[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Request for Help: apt 0.6

On Mon, Feb 14, 2005 at 08:04:51PM +0100, Peter Palfrader wrote:
> A similar 2 key system is probably a good idea for security, and maybe
> also for the normal rotated keys (just ship 2005 and 2006 keys now).

i think having two keys would make logistics a lot simpler for release
upgrades, assuming we had a system that mandated valid gpg signatures.
like you suggest, only use one of the two keys, and additionally have
the backup key's secret stored offline in a safe place (does SPI have
a lock box or safe deposit box we could use?).

when it comes time for a new release, or if there is a serious security
breach, et c, the new key could be brought out, used to sign a new backup
key (which would be placed back in the lockbox), the package providing the
key could be updated, and life could happily go on.



Attachment: signature.asc
Description: Digital signature

Reply to: