Re: TLS key for api.ftp-master.debian.org
Peter Palfrader writes ("Re: TLS key for api.ftp-master.debian.org"):
> On Fri, 07 Nov 2014, Mark Hymers wrote:
> > As far as I'm concerned, the main thing if we're going to publicise the
> > key is to have a clean rollover strategy. Frankly, I'm not sure that I
> > want to commit to dealing with this side of it - SSL certs are part of
> > the infrastructure really, and I'm inclined to defer to DSA on this.
>
> We (and SPI) have operated an X509 CA in the past.

I am definitely not suggesting running a real CA.

I'm suggesting that we generate a new service-specific root pseudo-CA
for each service.  The pseudo-CA key would be used to sign one cert,
ever: the cert on the service-specific EE key.

Key rollover is done as follows:

 1. Generate new EE key and new pseudo-CA; sign new EE key with
    new pseudo-CA key.  Throw away new pseudo-CA private key.

 2. Put new pseudo-CA public key in debian-archive-keyring.deb
    (in the form of its X.509 root certificate), alongside the
    old one.

 3. Wait.

 4. When all systems in the field are expected to have the new
    debian-archive-keyring.deb installed, switch the actual webserver
    to use the new EE key and the new cert.

Ian.
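
Added example (not part of the original message and not Debian's own tooling): the four rollover steps above, sketched with the openssl command line, followed by a check of which clients accept which server cert. The directory layout, file names, CN strings and the flat PEM files standing in for the roots shipped in debian-archive-keyring.deb are assumptions.

```shell
#!/bin/sh
# Added illustration; directory layout, file names and CN strings are assumptions.
SERVICE=api.ftp-master.debian.org

# Step 1: fresh EE key and fresh single-use pseudo-CA; sign once, discard CA key.
new_generation() {  # $1 = work dir, $2 = generation label
    d=$1/$2; mkdir -p "$d"
    # Distinct CN per generation so a verifier holding both roots picks the right issuer.
    cat > "$d/ca.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = $SERVICE pseudo-CA $2
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$d/ca.cnf" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
        -subj "/CN=$SERVICE" -keyout "$d/ee.key" -out "$d/ee.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/ee.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -set_serial 1 -days 3650 -out "$d/ee.crt" 2>/dev/null &&
    rm -f "$d/ca.key" "$d/ee.csr"   # the pseudo-CA never signs anything else
}

# Does a client holding trust bundle $1 accept the server certificate $2?
accepts() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

WORK=$(mktemp -d)
new_generation "$WORK" old
new_generation "$WORK" new
cp  "$WORK/old/ca.crt" "$WORK/keyring-old.pem"                        # not yet upgraded
cat "$WORK/old/ca.crt" "$WORK/new/ca.crt" > "$WORK/keyring-both.pem"  # step 2

# Steps 3 and 4: every client/server combination during the rollover window.
for ring in keyring-old keyring-both; do
    for gen in old new; do
        if accepts "$WORK/$ring.pem" "$WORK/$gen/ee.crt"; then r=accepted; else r=REJECTED; fi
        echo "$ring client, $gen server cert: $r"
    done
done
```

The one rejected combination, a client with only the old root talking to a server already on the new cert, is what the wait in step 3 exists to avoid.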