Re: apt in experimental (Re: APT 0.6 migration -- second status report)

On Wed, May 04, 2005 at 06:26:30PM -0400, sean finney wrote:

> istr discussing (or at least thinking to myself) a method of "rolling"
> keys, where one key was used to sign another key, which would then
> ideally be kept somewhere Safe for the case of unexpected expiration.
> this second key could then be used to sign a third key, and so-forth.
> i guess this wouldn't handle upgrades of apt that skipped a "key epoch",
> but that could probably be worked around by keeping the old keys around
> somewhere so that they could be used to somehow establish a chain of
> trust to the newest key.
> in the case of a compromise you'd still need an extra verification;
> because you'd have to assume that the compromised key could have been
> used by the mean people to sign phony keys.  that could pretty easily
> be accomplished by attaching another d-d's signature to it when it
> was generated, right?  if the key was really kept somewhere Safe, there
> would be no risk of the first key's compromise affecting it.

If you have some code which implements this, I will take a look, but this
sort of thing is very awkward to do with gpg, and I don't think that there
is much justification for this level of complexity.  The existing scheme is
simple, and works.

 - mdz
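As an added illustration of the rolling-key scheme sketched in the quoted message (this is example code written for this page, not code from the thread, from apt, or from any Debian tooling): each "key epoch" is signed by the previous epoch's key and, independently, by a second signer standing in for the "other d-d", and a client that trusts an old epoch walks the kept chain of intermediate epochs forward to the newest key. Ed25519 from the Go standard library replaces gpg here purely for self-containment; the Epoch structure, fingerprint scheme and co-signer requirement are assumptions of the example, not anything the thread specifies. The phony fourth epoch at the end models the compromise case the message raises: a key signed only by a compromised epoch key, which the co-signature check rejects.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Epoch is one "key epoch" in the rolling-key scheme (structure assumed for
// this example): the archive key for that epoch plus signatures over it.
// Sigs maps a signer's fingerprint to that signer's Ed25519 signature over Pub.
type Epoch struct {
	N    int
	Pub  ed25519.PublicKey
	Sigs map[string][]byte
}

// fp is a short fingerprint used only to index Sigs (constructed for the example).
func fp(pub ed25519.PublicKey) string { return hex.EncodeToString(pub[:8]) }

// genKey returns a fresh Ed25519 key pair.
func genKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// sign attaches the signer's signature over e.Pub to e.
func sign(e *Epoch, signerPub ed25519.PublicKey, signerPriv ed25519.PrivateKey) {
	e.Sigs[fp(signerPub)] = ed25519.Sign(signerPriv, e.Pub)
}

// Verify walks forward from the epoch the client already trusts to target.
// Each step requires (a) a valid signature by the previous epoch's key and
// (b) a valid signature by the independent co-signer. Keeping every
// intermediate epoch in chain is what lets a client that missed several
// upgrades still establish trust in the newest key.
func Verify(chain []Epoch, trusted, target int, cosigner ed25519.PublicKey) error {
	if trusted < 0 || target >= len(chain) || trusted > target {
		return errors.New("bad epoch range")
	}
	for i := trusted + 1; i <= target; i++ {
		prev, cur := chain[i-1], chain[i]
		sig, ok := cur.Sigs[fp(prev.Pub)]
		if !ok || !ed25519.Verify(prev.Pub, cur.Pub, sig) {
			return fmt.Errorf("epoch %d: no valid signature by epoch %d key", cur.N, prev.N)
		}
		csig, ok := cur.Sigs[fp(cosigner)]
		if !ok || !ed25519.Verify(cosigner, cur.Pub, csig) {
			return fmt.Errorf("epoch %d: missing co-signature", cur.N)
		}
	}
	return nil
}

// BuildDemo constructs a three-epoch chain (epoch 0 is the root a client
// trusts out of band) plus a phony fourth epoch signed only by the epoch-2
// key, modelling that key having been compromised. Returns the chain, the
// phony epoch and the co-signer's public key.
func BuildDemo() ([]Epoch, Epoch, ed25519.PublicKey) {
	coPub, coPriv := genKey()
	var chain []Epoch
	var prevPriv ed25519.PrivateKey
	for n := 0; n < 3; n++ {
		pub, priv := genKey()
		e := Epoch{N: n, Pub: pub, Sigs: map[string][]byte{}}
		if n > 0 {
			sign(&e, chain[n-1].Pub, prevPriv) // previous epoch signs this one
		}
		sign(&e, coPub, coPriv) // independent co-signature on every epoch
		chain = append(chain, e)
		prevPriv = priv
	}
	phonyPub, _ := genKey()
	phony := Epoch{N: 3, Pub: phonyPub, Sigs: map[string][]byte{}}
	sign(&phony, chain[2].Pub, prevPriv) // only the compromised key vouches for it
	return chain, phony, coPub
}

func main() {
	chain, phony, coPub := BuildDemo()
	fmt.Println("trust epoch 0, verify epoch 2:", Verify(chain, 0, 2, coPub))
	fmt.Println("phony epoch 3:", Verify(append(chain, phony), 0, 3, coPub))
}
```

The two checks in Verify are deliberately separate so that a failure report names which link in the chain is missing; in practice the chain itself (the old public keys and the signatures over each successor) is the artefact that has to be shipped and kept, which is the storage and tooling cost the reply above weighs against the simpler single-key scheme.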

