[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: APT public key updates?

On Fri, Jan 06, 2006 at 05:22:44AM +0100, Bernd Eckenfels wrote:
> Nick Phillips <nwp@nz.lemon-computing.com> wrote:
> > If the 2006 key takes (say) 15 months to compromise, then it is fine
> > to use it to sign and verify the new key on 1/1/2007, so long as you
> > perform that verification before March...
> Or be able to proof the date of signing.

The only way to be confident the signing date is X/Y/ZZZZ is to have
had the key on that date -- otherwise someone can just set their clock
back, sign it with that date, and pretend "oh yeah, I did sign it then,
I just forgot to upload".

> > IOW using the old key to sign the new key only requires that the old
> > key be "good" at one point during the new year, whereas continuing to
> > use the old key requires that it be "good" all year.
> Yes, but it breaks a long term usage like web of trust.

How so? In the long term you end up with "aj signed 2005, aj and 2005
signed 2006, 2005 is expired"; I don't think there's anything broken in
that situation. 

We could potentially have the N key remain unexpired for the entire
period the N+1 key is used; or maybe have overlapping keys, so that:

    2006/01/01 - 2006/06/30: signed with 2006 key
    2006/07/01 - 2006/12/31: signed with 2006 + 2007 key

    2007/01/01 - 2007/06/30: signed with 2006 + 2007 key
    2007/07/01 - 2007/12/31: signed with 2007 + 2008 key

    2008/01/01 - 2008/06/30: signed with 2007 + 2008 key
    2008/07/01 - 2008/12/31: signed with 2008 + 2009 key

and in the event of a compromise, sign with:

    2006, 2007, 2006-reissued, 2007-reissued

on the basis that signing with the compromised 2006,2007 keys doesn't
add security, but doesn't take it away either, and that the keys will
be removed from the user's keyrings as part of a security update signed
in the above manner.

The above assumes keys represent one year, but are used for two years;
having them represent 6 months instead would allow them to continue expiring
after one year.


Attachment: signature.asc
Description: Digital signature

Reply to: