UNS: Re: Trust system write-up
Garrett Wollman
wollman at bimajority.org
Tue Oct 24 00:26:47 UTC 2017
<<On Mon, 23 Oct 2017 20:00:53 -0400, Eric McCorkle <eric at metricspace.net> said:
> However, there is a definite advantage to having one signature for a
> huge number of MACs. Moreover, as I mention in the paper, the most
> feasible quantum-safe signature scheme at the present is SPHINCS, which
> has signatures about 40Kib in size. That's pretty terrible if you're
> signing each executable, but if you're signing 20-30k MACs at 16-32
> bytes per code plus a path, suddenly a 40Kib signature doesn't look so
> bad anymore. It would be pretty great to roll out a trust
> infrastructure AND viable quantum-safe signatures.
> I could also see a combined scheme, say, where ELF files carry a UUID
> which indexes into a MAC manifest.
Since packages are already distributed with signatures over the entire
package manifest, it would be nice if you could use the package system
to feed this.
-GAWollman
More information about the freebsd-security
mailing list