Re: Q: Where is keyring packaging guideline?

To: Adam Borowski <kilobyte@angband.pl>
Cc: debian-devel@lists.debian.org
Subject: Re: Q: Where is keyring packaging guideline?
From: Wouter Verhelst <wouter@debian.org>
Date: Tue, 21 Aug 2018 15:41:20 +0200
Message-id: <[🔎] 20180821134120.GB22527@grep.be>
In-reply-to: <[🔎] 20180821111503.xwvzb3bh56zx7cxq@angband.pl>
References: <[🔎] CAJW8SQckL49vZCMLxf6MLUDKzfbkBgby3TPh031c39VqDvZisw@mail.gmail.com> <[🔎] CAKTje6EsFRrte5BFKwqdqjBgCxG+LLxTp1faasLvK8qthnAU1Q@mail.gmail.com> <[🔎] 20180821111503.xwvzb3bh56zx7cxq@angband.pl>

On Tue, Aug 21, 2018 at 01:15:03PM +0200, Adam Borowski wrote:
> On Tue, Aug 21, 2018 at 01:39:29PM +0800, Paul Wise wrote:
> > On Tue, Aug 21, 2018 at 1:21 PM, Kentaro Hayashi wrote:
> > 
> > > I want to make 3rd party keyring package (ITP). In the advance, I
> > > want to know a best practice about *keyring* packaging. Any hints?
> > 
> > >   sudo apt install -y -V --allow-unauthenticated foobar-keyring
> > >   This is reasonable because there is no correct key yet before
> > >   installing it.
> > 
> > I don't think this is appropriate at all. Instead, always use an
> > out-of-band mechanism for confirming the appropriate OpenPGP keys.
> > Having the keyring package in Debian itself is a good idea, but at
> > very bare minimum, download the key or fingerprint from a website that
> > uses a valid TLS certificate according to the X.509 CA trust model.
> 
> Uh, what?
> 
> You do realize that the CA cartel model is security theatre, intentionally
> subverted to provide so-called "responsible encryption"?  To break it, you
> need to either:
> * control _any_ of thousands of CAs (not merely roots), many of which have
>   already been caught issuing MITM certs or are otherwise well-known to be
>   conducting massive scale MITM by other means.  Some of those were papered
>   over as "it was just a honest error, we swear!", some led to removal from
>   ca-certificates -- all while multiple other CAs controlled by the same
>   government are still there.
> * get hold of a SSL private key.  Unlike gpg which can be done offline, SSL
>   keys must be available on every front-end server all the time.
> 
> Thus, having a trust anchor provided in the Debian archive would be a
> massive improvement.

Sure. But what Paul mentioned "at very bare minimum". That is, better
options are available, but it's easy to do better than
"--allow-unauthenticated" and that should really not be encouraged.

I agree that having a key fingerprint on a valid TLS website is less
good than having a trust anchor in Debian, but it is much better than to
just install any random key with --allow-unauthenticated, or something
similar.

-- 
Could you people please use IRC like normal people?!?

  -- Amaya Rodrigo Sastre, trying to quiet down the buzz in the DebConf 2008
     Hacklab

Reply to:

Follow-Ups:
- Re: Q: Where is keyring packaging guideline?
  - From: Adrian Bunk <bunk@debian.org>

References:
- Q: Where is keyring packaging guideline?
  - From: Kentaro Hayashi <kenhys@gmail.com>
- Re: Q: Where is keyring packaging guideline?
  - From: Paul Wise <pabs@debian.org>
- Re: Q: Where is keyring packaging guideline?
  - From: Adam Borowski <kilobyte@angband.pl>

Prev by Date: Re: Q: Where is keyring packaging guideline?
Next by Date: Re: Q: Where is keyring packaging guideline?
Previous by thread: Re: Q: Where is keyring packaging guideline?
Next by thread: Re: Q: Where is keyring packaging guideline?
Index(es):
- Date
- Thread