
Re: Archive database (projectb) queries for the public



On Tue, 19, Nov, 2013 at 08:37:17PM +0000, Ian Jackson spoke thus..
> Jonathan McDowell writes ("Re: Archive database (projectb) queries for the public"):
> > I don't think debian-keyring is the correct package for this. I think of
> > the existing packages debian-archive-keyring is probably more
> > appropriate. [...]
> 
> Thanks for your comments.
> 
> You are entirely right and I stand corrected.

Sorry, that was my fault - I misspoke at the conference and said
debian-keyring when I meant debian-archive-keyring.

> The proposed key is not really an X.509 certificate in the normal
> sense.  It doesn't want all the machinery that the ca-certificates
> package has to allow the user to choose to include (or not) particular
> keys in the trusted set.
> 
> Rather, the trust model is like the one for debian-archive-keyring:
> there is a specific set of keys which the client software should use.
> So in syntax it's an X.509 certificate, true, but the package it goes
> into can treat it as an opaque blob to be simply shipped.

Can I just say that I actually agree with Ian that a single purpose "CA"
for this is a better match for what we're trying to achieve here rather
than using an existing one.  Basically, the "CA" is there to let us roll
over keys more easily, but it shouldn't be used for any other service.

Mark
-- 
Mark Hymers <mhy at debian dot org>

"We have three realistic alternatives: (1) Sit here and get blown up, (2)
 Stand here and get blown up, (3) Jump up and down, shout at me for not being
 able to think of anything, then get blown up."
     Holly, Red Dwarf Series III - Bodyswap

