Re: fingerprint of the archive signing key

To: debian developers <debian-devel@lists.debian.org>
Subject: Re: fingerprint of the archive signing key
From: Bernd Eckenfels <lists@lina.inka.de>
Date: Wed, 30 Jun 2004 02:29:52 +0200
Message-id: <[🔎] 20040630002952.GA2528@lina.inka.de>
In-reply-to: <[🔎] 1088554798.3081.30.camel@zen8100a.freedbms.net>
References: <[🔎] 20040629003951.GA14964@cirrus.madduck.net> <[🔎] 20040629005028.GA22050@suffields.me.uk> <[🔎] 20040629013230.GB14609@cirrus.madduck.net> <[🔎] 20040629115722.GA24190@suffields.me.uk> <[🔎] 87pt7izfnc.fsf@alhambra.bioz.unibas.ch> <[🔎] 20040629172848.GA19987@suffields.me.uk> <[🔎] 20040629173407.GD22096@riva.ucam.org> <[🔎] 20040629214219.GA2631@suffields.me.uk> <[🔎] 20040629233537.GA25370@riva.ucam.org> <[🔎] 1088554798.3081.30.camel@zen8100a.freedbms.net>

On Wed, Jun 30, 2004 at 10:19:58AM +1000, Zenaan Harkness wrote:
> Isn't it possible to have the "certificate signing facility" on a
> network-disconnected box, to thereby require at minimum physical
> access to the box to compromize a (master) certificate?

No matter how you s store it, it is used to sign, so you can use it for it.
CA root keys are normally protected from reading, but of course not from
authorized usage. The RA is normally the point where you attack the PKI most
easyly (remeber the MS/Verisign joke).

Bernd
-- 
  (OO)      -- Bernd_Eckenfels@Mörscher_Strasse_8.76185Karlsruhe.de --
 ( .. )      ecki@{inka.de,linux.de,debian.org}  http://www.eckes.org/
  o--o     1024D/E383CD7E  eckes@IRCNet  v:+497211603874  f:+497211606754
(O____O)  When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl!

Reply to:

Follow-Ups:
- Re: fingerprint of the archive signing key
  - From: Zenaan Harkness <zen@freedbms.net>

References:
- fingerprint of the archive signing key
  - From: martin f krafft <madduck@debian.org>
- Re: fingerprint of the archive signing key
  - From: Andrew Suffield <asuffield@debian.org>
- Re: fingerprint of the archive signing key
  - From: martin f krafft <madduck@debian.org>
- Re: fingerprint of the archive signing key
  - From: Andrew Suffield <asuffield@debian.org>
- Re: fingerprint of the archive signing key
  - From: Frank Küster <frank@debian.org>
- Re: fingerprint of the archive signing key
  - From: Andrew Suffield <asuffield@debian.org>
- Re: fingerprint of the archive signing key
  - From: Colin Watson <cjwatson@debian.org>
- Re: fingerprint of the archive signing key
  - From: Andrew Suffield <asuffield@debian.org>
- Re: fingerprint of the archive signing key
  - From: Colin Watson <cjwatson@debian.org>
- Re: fingerprint of the archive signing key
  - From: Zenaan Harkness <zen@freedbms.net>

Prev by Date: Re: fingerprint of the archive signing key
Next by Date: Re: fingerprint of the archive signing key
Previous by thread: Re: fingerprint of the archive signing key
Next by thread: Re: fingerprint of the archive signing key
Index(es):
- Date
- Thread