[wpkg-users] security issues

Marco Gaiarin gaio at sv.lnf.it
Tue Jun 5 09:57:40 CEST 2007


Hello! Brian May
  On that day it was said...

> I don't think it is possible, short of getting a Windows 2003 server
> box and creating an active directory based domain.

E.g., for example, people using Samba. ;)

I noted that some months ago, but not from a 'security' point of view:
I simply manage a single set of 'recipes' (packages) that I deploy to
some branches; all are configured in a similar way, but clearly the
profile changes between branches.

I have some portables that, if moved from one branch to another, simply
uninstall some software and install some other every time... ;)))
I solved it with a hack (a WSH wrapper script around wpkg.js).

The general question is: how can the client 'know' (and trust) its
server?

Some proposals:

1) [simple, dumb] Client and server agree on a 'server signature', and
 the client accepts packages only on a match.
This is not optimal, because if someone gets a client, hacks it and gets
the key, we are vastly compromised, because someone can build another
server that acts as the original one.

1b) if you use WPKGInstaller you can access the WPKG server (share)
with a user and password, rather similar to 1)

2) [rather simple, less dumb] Client and server agree on a 'client
 signature', and the client accepts packages only on a match.
As 1), but with a different signature per client. If a client is
compromised, nothing worse can happen.
On the cons, we have to manage the signatures of the clients server-side,
and in a secure manner.
Can also be seen as 'like 1b) but with a different password per client'.

3) [complex, strong] use a PKI infrastructure where all communications
(clearly, the useful ones) are 'signed' with public keys.

-- 
dott. Marco Gaiarin				    GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''                http://www.sv.lnf.it/
  Polo FVG  -  Via della Bontà, 7 - 33078  -  San Vito al Tagliamento (PN)
  marco.gaiarin(at)sv.lnf.it	  tel +39-0434-842711  fax +39-0434-842797
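
Added example, not part of the original message and not WPKG code: it contrasts proposals 1) and 2) above by asking which clients would accept a manifest tagged with the key stored on one compromised client. The 'signature' is modelled as HMAC-SHA256; the client names, secrets, manifests and the derivation of per-client keys from a server-side master secret are assumptions of this example.

```python
import hashlib
import hmac

# Constructed sample data: client names, secrets and manifests are made up.
CLIENTS = ["branch-a-pc01", "branch-a-pc02", "branch-b-laptop07"]
MANIFEST = b'<package id="example" revision="3"/>'
FORGED = b'<package id="example" revision="4"/>'


def sign(key: bytes, manifest: bytes) -> str:
    """'Signature' modelled as HMAC-SHA256 over the package manifest."""
    return hmac.new(key, manifest, hashlib.sha256).hexdigest()


def client_accepts(key: bytes, manifest: bytes, tag: str) -> bool:
    """Client-side check: accept the manifest only if the tag matches."""
    return hmac.compare_digest(sign(key, manifest), tag)


def shared_keys(secret: bytes) -> dict:
    """Proposal 1: every client holds the same server secret."""
    return {cid: secret for cid in CLIENTS}


def per_client_keys(master: bytes) -> dict:
    """Proposal 2: one key per client, derived server-side from a master
    secret that never leaves the server (derivation is this example's choice)."""
    return {cid: hmac.new(master, cid.encode(), hashlib.sha256).digest()
            for cid in CLIENTS}


def accepting_clients(keys: dict, signing_key: bytes, manifest: bytes) -> list:
    """Which clients accept `manifest` when it is tagged with `signing_key`?"""
    tag = sign(signing_key, manifest)
    return sorted(cid for cid, key in keys.items()
                  if client_accepts(key, manifest, tag))


def compare(compromised: str = "branch-b-laptop07") -> dict:
    """Exposure when the key stored on one client is extracted."""
    p1 = shared_keys(b"constructed-shared-secret")
    p2 = per_client_keys(b"constructed-master-secret")
    return {"proposal_1": accepting_clients(p1, p1[compromised], FORGED),
            "proposal_2": accepting_clients(p2, p2[compromised], FORGED)}


if __name__ == "__main__":
    for name, exposed in compare().items():
        print(name, "clients trusting a manifest tagged with the leaked key:", exposed)
```

With proposal 3) the clients would hold only a public verification key, so extracting a client's key material would not let anyone tag manifests at all.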

