am working in the ISS domain. When you generate a new asymetric key, you got 
2 parts : the public part (called itself the public key by abuse) and the 
private part (called itself the private key).

The public key is, as its name suggests it, is public (and MUST be known) for 
everyone in the world. In general, you put it on some key servers.

With the fingerprint of your public key, I am able to import the public key 
with OpenPGP, and use it as a proof that your applications, your mails, all 
your stuff is coming from you, as you will SIGN everything, and send to me 
your stuff with your signature.

By definition, we can't have any compromission of the public key, because it 
is well known by everything and used only to sign your stuff. What would be 
the challenge ?

Of course, the password used to sign with your public key is only known by 
you!

Greetings,
Gilles Sabourin

Le Monday 26 November 2007 02:46:01 Rafaël Carré, vous avez écrit :
> Hello,
>
> I've started some work for using OpenPGP through libgcrypt to verify
> the downloads when doing an update from VLC (to re-enable that code
> before 0.8.6d release).
>
> It requires embedding the public key used to sign the files in VLC.
>
> However I noticed that a new key is generated every year, so that means
> updates would be supported only if the version to be downloaded was
> signed with the same key that is embedded in the version ran by the
> user.
>
> What is the point doing a new key every year ? NSA needs more than one
> year to crack a key ?

But your public key is ... public ! This would have only to be taken into 
account whenever you want to use the private key to crypt some secret stuff!
A secret key can be compromised, if it is stored on a support not put in a 
safe place. And it is safer to limit the validity of a secret as it can 
be "cracked". But, I think that we are not very interesting people for 
NSA ...

>
>
> I see 2 solutions:
> 	* release at least every year, and embed the new key in the
> update xml file (since the new key is signed by the previous one). That
> is overkill.
> 	* sign the releases with the old key (then there is no point
> not keeping always the same key)
>
>
> Please help.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 194 bytes
Desc: This is a digitally signed message part.
URL: <http://mailman.videolan.org/pipermail/vlc-devel/attachments/20071126/c8e891a7/attachment.sig>

More information about the vlc-devel mailing list