Re: APT public key updates?

To: debian-devel@lists.debian.org
Subject: Re: APT public key updates?
From: Thomas Bushnell BSG <tb@becket.net>
Date: Thu, 05 Jan 2006 23:04:32 -0800
Message-id: <[🔎] 87d5j5et1b.fsf@becket.becket.net>
In-reply-to: <[🔎] 20060106033119.GA30916@hoiho.nz.lemon-computing.com> (Nick Phillips's message of "Fri, 6 Jan 2006 16:31:19 +1300")
References: <[🔎] 2fl64oz1tpi.fsf@saruman.uio.no> <[🔎] 1136416078.4526.1.camel@localhost> <[🔎] 20060105200205.GB20228@kitenet.net> <[🔎] 20060105221306.GA8597@top.ping.de> <[🔎] 2flr77mp5lx.fsf@saruman.uio.no> <[🔎] 20060106003106.GD24652@tennyson.dodds.net> <[🔎] 877j9ep4ny.fsf@becket.becket.net> <[🔎] 20060106033119.GA30916@hoiho.nz.lemon-computing.com>

Nick Phillips <nwp@nz.lemon-computing.com> writes:

> On Thu, Jan 05, 2006 at 04:43:13PM -0800, Thomas Bushnell BSG wrote:
>
>> If the key is compromised, which is the only way the non-expiring key
>> method can be broken, then the expiring key doesn't seem to be
>> offering all that much additional security.  
>
> If the 2006 key takes (say) 15 months to compromise, then it is fine
> to use it to sign and verify the new key on 1/1/2007, so long as you
> perform that verification before March...

So we are worried about compromise by direct attack, rather than
compromise by misplaced or stolen equipment/etc?

It seems to me that this kind of computation depends intrinsically on
how long it takes to compromise.  If it takes eleven months, then
we're currently screwed.  It seems unlikely to me that this kind of
analysis has taken place, which makes it unlikely that this is
actually the explanation for our current practice.

Thomas

Reply to:

Follow-Ups:
- Re: APT public key updates?
  - From: Anthony Towns <aj@azure.humbug.org.au>
- Re: APT public key updates?
  - From: be-news06@lina.inka.de (Bernd Eckenfels)

References:
- APT public key updates?
  - From: Petter Reinholdtsen <pere@hungry.com>
- Re: APT public key updates?
  - From: Daniel Leidert <daniel.leidert.spam@gmx.net>
- Re: APT public key updates?
  - From: Joey Hess <joeyh@debian.org>
- Re: APT public key updates?
  - From: Michael Vogt <mvo@debian.org>
- Re: APT public key updates?
  - From: Petter Reinholdtsen <pere@hungry.com>
- Re: APT public key updates?
  - From: Steve Langasek <vorlon@debian.org>
- Re: APT public key updates?
  - From: Thomas Bushnell BSG <tb@becket.net>
- Re: APT public key updates?
  - From: Nick Phillips <nwp@nz.lemon-computing.com>

Prev by Date: Re: APT public key updates?
Next by Date: Re: APT public key updates?
Previous by thread: Re: APT public key updates?
Next by thread: Re: APT public key updates?
Index(es):
- Date
- Thread