
Re: bits from the release team



* Goswin von Brederlow:

> Florian Weimer <fw@deneb.enyo.de> writes:
>
>> * Goswin von Brederlow:
>>
>>> Doesn't work if the key is ever compromised and a new one has to be
>>> created out of schedule. Or when you spend your x-mas holidays away
>>> from your system and couldn't upgrade before New Year's Eve.
>>
>> Exactly, and this begs the question why we rotate keys at all.
>
> A key might be compromised without our knowledge.

Wouldn't it make more sense to rotate it monthly, then?  Why only
replace it once a year?  Why not once every three years?  Or once per
release cycle?

> But that is not relevant to the problem. Experience shows that keys do
> get compromised and need changing. So rotation or no rotation the key
> change has to be handled anyway. Rotation just adds it at specific
> intervals on top of random events.

Could you point me to a deployment which relies on key rotation to
deal with key compromises? 8-)

Our users would surely thank us if we just put that damn key onto an
HSM[1] (so that a host compromise would allow an attacker to generate
a limited number of signatures only, while he or she has got access to the host).

[1] Even one of those OpenPGP smartcards would be good enough because
    we only need to make a few signatures once or twice a day.


