dsse

A specification for signing methods and formats used by Secure Systems Lab projects. (by secure-systems-lab)

Dsse Alternatives

Similar projects and alternatives to dsse

NOTE: The number of mentions on this list indicates mentions on common posts plus user suggested alternatives. Hence, a higher number means a better dsse alternative or higher similarity.

dsse reviews and mentions

Posts with mentions or reviews of dsse. We have used some of these posts to build our list of alternatives and similar projects. The last one was on 2023-04-19.
  • NPM Provenance Public Beta
    5 projects | news.ycombinator.com | 19 Apr 2023
  • What do you think about DSSE: Dead Simple Signing Envelope format?
    1 project | /r/crypto | 15 Apr 2023
  • Ditching OpenPGP, a new approach to signing APT repositories
    1 project | news.ycombinator.com | 21 Jun 2021
    I took a look at the design and think there are a few issues with the format as proposed.

    # The public key is stored with the signature.

    This should be stored separately. A public key found here is too tempting to use, rendering the signature worthless. Authenticating it would be OK, but low value. This is unauthenticated. A "key ID" should be used instead if the intention is to support lookups among multiple keys.

    # The algorithm is stored with the signature.

    This is slightly less bad than above, but still bad. Attacker-controlled algorithms have been used repeatedly in "downgrade" attacks. Agility is bad, but if you must support multiple algorithms, store this with the public key (somewhere else). Some info here: https://github.com/secure-systems-lab/dsse/issues/35

    I didn't look at the sub-key protocol in detail. The ephemeral key for every release is an interesting choice. The root key is "offline". But if it must be brought online to sign a new ephemeral key for every release anyway, you might as well just use it to sign the release itself.

    Using minisign/signify like OpenBSD does and keeping things very simple makes sense to me. The complexity designed into this system (sub-keys, multiple algorithms and signatures) starts to stretch the bounds to where TUF (https://theupdateframework.io/) might make sense. TUF is very complex and not worth it for most projects, but Debian is exactly what TUF is designed for.
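As an added example (not code from the dsse project or from the comment above), a minimal DSSE-style verifier that takes the commenter's advice: the envelope carries only a `keyid` and a `sig`, and the verifier resolves both the algorithm and the key material from its own trusted keyring, so a key or algorithm carried inside the envelope is never consulted. The keyring contents are constructed, and HMAC-SHA256 stands in for a real public-key scheme to keep this standard-library only; the PAE encoding is the one the DSSE specification defines.

```python
import base64
import hashlib
import hmac

# Constructed trusted keyring. The algorithm is bound to the keyid here, out of band,
# so neither the key nor the algorithm can be chosen by whoever produced the envelope.
# HMAC-SHA256 is a stand-in for a public-key algorithm (e.g. Ed25519) to stay stdlib-only.
TRUSTED_KEYS = {
    "release-2023": {"alg": "hmac-sha256", "key": b"constructed-release-key-material"},
}
ALGORITHMS = {
    "hmac-sha256": lambda key, msg: hmac.new(key, msg, hashlib.sha256).digest(),
}


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE pre-authentication encoding: DSSEv1 SP LEN(type) SP type SP LEN(body) SP body."""
    t = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(t), t, len(payload), payload)


def sign(payload_type: str, payload: bytes, keyid: str) -> dict:
    """Produce an envelope; note that only the keyid travels with the signature."""
    entry = TRUSTED_KEYS[keyid]
    sig = ALGORITHMS[entry["alg"]](entry["key"], pae(payload_type, payload))
    return {
        "payloadType": payload_type,
        "payload": base64.b64encode(payload).decode(),
        "signatures": [{"keyid": keyid, "sig": base64.b64encode(sig).decode()}],
    }


def verify(envelope: dict) -> set:
    """Return the set of trusted keyids whose signature over PAE(type, payload) checks out.

    Any other field a signature object might carry (an embedded public key, an
    algorithm name) is deliberately ignored: only the keyring decides key and alg.
    """
    payload = base64.b64decode(envelope["payload"])
    message = pae(envelope["payloadType"], payload)
    accepted = set()
    for s in envelope["signatures"]:
        entry = TRUSTED_KEYS.get(s.get("keyid"))
        if entry is None:
            continue  # unknown signer: neither counted nor an error
        expected = ALGORITHMS[entry["alg"]](entry["key"], message)
        if hmac.compare_digest(expected, base64.b64decode(s["sig"])):
            accepted.add(s["keyid"])
    return accepted


def meets_threshold(envelope: dict, threshold: int = 1) -> bool:
    """Policy check: enough distinct trusted keys signed the envelope."""
    return len(verify(envelope)) >= threshold
```

A signature object that ships its own `pubkey` or `alg` fields, or an unknown `keyid`, simply contributes nothing to the accepted set.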


Stats

Basic dsse repo stats
3
58
0.0
25 days ago

secure-systems-lab/dsse is an open source project licensed under Apache License 2.0 which is an OSI approved license.

The primary programming language of dsse is Jupyter Notebook.
