
Re: Archive database (projectb) queries for the public



On Sat, Nov 16, 2013 at 11:36:20AM +0000, Ian Jackson wrote:

> Part II:
> --------
> 
> We should provide integrity (important) and confidentiality (less so)
> for these publicly-available projectb queries.
> 
> The obvious answer is to do the queries over https.
> 
> We should use a dedicated CA to sign the server's TLS key.  The CA's
> public key would be included in some Debian package, ideally
> debian-keyring.  Using a dedicated CA avoids relying on the public
> X.509 infrastructure which is both inconvenient and insecure.
> 
> Key rollover will happen as follows: generate a new server TLS private
> key and a new CA.  Publish the new CA public key along with the old
> one in debian-keyring.  Wait for the new debian-keyring package to be
> used "everywhere", and then change which CA certificate is offered by
> the webserver.  This odd scheme is needed because although a TLS
> server can't offer multiple certificates, a TLS client can be
> configured to trust multiple root CAs.
> 
> We should use a cipher suite which provides perfect forward secrecy,
> because there is no reason not to.
> 
> CCing keyring-maint about this so they can comment.

I don't think debian-keyring is the correct package for this. I think,
of the existing packages, debian-archive-keyring is probably more
appropriate. debian-keyring is a 50M monster that most people probably
don't have installed. It's maintained by keyring-maint (not DSA, as one
of your later mails seems to imply). debian-archive-keyring is a much
smaller package containing the archive keys and, while not a perfect
match for a Debian server key, is probably the best approach.

(I personally think that ca-certificates is the best place if we're
looking at an X.509 certificate - I accept the point about the
maintainer being unrelated, but that's also true for debian-keyring and
debian-archive-keyring.)

J.

-- 
] http://www.earth.li/~noodles/ [] "For the effect of psychedelics on  [
]  PGP/GPG Key @ the.earth.li   []  the development community, well,   [
] via keyserver, web or email.  []    there's Enlightenment, isn't     [
] RSA: 4096/2DA8B985            []  there?" -- Adam J. Thornton, asr.  [
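The rollover procedure quoted above, rehearsed locally as an added example (not code from this thread or from Debian): it assumes the openssl command-line tool (1.1.1 or 3.x) is installed, and the CA names, server subject and file paths are constructed for the demo. It builds an "old" and a "new" CA, issues a server certificate from each, and shows which combinations a client accepts depending on whether its trust store holds only the old CA or both.

```shell
# Added example, not code from the thread or from Debian: a local rehearsal
# of the rollover scheme quoted above. Two dedicated CAs ("old", "new"), a
# server certificate from each, and a client trust store carrying both CA
# certificates during the transition. Names, subjects, paths: constructed.
set -eu
WORK=$(mktemp -d)
# make_ca NAME: self-signed CA certificate with explicit CA constraints
make_ca() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=demo-$1-CA" \
        -keyout "$WORK/$1-ca.key" -out "$WORK/$1-ca.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' \
        > "$WORK/ca.ext"
    openssl x509 -req -days 365 -sha256 -in "$WORK/$1-ca.csr" \
        -signkey "$WORK/$1-ca.key" -extfile "$WORK/ca.ext" \
        -out "$WORK/$1-ca.crt" 2>/dev/null
}
# issue_server CANAME: server key and certificate signed by that CA
issue_server() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=projectb.example.org" \
        -keyout "$WORK/server-$1.key" -out "$WORK/server-$1.csr" 2>/dev/null
    openssl x509 -req -days 365 -sha256 -in "$WORK/server-$1.csr" \
        -CA "$WORK/$1-ca.crt" -CAkey "$WORK/$1-ca.key" -CAcreateserial \
        -out "$WORK/server-$1.crt" 2>/dev/null
}
# client_accepts TRUSTSTORE CERT: succeeds iff a client trusting only the CAs
# in TRUSTSTORE would accept CERT (chain validation only, no hostname check)
client_accepts() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
# rollover_setup: both CAs, a server cert from each, and the transitional
# trust store (old + new CA) that the updated keyring package would carry
rollover_setup() {
    make_ca old; make_ca new
    issue_server old; issue_server new
    cat "$WORK/old-ca.crt" "$WORK/new-ca.crt" > "$WORK/trust-both.pem"
}
# rollover_matrix: one "truststore servercert ok|REJECT" line per combination;
# only the not-yet-updated client (old CA only) rejects the new server cert
rollover_matrix() {
    for store in old-ca.crt trust-both.pem; do
        for cert in server-old.crt server-new.crt; do
            if client_accepts "$WORK/$store" "$WORK/$cert"; then r=ok; else r=REJECT; fi
            echo "$store $cert $r"
        done
    done
}
rollover_setup
rollover_matrix
```

The single REJECT line is the case the waiting period in the quoted scheme exists to avoid: the web server must not switch to the new CA's certificate until clients carrying only the old CA have picked up the updated trust store.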