Re: Security guidelines for Debian people
On Thu, November 3, 2011 18:44, Henrique de Moraes Holschuh wrote:
> On Thu, 03 Nov 2011, Jakub Wilk wrote:
>> * Lars Wirzenius <liw@liw.fi>, 2011-10-30, 17:33:
>> >>Personally, I think some guidelines for DD's about securing
>> >>their personal machines where their private keys are located
>> >>would be a good idea. It would be a lot better than just having
>> >>a vague and ineffable thing called "trust".
>> >
>> >I agree. I offer the following as a first approximation, targeted
>> >specifically for key management.
>> >
>> >* These are meant to provide an idea of the minimal acceptable
>> standard.
>> >* Store your master PGP keys on at least two USB thumb drives.
>>
>> This seems to suggest that having multiple copies of the PGP key
>
> Multiple *offline* copies, in an encrypted container.
This thread reminds me of a Dutch management book entitled "Managing
Professionals? Don't do it!"[1].
We shouldn't prescribe how many copies of a key one should keep where in
which crypto containers, or whether you should use an USB thumb drive,
smart card or a floppy to do it.
DD's are technically competent people and are perfectly able to decide
what adequate protection for their private key material should look like.
They don't need the guidelines for that, in fact, they can do without the
associated signal that there's a need that they be micromanaged about
this.
Indeed, I oppose the assertion that such guidelines are 'a lot better than
just having a vague and ineffable thing called "trust"'. Trusting DD's to
do the right thing is an important value for Debian.
Thijs
[1] 9789055943524
Reply to: