|
| From: | Daniel Carrera |
| Subject: | Re: [Monotone-devel] Monotone Security |
| Date: | Thu, 16 Oct 2008 19:02:48 +0200 |
| User-agent: | Thunderbird 2.0.0.17 (Macintosh/20080914) |
Jack Lloyd wrote:
That could easily happen due to a time change, though:
Yeah, and a malicious attacker could make the bad revisions children of a very old revision. So checking that dates are sequential is useless.
Monotone already has a way to deal with the DOS attack that Peter found (10 million encumbered revisions) but it requires a custom script. Maybe it'd be easier to just ship Monotone with a Lua script that removes the bad key. It's not used by default, but if/when Peter's DOS attack happens, the developers can run the script:
function recovery_from_compromised_keys(key) {
foreach (head) {
if (head is signed with bad key) {
1. find the first ancestor revision of that head
that is signed by a good key.
2. delete every descendant of that revision.
}
}
}
Daniel.
| [Prev in Thread] | Current Thread | [Next in Thread] |