[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Archive database (projectb) queries for the public

On 13398 March 1977, Ian Jackson wrote:
> Joerg Jaspert writes ("Re: Archive database (projectb) queries for the public"):
>> Part I is all nice and stuff, just needs an implementation.
> Great.  How can I help ?  This is on the critical path for anon dgit
> usage, so I care about it.

Talk to Mark (again :) ), he is in Cambridge and he is the one currently
driving it from our side.
Basically it needs doing it, and he started looking into frameworks.


> I don't know where the private key for the Debian CA is.

DSA.

> Or to put it another way: to make this work the Debian CA public key
> would have to be distributed in some binary package, identified as
> "the" public key to use for the ftpmaster data service (and perhaps
> other similar things).

It's a sub of SPI, SPIs is in the ca-cert package. Apache (can) provide a
chain, clients can validate a chain. Problem solved?

> Given that, it's not clear to me what security or convenience
> advantage we get from indirecting the authentication through the
> Debian CA, rather than distributing the ftpmaster data service public
> key directly.

Convenience - ftpmaster (or someone for us) doesn't have to handle yet
another CA/key.

> All that using the Debian CA does is introduce an additional critical
> key, with private key separately attackable (since it wouldn't be kept
> alongside the ftpmaster data service private key).

All that creating a new CA does is introduce an additional "critical" CA
to be attacked.

> An undetected compromise of the Debian CA private key would compromise
> the reliability of data seen by data service users.

Same goes for own CA, if you don't detect compromises you lost, no
matter which of the scenarios.

> As another example of a scenario where my proposal is better: in my
> proposal a compromised ftpmaster data service private key could be
> resolved quite quickly by a security update to debian-keyring (or
> whatever other package).  If we were to use the Debian CA it's
> difficult to see how this could be dealt with as quickly.  (I'm
> assuming no-one is suggesting we provide OCSP and require it to be
> working.)

I fail to see why one can't just do the same with the Debian CA if its
hacked? Make/Get a new one, distribute it to people?

> And using the Debian CA also means an additional group of people have
> to be involved in key rollover/confirmation.

A group that is doing this anyways (just not yet for us in this service,
the main ftpmaster site is ssled by them).

> (Using the SPI CA for this is just plain wrong.  There is no reason to
> introduce an external entity, however well-meaning or competent, into
> this process.)

I'm not considering a key issued directly by SPI, at maximum a CA issued
by them, which would have the benefit of the ca-certificates package as
said above.

-- 
bye, Joerg
Well, I’m tired of being a wannabe league bowler. I wanna be a league bowler!
Reply to: