
Re: State of the debian keyring

Matthias Urlichs said [Sun, Feb 23, 2014 at 10:23:47AM +0100]:
> That's somewhat true for now given a sufficiently-motivated attacker, but
> if *afterwards* some nefarious $CENSORED gets the idea that $DD would be a
> nice target for hacking their key, they'd be out of luck. They'd also be
> out of luck if the DD's new key happens to already exist (which the DD
> who's asked to sign the new key should obviously check).
> Thus I would add the new key provisionally; if it doesn't get any new
> signatures from DDs with non-provisional strong keys during, say, the
> rest of this year, then delete it from the keyring.

Our tools (and I don't only mean keyring-maint, but our projectwide
tools) support only one key per person. And frankly, I do not see a
case where adding a second one would increase security. Yes, it could
make the transition a little bit easier, but I don't think it is a
change we should push. (Or maybe I misunderstood your suggestion).

> However, I see another problem.
> http://keyring.debian.org/replacing_keys.html states that, if Alice wants to
> get her key X replaced with key Y,
> >> Alice must get a Debian developer […] to sign a message requesting the
> >> replacement of key X with key Y on behalf of Alice
> … which IMHO is an unnecessary burden if Alice's old and new key are
> valid and sufficiently DD-signed.

Well, it is a hurdle, but not an insurmountable one. If you have an
active, valid key, you can just sign with your own key and get a new
one in the keyring, as long as it has at least two DD signatures. That
assures us your computer was not h4x0red in order to steal your
identity and lock you out. Say, in this (usual) case, "you" and
"Alice" can be the same party.

Now, if you lost control of your key (say, stolen computer), as soon
as we get notice, we will retire your key (and that's not subject to
our usual one month cycle as I told Marco for a *regular* key
replacement). In order to get your key signed, we need an
already-authenticated Alice (an Alice with her key in the keyring) to
produce the request. The new key must, of course, meet our standards —
must have two DD signatures on it. Note that it does *not* require
Alice's signature to be on it.
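The acceptance rules described in this message (request produced by a key already in the keyring, new key carrying at least two DD signatures, and the new key not already present, as Matthias notes the signing DD should check) can be applied offline to `gpg --list-sigs --with-colons` output. The following is an added illustration, not code from keyring-maint; the key IDs and the listing are constructed, and treating the requester's own signature as not counting toward the two is a conservative reading, not something the message states.

```python
from dataclasses import dataclass

# Constructed sample: long key IDs of active keyring members (not real DDs).
KEYRING = {
    "0123456789ABCDEF": "Alice (old key X)",
    "1111111111111111": "DD One",
    "2222222222222222": "DD Two",
}

# Constructed `gpg --list-sigs --with-colons` listing of candidate key Y.
# Field 5 (index 4) of a pub/sig record is the long key ID of the key/signer.
KEY_Y_LISTING = """\
pub:-:4096:1:FEDCBA9876543210:1392000000:::-:::scESC::::::23::0:
uid:-::::1392000000::HASH::Alice <alice@example.org>::::::::::0:
sig:::1:FEDCBA9876543210:1392000000::::Alice <alice@example.org>:13x:::::8:
sig:::1:0123456789ABCDEF:1392050000::::Alice (old key X):10x:::::8:
sig:::1:1111111111111111:1392100000::::DD One <one@example.org>:10x:::::8:
sig:::1:1111111111111111:1392200000::::DD One <one@example.org>:10x:::::8:
sig:::1:2222222222222222:1392300000::::DD Two <two@example.org>:10x:::::8:
sig:::1:9999999999999999:1392400000::::Stranger <x@example.net>:10x:::::8:
"""


@dataclass
class Verdict:
    new_keyid: str
    dd_signers: set          # distinct keyring members certifying key Y
    requester_in_keyring: bool
    already_in_keyring: bool  # key Y must not already be a keyring key

    @property
    def acceptable(self) -> bool:
        return (self.requester_in_keyring
                and len(self.dd_signers) >= 2
                and not self.already_in_keyring)


def check_replacement(listing: str, requester_keyid: str, keyring: dict) -> Verdict:
    new_keyid, signers = None, set()
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            new_keyid = f[4]
        elif f[0] == "sig" and f[4] in keyring:   # only keyring members count
            signers.add(f[4])                       # duplicates collapse
    signers.discard(new_keyid)         # Y's self-signature is not a DD signature
    signers.discard(requester_keyid)   # assumption: requester's own sig not counted
    return Verdict(new_keyid, signers, requester_keyid in keyring,
                   new_keyid in keyring)
```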
