[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Debian and GPG/PGP key handling

A few days ago, I took two actions regarding the two keys (a PGP one
as well as a GPG one) I use for Debian (and for general purpose):

  (1) I revoked my PGP key as I prefer to use my GPG and DSA/ElGammal
      rather than RSA/IDEA;

  (2) I added a new UID which has been signed by a lot of people and
      created a subkey that I use for signing.

Then I tried to update Debian's knowledge of my keys by:

  (1) Uploading the updated versions of this key to keyring.debian.org

  (2) Sending a mail explaining that to keyring-maint@debian.org.

Note that no new key has been created, this is only a revocation of an
existing key and a modification of an existing one as well. Both are
already known by Debian and have been used to sign package changes.

As of today, my keys have not been taken in account yet. My record on
db.debian.org contains the old version of the keys, and some uploads
have been refused (because the new subkey is not known yet). While the
latter is only a minor inconvenience (as I can sign package changes
with my primary GPG key), the first one is worrysome. It means that my
revoked key can still be used to upload Debian packages.

Fortunately, I revoked this key as a maintenance operation. But what
happens if a developer gets its key compromised? Does he have any way
of making sure that the revocation certificate he generates will be
taken in account immediately?

I think that developers (and anyone in fact) should be able to update
keys in Debian's keyring (let's not forget that any operation
potentially harmless to the project needs the owner to sign the
operation, so this is not a risk) and those changes should be taken in
account immediately.

What do other developers think? Is it worth developing a little piece
of code so that keys sent to key-update@debian.org (or whatever) *and*
already existing in the keyring are incorporated automatically?


PS/  please let's not make this a flamewar: keyring-maint@debian.org
     did nothing wrong by not answering my mail immediately, I just
     question the procedure for updating keys that could be made
     automatic for the benefit of everybody;

PPS/ also, if you do not exactly understand how uids, subkeys and revocation
     certificates work, please refrain from answering this mail before
     reading the documentation on, for example, http://www.gnupg.org/
Samuel Tardieu -- sam@debian.org

Attachment: pgp3FKfXJWOaL.pgp
Description: PGP signature

Reply to: