
Re: bits from the release team



* Pierre Habouzit:

> Proposal 1:
> Proposal 2:
> Proposal ...:

Sure, it is possible to devise arbitrarily complex schemes.  For a key
that is basically used to create a digital signature that protects
against tampering along the mirror network, even yearly key rotation
is way over the top.

> IMHO, changing the key every year at any date is not problematic at all,
> because there are plenty of solutions to do smooth replacement of the
> key.

Our past experience totally and completely contradicts your claim.  So
far, each key transition has posed difficulties to significant numbers
of users, even though no stable release had been affected.

This is not a Debian-specific problem.  Symantec and Microsoft
customers experienced significant trouble related to key rollover
issues.  The web browser vendors and the browser PKI auditors view key
rollover as a significant risk, and demand that CA root certificates
do not expire at all.  The DNSSEC folks haven't found a solution to
this problem, either.

Based on these observations, I conclude that periodic key rollover for
keys that are used in behind-the-scenes cryptographic operations
simply does not work, and it's not terribly likely that it ever will.
Forcing it on Debian users would be madness.


