
Re: improving downloader packages (was: Re: holes in secure apt)



On Fri, 2014-06-20 at 09:17 +0200, Raphael Hertzog wrote: 
> Why not switch it to something more dynamic ?
Sounds good... 


> Make the package an empty shell with symlinks pointing to
> /var/lib/debian-keyring/, add a cron job that rsyncs the keyring
> to that directory.
I've just thought about that... and my initial thought was... use the
global keyserver network for this.


But my second thought reminded me of what I often brought up here before
and what I've now forgot myself:

If you use the keyserver network, a solution like rsync or anything
similar, then you may easily become vulnerable to blocking/downgrade
attacks.

Examples:
- I pull in new keys/signatures either via SKS keyservers, rsync or some
other dynamic method.
- Attacker gives me however an old state of the keys/signatures, where
e.g. a compromised key is not yet revoked, or he simply drops the
revocation signature.
- I won't notice this, and happily verify any packages/etc. since I
think the signature is still valid.


Thus, if any dynamic key retrieval would be implemented, the following
would have to be done:
- secured connection to some fully trusted server (i.e. not one that
uses hkps with GANDI certs :P) in order to prevent any blocking attacks.
- some valid from/through information would need to be verified in order
to prevent any downgrade/replay attacks.


Cheers,
Chris.
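As an added illustration (not code from the original mail, nor from Debian's keyring or apt tooling): a minimal Python model of the two mitigations listed above. The trusted server publishes the keyring as a signed snapshot carrying a monotonically increasing serial and a valid-from/valid-until window; the client verifies the signature, refuses snapshots outside their window or with a rolled-back serial, and fails closed once its last accepted snapshot expires, so that an attacker who merely withholds updates gains only a bounded delay. The signing key, fingerprint and dates are constructed, and an HMAC stands in for the OpenPGP signature a real deployment would use; both are assumptions of this example.

```python
"""Freshness-checked keyring snapshots: rejecting replayed or withheld updates."""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Constructed stand-in for the trusted server's signing key (assumption).
# A real deployment would use an asymmetric/OpenPGP signature; HMAC keeps
# this example self-contained and offline.
SERVER_KEY = b"constructed-demo-key-not-a-real-secret"


def canonical(body: dict) -> bytes:
    """Deterministic encoding so signer and verifier MAC identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_snapshot(keyring: dict, serial: int,
                  valid_from: datetime, valid_until: datetime) -> dict:
    """Server side: bundle keyring, serial and validity window, then sign."""
    body = {
        "serial": serial,
        "valid_from": valid_from.isoformat(),
        "valid_until": valid_until.isoformat(),
        "keyring": keyring,
    }
    sig = hmac.new(SERVER_KEY, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


class BadSignature(Exception):
    pass


class StaleSnapshot(Exception):
    pass


class KeyringClient:
    """Client side: accept only snapshots that are authentic, current and not older."""

    def __init__(self):
        self.last_serial = 0      # a real client persists this across runs
        self.valid_until = None
        self.keyring = {}

    def update(self, snapshot: dict, now: datetime) -> None:
        body = snapshot["body"]
        expected = hmac.new(SERVER_KEY, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, snapshot["sig"]):
            raise BadSignature("snapshot signature does not verify")
        valid_from = datetime.fromisoformat(body["valid_from"])
        valid_until = datetime.fromisoformat(body["valid_until"])
        if not valid_from <= now <= valid_until:
            raise StaleSnapshot("snapshot outside its validity window")
        # The monotonic serial defeats replay of an older, still-unexpired snapshot.
        if body["serial"] < self.last_serial:
            raise StaleSnapshot("serial %d older than installed %d"
                                % (body["serial"], self.last_serial))
        self.last_serial = body["serial"]
        self.valid_until = valid_until
        self.keyring = body["keyring"]

    def key_is_valid(self, fingerprint: str, now: datetime) -> bool:
        """Fail closed: a withheld update surfaces as an expired snapshot."""
        if self.valid_until is None or now > self.valid_until:
            raise StaleSnapshot("no current keyring snapshot; refusing to verify")
        entry = self.keyring.get(fingerprint)
        return entry is not None and not entry["revoked"]


def run_scenario() -> dict:
    """Walk through the attack described in the mail, with constructed data."""
    t0 = datetime(2014, 6, 20, tzinfo=timezone.utc)   # constructed date
    day = timedelta(days=1)
    fpr = "0123456789ABCDEF0123456789ABCDEF01234567"  # constructed fingerprint
    snap1 = sign_snapshot({fpr: {"revoked": False}}, 1, t0, t0 + 7 * day)
    snap2 = sign_snapshot({fpr: {"revoked": True}}, 2, t0 + day, t0 + 8 * day)

    client, out = KeyringClient(), {}
    client.update(snap1, t0)
    out["before_revocation"] = client.key_is_valid(fpr, t0)
    client.update(snap2, t0 + day)
    out["after_revocation"] = client.key_is_valid(fpr, t0 + day)

    # Replay: snap1 is still inside its window, but its serial has been superseded.
    try:
        client.update(snap1, t0 + 2 * day)
        out["replay"] = "accepted"
    except StaleSnapshot:
        out["replay"] = "rejected"
    out["after_replay"] = client.key_is_valid(fpr, t0 + 2 * day)

    # Forgery: bump snap1's serial without re-signing; the MAC no longer matches.
    forged = {"body": dict(snap1["body"], serial=3), "sig": snap1["sig"]}
    try:
        client.update(forged, t0 + 2 * day)
        out["forgery"] = "accepted"
    except BadSignature:
        out["forgery"] = "rejected"

    # Blocking: no further updates arrive; after snap2 expires the client refuses.
    try:
        client.key_is_valid(fpr, t0 + 9 * day)
        out["blocked"] = "still verifying"
    except StaleSnapshot:
        out["blocked"] = "refused"
    return out


if __name__ == "__main__":
    print(run_scenario())
```

The validity window is what turns a silent blocking attack into a loud failure: the client can no longer sit on a stale keyring forever, so the server must republish before each window ends, and the window length is the upper bound on how long a dropped revocation stays unnoticed.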
