
Re: new archive signing keys for Debian 13/trixie



Hi,

On 4/6/25 4:04 PM, Simon Josefsson wrote:
Some questions were asked in
https://lists.debian.org/debian-devel/2024/02/msg00009.html quoted here
again for easy reference:

2) For each private key, information about its management and lifecycle.
    Relevant questions include:

  a) How was the key generated?  By whom?  On what hardware?  What
     software?  In what environment?  What legal jurisdiction applies to
     the people involved?

  b) How is the key stored and protected during its lifetime?  What media
     is used?  Who controls the physical storage of the key?  How are they
     stored and transported?  What jurisdiction?

  c) Under what policy is the key used?  What should it sign?  Who
     authorizes the signing?  What hardware and software is used?  What
     jurisdiction?

  d) For externally held keys, what are the legal terms we use the keys
     under?  What insight into key transparency questions do we have?
     What of those can we make public?  How do they restrict what we are
     allowed to do?

I understand that people would like transparency here. I am currently working on a key inventory. However, I do not think that the time is right to put this all out into the open.

The crucial parts are okay to share: The online keys are hardware-backed.

In general it should not be surprising to observers that Debian is currently subject to the software export regime of the United States of America and thus our archive is living there.

If we want a key usage transparency log, I think that's fine - but that'd require an actual proposal, with code integrated into dak. Or optimally more generically in a way where we could also reuse it for other signatures like the ones generated for images.

Kind regards
Philipp Kern

