Re: Security guidelines for Debian people
* Thijs Kinkhorst (thijs@debian.org) [111105 08:57]:
> On Thu, November 3, 2011 18:44, Henrique de Moraes Holschuh wrote:
> > On Thu, 03 Nov 2011, Jakub Wilk wrote:
> >> * Lars Wirzenius <liw@liw.fi>, 2011-10-30, 17:33:
> >> >>Personally, I think some guidelines for DD's about securing
> >> >>their personal machines where their private keys are located
> >> >>would be a good idea. It would be a lot better than just having
> >> >>a vague and ineffable thing called "trust".
> >> >
> >> >I agree. I offer the following as a first approximation, targeted
> >> >specifically for key management.
> >> >
> >> >* These are meant to provide an idea of the minimal acceptable
> >> standard.
> >> >* Store your master PGP keys on at least two USB thumb drives.
> >>
> >> This seems to suggest that having multiple copies of the PGP key
> >
> > Multiple *offline* copies, in an encrypted container.
>
> This thread reminds me of a Dutch management book entitled "Managing
> Professionals? Don't do it!"[1].
>
> We shouldn't prescribe how many copies of a key one should keep where in
> which crypto containers, or whether you should use an USB thumb drive,
> smart card or a floppy to do it.
i agree, rules like that become silly, quickly. but if someone
explains good "best practice" to me and motivates why it is
better then the alternatives, and how to integrate it into your
workflow and life, i certainly would be interested.
> DD's are technically competent people and are perfectly able to decide
> what adequate protection for their private key material should look like.
> They don't need the guidelines for that, in fact, they can do without the
> associated signal that there's a need that they be micromanaged about
> this.
>
> Indeed, I oppose the assertion that such guidelines are 'a lot better than
> just having a vague and ineffable thing called "trust"'. Trusting DD's to
> do the right thing is an important value for Debian.
i agree 112%.
Reply to: