
Re: APT public key updates?

On Thu, Jan 05, 2006 at 11:15:08PM -0800, Thomas Bushnell BSG wrote:
> But that means that AJ should rotate his key too. 

Yes. In theory I'd do that once every five years or so; in practice
longer. :-/

> Another way to put the same point, inverted if you will, is to ask why
> it's ok to trust AJ's non-rotating key, but not to trust a non-rotating
> archive key.

The archive key should rotate more often than my personal key because it's
more vulnerable. An additional reason to rotate it is that it's possessed
by different people -- in 2004, it could be accessed by ftpmaster (James,
Ryan, Randall, Dan, Mike and me) and by various DSA folks (Wichert and
Joey, in particular I think); this year's can be accessed by ftpmaster but
not ftp assistants (so James, Ryan and me), and DSA folks. Key rotation
(whether scheduled or unscheduled) is the only way to ensure people's
authorisation can actually be revoked.

> I think I now understand better, and I can better express the
> uncertainty I was groping at.  A key is only as good as the keys that
> sign it.  

No, a key is only as good as (a) how hard it is to break; and (b) how
easy it is to trust. Key rotation helps make it harder to break (since
the 2004 key won't do you much good now); and also forces us to consider
how to make new keys easy to trust, which we otherwise might neglect.

> But in order to validate the new key, which is only as good as its
> signatures, I must rely on whatever signs the new key.

There are out of band ways too; if you trust publishers to not be trying
to actively exploit you, you can look at fingerprints published in a book;
if you trust that your ISP is pretty reliable, you might be confident 
that http://ftp-master.d.o/ziyi_key_2006.asc is actually what it should be;
if you trust that any attacker is going to have limited power, you might be
confident that looking at a variety of books, or downloading the key from a
variety of ISPs on different days will only result in the same fingerprint if
it's the correct one.

> I trust AJ.  So I trust AJ to sign the new key correctly.

You can also look at James', Ryan's or Steve's signature on the key, and trust
that they've verified it appropriately, if you trust them.

> Surely, it
> seems to me, the risk of AJ allowing his own key to be compromised is
> just about the same as the risk of his allowing the archive key to be
> compromised.  What am I missing?

That one day I might not be ftpmaster, so you'll need some other way to
verify the next key we put out -- whether due to an annual rotation,
an actual compromise, a key length upgrade, a potential compromise,
catastrophic data loss, or some other reason.

So you need something more than just "I trust AJ". No one's worked out
exactly what that should be yet.


Attachment: signature.asc
Description: Digital signature
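
The out-of-band check described in the message above (fetch the same key by several independent paths and accept it only if every copy yields the same fingerprint), as an added example that is not part of the original message or of any Debian tooling. The function names, the source labels and the sample key bytes are constructed for illustration; the fingerprint rule is the OpenPGP v4 one (SHA-1 over 0x99, a two-octet length and the public-key packet body).

```python
import base64, hashlib

def dearmor(text):
    """Return the binary packets inside an ASCII-armored OpenPGP block."""
    lines = [l.strip() for l in text.strip().splitlines()]
    start = lines.index("") + 1              # data begins after the blank line
    data = [l for l in lines[start:] if not l.startswith(("=", "-----"))]
    return base64.b64decode("".join(data))

def key_packet_body(pkt):
    """Body of the leading Public-Key packet (tag 6), old or new header format."""
    hdr = pkt[0]
    if hdr & 0xC0 == 0x80 and hdr & 3 != 3:  # old format, definite length
        tag, size = (hdr >> 2) & 0x0F, 1 << (hdr & 3)
        n, off = int.from_bytes(pkt[1:1 + size], "big"), 1 + size
    elif hdr & 0xC0 == 0xC0 and pkt[1] < 224:  # new format, 1- or 2-octet length
        tag, first = hdr & 0x3F, pkt[1]
        if first < 192:
            n, off = first, 2
        else:
            n, off = ((first - 192) << 8) + pkt[2] + 192, 3
    else:
        raise ValueError("unsupported or malformed packet header")
    body = pkt[off:off + n]
    if tag != 6 or len(body) != n or body[:1] != b"\x04":
        raise ValueError("expected a complete v4 public-key packet")
    return body

def fingerprint(armored):
    """v4 fingerprint: the header encoding must not change the result."""
    body = key_packet_body(dearmor(armored))
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()

def agreed_fingerprint(copies, min_sources=3):
    """copies maps a source label to the armored key fetched by that path."""
    seen = {src: fingerprint(text) for src, text in copies.items()}
    if len(seen) < min_sources or len(set(seen.values())) != 1:
        raise ValueError(f"not enough agreeing sources: {seen}")
    return next(iter(seen.values()))

def armor(pkt):  # helper used only to build the constructed sample below
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n" + base64.b64encode(pkt).decode()
            + "\n-----END PGP PUBLIC KEY BLOCK-----\n")

# Constructed sample: a fake v4 key body (not a real key) behind an old-format header.
BODY = b"\x04" + (1136505600).to_bytes(4, "big") + b"\x11" + bytes(range(40))
GOOD = armor(b"\x99" + len(BODY).to_bytes(2, "big") + BODY)
```

Agreement only shows that the paths returned the same key; how much that is worth depends on how independent the paths are, which is the trust assumption the message spells out.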