
Re: Request for Help: apt 0.6

Florian Weimer wrote:
> * Henrique de Moraes Holschuh:
> > You still need to deal with key revocation and a new key being needed,
> > anyway.  Yearly changes will not make it more difficult, it will make sure
> > those codepaths are tested (and used at least once a year).

> I can understand that in an ideal world, there would be a master key
> stored off-line which would be used to sign (and revoke) the release
> keys.  In case of a compromise, the master key can be used to
> introduce a new release key (without intervention by the system
> administrator).
> But I doubt this is really necessary.  If the release key is
> compromised, a DSA would have to be released anyway.  This advisory
> would include the necessary steps to remove the compromised key from
> the system.  Do we really need to automate this?
> You could even argue that the scheme without a master key is more
> secure because the number of trusted parties is smaller, and no one
> can introduce a new release key in a covert manner.  It boils down to
> what we are trying to secure.  AFAICS, the main risks are network
> layer attacks on the user and mirror breaches.  Easy recovery from a
> compromised archive infrastructure shouldn't be a top priority, and it
> might well be impossible if the attack was successful (the "single
> point of ownership" problem).

Even though this will probably work well on a small scale, it won't on
a large scale.  Just think about the installations of 500 or 1000
Debian machines that also have security support.  This is not
hypothetical.  These installations do exist.  You don't want to
install a new key manually on them.



Open source is important from a technical angle.             -- Linus Torvalds

Please always Cc to me when replying to me on the lists.
