
Re: TLS key for api.ftp-master.debian.org



Peter Palfrader writes ("Re: TLS key for api.ftp-master.debian.org"):
> On Fri, 07 Nov 2014, Mark Hymers wrote:
> > As far as I'm concerned, the main thing if we're going to publicise the
> > key is to have a clean rollover strategy.  Frankly, I'm not sure that I
> > want to commit to dealing with this side of it - SSL certs are part of
> > the infrastructure really, and I'm inclined to defer to DSA on this.
> 
> We (and SPI) have operated an X509 CA in the past.

I am definitely not suggesting running a real CA.

I'm suggesting that we generate a new service-specific root pseudo-CA
for each service.  The pseudo-CA key would be used to sign one cert,
ever: the cert on the service-specific EE key.

Key rollover is done as follows:

1. Generate new EE key and new pseudo-CA; sign new EE key with
   new pseudo-CA key.  Throw away new pseudo-CA private key.

2. Put new pseudo-CA public key in debian-archive-keyring.deb
   (in the form of its X.509 root certificate), alongside the
   old one.

3. Wait.

4. When all systems in the field are expected to have the new
   debian-archive-keyring.deb installed, switch the actual webserver
   to use the new EE key and the new cert.

Ian.
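
The rollover steps in the message above, as an added example that is not part of the original message or of any Debian tooling: it builds two pseudo-CA generations with the openssl command line and checks which client bundles accept which server cert. The service name, file names, key sizes and lifetimes are constructed placeholders.

```shell
#!/bin/sh
# Added example: two generations of a service-specific pseudo-CA.
# SERVICE, file names and lifetimes are constructed placeholders.
set -eu
SERVICE=api.example.org
WORK=$(mktemp -d)

# Minimal config so the pseudo-CA root is marked CA:TRUE on any OpenSSL version.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign
EOF

# Step 1: new pseudo-CA and new EE key; sign the single EE cert; drop the CA key.
make_generation() {   # $1 = label, "old" or "new"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$WORK/ca.cnf" \
        -subj "/CN=$SERVICE pseudo-CA $1" \
        -keyout "$WORK/$1-ca.key" -out "$WORK/$1-ca.pem"
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
        -subj "/CN=$SERVICE" -keyout "$WORK/$1-ee.key" -out "$WORK/$1-ee.csr"
    openssl x509 -req -in "$WORK/$1-ee.csr" -days 365 -set_serial 1 \
        -CA "$WORK/$1-ca.pem" -CAkey "$WORK/$1-ca.key" -out "$WORK/$1-ee.pem"
    rm -f "$WORK/$1-ca.key" "$WORK/$1-ee.csr"   # the CA can never sign again
}

# A client trusts a server cert only if it chains to a root in its bundle.
trusts() {   # $1 = root bundle, $2 = EE cert
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

make_generation old                    # what is deployed today
make_generation new                    # step 1
# Step 2: ship the new root alongside the old one.
cat "$WORK/old-ca.pem" "$WORK/new-ca.pem" > "$WORK/keyring.pem"

# Steps 3-4: a client still on the old package rejects the new cert, which is
# why the server switches only after the updated bundle is everywhere.
trusts "$WORK/old-ca.pem" "$WORK/new-ee.pem" || echo "old-only client: new cert rejected"
trusts "$WORK/keyring.pem" "$WORK/old-ee.pem" && echo "updated client: old cert ok"
trusts "$WORK/keyring.pem" "$WORK/new-ee.pem" && echo "updated client: new cert ok"
```

Here `rm` stands in for whatever key destruction the operator actually uses; the old root can be dropped from the bundle once the server has switched.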

