
Re: Security guidelines for Debian people



On Sun, Nov 06, 2011 at 11:52:02AM +0100, Milan Zamazal wrote:
> I also agree that having a best practice document is useful.
> 
> Here are some suggestions for clarification:
> 
> - The wiki page says:

Meta-discussion note: the wiki page referred to is
http://wiki.debian.org/subkeys -- and all the discussion so far
has been about PGP encryption keys. Does anyone have any points
about other kinds of security guidelines for Debian developers?
Perhaps about how to properly check for rootkits on one's
computer?

>   This is confusing as when someone gets access to signing and
>   encryption subkeys, he can also perform very harmful actions to Debian
>   etc. until the real owner detects the problem and revokes his subkeys
>   or until the subkeys expire.  So keeping a master key very safe is
>   important for other reasons: to make replacing a compromised key
>   easier and to prevent signing other people's keys (until the
>   compromised master key is revoked).  But not to make package uploads
>   safer, right?

That's a fair point. Could you update the subkeys wiki page 
accordingly?

> - It's not clear to me how much it makes sense (unless the key is
>   protected by a poor password) to keep a master key just on separate
>   offline drives if it is created or used on a system that has ever been
>   connected to a network, especially when the computer is used for other
>   purposes than signing.

That's an important value decision: where do you draw the line? I don't
think it's realistic to require Debian developers to have two computers,
one dedicated for using with the master PGP key. Booting off a separate
medium (CD or USB drive, for example) might be practical enough. On
the other hand, I'm OK with people keeping their development systems
generally secure and then also using them for the master key. Thoughts?

-- 
Freedom-based blog/wiki/web hosting: http://www.branchable.com/
