Re: Official Debian digital 'branding' of debs
Hi,
>>"Rene" == Rene Mayrhofer <rmayr@vianova.at> writes:
>> If we have a single key, and it is ever compromised, it shall
>> be major news, and people would be informed of the compromise a lot
>> easier. We then just distribute the new key, which may be signed by a
>> number of developers (lotsa phone calls to get that done).
Rene> There would be work to do, but I do not think that it could
Rene> compromise the whole security system. Maybe apt could check for
Rene> the "one and only" public key before downloading new packages
Rene> from the official distribution. When there is no key (it has
Rene> been removed because it has been compromised), then simply do
Rene> not download new packages since there is a new key.
Actually, I was thinking of a two phase system. The
one-and-only Debian key would merely be used for signing the keyring
package (and possibly the individual keys, but that makes removing keys
from the trusted set harder, and the master key compromise gets
worse).
So, only use debian-keyring packages that are signed by the
master key, and, if the master key is compromised, get the new
keyring package.
To compromise the security, one would have to not only have
compromised the master key, one would have had to compromise the
debian keyring package, which is also signed by the maintainer.
manoj
--
"Money is the root of all money." the moving finger
Manoj Srivastava <srivasta@debian.org> <http://www.debian.org/%7Esrivasta/>
Key C7261095 fingerprint = CB D9 F4 12 68 07 E4 05 CC 2D 27 12 1D F5 E8 6E
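
The two-phase check described in the message above, as an added example that is not part of the original thread or of any Debian tool: a keyring is accepted only with both the master and the maintainer signature, and a package only through a key in an accepted keyring. Assumptions: Lamport one-time signatures built from `hashlib` stand in for PGP signatures, the client already holds the master and maintainer public keys, and all function names are hypothetical.

```python
import hashlib
import secrets

def H(b):
    return hashlib.sha256(b).digest()

def keygen():
    # Lamport one-time key: 256 secret pairs; the public key is their hashes.
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def _bits(msg):
    d = int.from_bytes(H(msg), "big")
    return [(d >> i) & 1 for i in range(256)]

def sign(sk, msg):
    return [sk[i][bit] for i, bit in enumerate(_bits(msg))]

def verify(pk, msg, sig):
    return sig is not None and len(sig) == 256 and all(
        H(sig[i]) == pk[i][bit] for i, bit in enumerate(_bits(msg)))

def fingerprint(pk):
    return H(b"".join(a + b for a, b in pk))

def accept_keyring(keyring, master_sig, maint_sig, master_pk, maint_pk):
    # Phase 1: the keyring (fingerprint -> developer key) must carry BOTH signatures.
    if any(fingerprint(pk) != fp for fp, pk in keyring.items()):
        return False
    blob = b"".join(sorted(keyring))
    return verify(master_pk, blob, master_sig) and verify(maint_pk, blob, maint_sig)

def accept_package(deb, sig, signer_fp, keyring):
    # Phase 2: a package is trusted only via a key in an accepted keyring.
    pk = keyring.get(signer_fp)
    return pk is not None and verify(pk, deb, sig)

def scenario(master_compromised):
    (master_sk, master_pk), (maint_sk, maint_pk), (dev_sk, dev_pk) = keygen(), keygen(), keygen()
    keyring = {fingerprint(dev_pk): dev_pk}   # a key the maintainer never signed, if compromised
    blob = b"".join(sorted(keyring))
    # With only the master key stolen, no maintainer signature can be produced.
    maint_sig = None if master_compromised else sign(maint_sk, blob)
    ring_ok = accept_keyring(keyring, sign(master_sk, blob), maint_sig, master_pk, maint_pk)
    deb = b"constructed package contents"
    pkg_ok = ring_ok and accept_package(deb, sign(dev_sk, deb), fingerprint(dev_pk), keyring)
    return ring_ok, pkg_ok

print(scenario(False), scenario(True))
```

Each Lamport key here signs exactly one message, which is why `scenario` generates fresh keys per run; a real deployment would use reusable OpenPGP keys.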