[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Official Debian digital 'branding' of debs

>>"Rene" == Rene Mayrhofer <rmayr@vianova.at> writes:

 >> If we have a single key, and it is ever compromised, it shall
 >> be major news, and people whould be informed of the compromise a lot
 >> easier. We then just distribute the new key, which maybe signed by a
 >> number of developers (lotsa phone calls to get that done).
 Rene> There would be work to do, but I do not think that it could
 Rene> compromise the whole security system. Maybe apt could check for
 Rene> the "one and only" public key before downloading new packages
 Rene> from the official distribution. When there is no key (it has
 Rene> been removed because it has been compromised), than simply do
 Rene> not download new packages since there is a new key.

        Actually, I was thinking of a two phase system. The
 one-and-only Debian key would emrely be used for signing the keyring
 package (and possibly the indidual keys, but that makes removing keys
 from the trusted set harder, and the master key compromise gets

        So, only use debian-keyring packages that are signed by the
 master key, and; if the master key is compromised, get the new
 keyring package.

        To compromise the security, one would have to not only have
 compromised the master key, one would have had to compromise the
 debian keyring package, which is also signed by the maintainer.

 "Money is the root of all money." the moving finger
Manoj Srivastava   <srivasta@debian.org>  <http://www.debian.org/%7Esrivasta/>
Key C7261095 fingerprint = CB D9 F4 12 68 07 E4 05  CC 2D 27 12 1D F5 E8 6E

Reply to: