On Wed, Jun 18, 2014 at 10:05:32AM -0700, Russ Allbery wrote: > Vincent Lefevre <vincent@vinc17.net> writes: > > On 2014-06-17 13:20:59 +0100, Simon McVittie wrote: > > >> It should be possible to make a CA certificate that is only considered to > >> be valid for the spi-inc.org and debian.org subtrees, and then trust the > >> assertion that SPI control that certificate - but in widely-used > >> applications, that isn't possible. If SPI can sign certificates for > >> debian.org, then they can also sign certificates for my bank, and my > >> browser will think those are just as valid. > > > I agree. However I don't think that the particular case of a Debian Root CA > > would be a problem, since you must absolutely trust it. If something bad > > happens at this level, this would mean that downloaded packages from > > debian.org may actually be compromised ones, and in such a case, your whose > > machine should be regarded as compromised. > > This is only true if the root CA is maintained with the same level of > security as the PGP signing key for the archive. While that's something that > we could probably do (although it's worth not underestimating how much care > goes into maintaining that key), we cannot maintain the same level of > security on the individual certificates signed by that CA. In order to use > them to secure apt transactions, this necessarily implies distributing the > private keys across our mirror network. We _could_ become a PKI and ask that the mirror operators submit CSRs. They would retain the private key, we'd issue a certificate signed by the Debian CA. We could revoke (hah!) certificates if a mirror operator goes away or misbehaves. We could configure apt to only accept the Debian CA and certificates it issues, and to fail if the CRL/OCSP is unreachable. > The signing key for the archive is inherently much easier to secure properly > than any user-facing key for a debian.org domain because the signing key for > the archive can live on one and only one machine that is secured as tightly > as we are capable of securing it and which is under the exclusive control of > the relevant core teams in Debian. > > Because of that, I would much rather find good ways to trust the PGP > signatures on the archive than to attempt to do anything with X.509. The > trust model and key management properties of X.509 are inherently inferior > for our purposes. But I far prefer the OpenPGP approach to securing the Archive. -- Luca Filipozzi http://www.crowdrise.com/SupportDebian
Attachment:
signature.asc
Description: Digital signature