Re: APT public key updates?

To: debian-devel@lists.debian.org
Subject: Re: APT public key updates?
From: Thomas Bushnell BSG <tb@becket.net>
Date: Thu, 05 Jan 2006 23:15:08 -0800
Message-id: <[🔎] 874q4hesjn.fsf@becket.becket.net>
In-reply-to: <[🔎] 20060106033836.GG24652@tennyson.dodds.net> (Steve Langasek's message of "Thu, 5 Jan 2006 19:38:37 -0800")
References: <[🔎] 2fl64oz1tpi.fsf@saruman.uio.no> <[🔎] 1136416078.4526.1.camel@localhost> <[🔎] 20060105200205.GB20228@kitenet.net> <[🔎] 20060105221306.GA8597@top.ping.de> <[🔎] 2flr77mp5lx.fsf@saruman.uio.no> <[🔎] 20060106003106.GD24652@tennyson.dodds.net> <[🔎] 877j9ep4ny.fsf@becket.becket.net> <[🔎] 20060106033836.GG24652@tennyson.dodds.net>

Steve Langasek <vorlon@debian.org> writes:

> For a user with a compromised local network, the only safe solution is to
> validate the new key via some web of trust.  This is the feature that's
> missing today, to give Joe User some reasonable method of checking keys
> against the web of trust before importing them.

I think I understand now.  This is very helpful.

So suppose I said that "I trust keys sign by AJ Towns."  I could then
indicate that.  Of course, I am now susceptible to any compromise of
AJ's key, right?

But that means that AJ should rotate his key too.  How do I know which
key is really AJs?  By checking the signatures, from keys which could
be compromised and so they should rotate.  And so on, and so on.  All
of us need to start rotating all out keys in order for this to work.

Another way to put the same point, inverted if you will, is to ask why
it's ok to trust AJs non-rotating key, but not to trust a non-rotating
archive key.

>> If the key is compromised, which is the only way the non-expiring key
>> method can be broken, then the expiring key doesn't seem to be
>> offering all that much additional security.  
>
> Indeed it doesn't.  Ideally, if the previous key has been compromised, users
> would be verifying the integrity of the new key using other signatures; but
> in the worst case, verifying using the signature from the previous key (if
> they're disconnected from the web of trust) is no worse than not being able
> to verify it at all.

I think I now understand better, and I can better express the
uncertainty I was groping at.  A key is only as good as the keys that
sign it.  The reason for rotating the key is that there is some
non-zero risk that it will be compromised, and this limits exposure.
But in order to validate the new key, which is only as good as its
signatures, I must rely on whatever signs the new key.

I trust AJ.  So I trust AJ to sign the new key correctly.  Surely, it
seems to me, the risk of AJ allowing his own key to be compromised is
just about the same as the risk of his allowing the archive key to be
compromised.  What am I missing?

Thomas

Reply to:

Follow-Ups:
- Re: APT public key updates?
  - From: Anthony Towns <aj@azure.humbug.org.au>
- Re: APT public key updates?
  - From: Steve Langasek <vorlon@debian.org>

References:
- APT public key updates?
  - From: Petter Reinholdtsen <pere@hungry.com>
- Re: APT public key updates?
  - From: Daniel Leidert <daniel.leidert.spam@gmx.net>
- Re: APT public key updates?
  - From: Joey Hess <joeyh@debian.org>
- Re: APT public key updates?
  - From: Michael Vogt <mvo@debian.org>
- Re: APT public key updates?
  - From: Petter Reinholdtsen <pere@hungry.com>
- Re: APT public key updates?
  - From: Steve Langasek <vorlon@debian.org>
- Re: APT public key updates?
  - From: Thomas Bushnell BSG <tb@becket.net>
- Re: APT public key updates?
  - From: Steve Langasek <vorlon@debian.org>

Prev by Date: Re: APT public key updates?
Next by Date: Re: APT public key updates?
Previous by thread: Re: APT public key updates?
Next by thread: Re: APT public key updates?
Index(es):
- Date
- Thread