
Re: Archive database (projectb) queries for the public



On Wed, Nov 20, 2013 at 07:35:06PM +0000, Mark Hymers wrote:
> On Tue, 19, Nov, 2013 at 08:37:17PM +0000, Ian Jackson spoke thus..
> > Jonathan McDowell writes ("Re: Archive database (projectb) queries for the public"):
> > > I don't think debian-keyring is the correct package for this. I think of
> > > the existing packages debian-archive-keyring is probably more
> > > appropriate. [...]
> > 
> > Thanks for your comments.
> > 
> > You are entirely right and I stand corrected.
> 
> Sorry, that was my fault - I misspoke at the conference and said
> debian-keyring when I meant debian-archive-keyring.
> 
> > The proposed key is not really an X.509 certificate in the normal
> > sense.  It doesn't want all the machinery that the ca-certificates
> > package has to allow the user to choose to include (or not) particular
> > keys in the trusted set.
> > 
> > Rather, the trust model is like the one for debian-archive-keyring:
> > there is a specific set of keys which the client software should use.
> > So in syntax it's an X.509 certificate, true, but the package it goes
> > into can treat it as an opaque blob to be simply shipped.
> 
> Can I just say that I actually agree with Ian that a single purpose "CA"
> for this is a better match for what we're trying to achieve here rather
> than using an existing one.  Basically, the "CA" is there to let us roll
> over keys more easily, but it shouldn't be used for any other service.

If it's only for a specific thing then debian-archive-keyring seems
perfectly reasonable to me. (Not that where it is affects me at all once
it's not in debian-keyring. ;)

J.

-- 
Revd Jonathan McDowell, ULC | I plead contemporary insanity.

