Re: Archive database (projectb) queries for the public
On Sat, Nov 16, 2013 at 11:36:20AM +0000, Ian Jackson wrote:
> Part II:
> --------
>
> We should provide integrity (important) and confidentiality (less so)
> for these publicly-available projectb queries.
>
> The obvious answer is to do the queries over https.
>
> We should use a dedicated CA to sign the server's TLS key. The CA's
> public key would be included in some Debian package, ideally
> debian-keyring. Using a dedicated CA avoids relying on the public
> X.509 infrastructure which is both inconvenient and insecure.
>
> Key rollover will happen as follows: generate a new server TLS private
> key and a new CA. Publish the new CA public key along with the old
> one in debian-keyring. Wait for the new debian-keyring package to be
> used "everywhere", and then change which CA certificate is offered by
> the webserver. This odd scheme is needed because although a TLS
> server can't offer multiple certificates, a TLS client can be
> configured to trust multiple root CAs.
>
> We should use a cipher suite which provides perfect forward secrecy,
> because there is no reason not to.
>
> CCing keyring-maint about this so they can comment.
I don't think debian-keyring is the correct package for this. I think of
the existing packages debian-archive-keyring is probably more
appropriate. debian-keyring is a 50M monster that most people probably
don't have installed. It's maintained by keyring-maint (not DSA, as one
of your later mails seems to imply). debian-archive-keyring is a much
smaller package containing the archive keys and while not a perfect
match for a Debian server key is probably the best approach.
(I personally think that ca-certificates is the best place if we're
looking at an X.509 certificate - I accept the point about the
maintainer being unrelated, but that's also true for debian-keyring and
debian-archive-keyring.)
J.
--
] http://www.earth.li/~noodles/ [] "For the effect of psychedelics on [
] PGP/GPG Key @ the.earth.li [] the development community, well, [
] via keyserver, web or email. [] there's Enlightenment, isn't [
] RSA: 4096/2DA8B985 [] there?" -- Adam J. Thornton, asr. [
Reply to: