Re: State of the debian keyring

To: Jonathan McDowell <noodles@earth.li>
Cc: debian-project@lists.debian.org, keyring-maint@debian.org
Subject: Re: State of the debian keyring
From: Henrique de Moraes Holschuh <hmh@debian.org>
Date: Sun, 23 Feb 2014 22:45:33 -0300
Message-id: <20140224014533.GA8063@khazad-dum.debian.net>
In-reply-to: <20140223172214.GY27090@earth.li>
References: <20140123220729.GA25523@scru.org> <20140222224148.GA2130@scru.org> <20140222234641.GA31478@roeckx.be> <20140223003506.GE30391@gwolf.org> <CAKTje6G5qiCLM3VFqh1i5c33g7B1rs60WmrJz0-7mYrsPmbwKA@mail.gmail.com> <20140223133005.GW27090@earth.li> <20140223154937.GA28552@khazad-dum.debian.net> <20140223172214.GY27090@earth.li>

On Sun, 23 Feb 2014, Jonathan McDowell wrote:
> On Sun, Feb 23, 2014 at 12:49:37PM -0300, Henrique de Moraes Holschuh wrote:
> > On Sun, 23 Feb 2014, Jonathan McDowell wrote:
> > >  * Requests need to include the full fingerprint of both the old and the
> > >    new key. Not just the key IDs. Not just the new key. We want to be
> > >    absolutely certain of what you're requesting replaced. I quite like
> > >    seeing the actual "gpg --fingerprint" output for both keys because it
> > >    tends to be quite easy to visually verify.
> > > 
> > >  * The new key must be signed by the old key that is being replaced.
> > > 
> > >  * The new key must be signed by 2 other keys that are present in the
> > >    Debian keyring.
> > > 
> > >  * The request must be signed by the old key. Signing the request with
> > >    the new key alone is not helpful - requests must always be signed by
> > >    a key that is currently in the active keyring. Signing it with both
> > >    is fine, but not required.
> > > 
> > >  * You should specify *why* you want to replace your key. Knowing that
> > >    it's because you're moving to a stronger key rather than because your
> > >    old key is compromised / unavailable / on fire helps us prioritise
> > >    things.
> > 
> > This is not what is written here:
> > http://keyring.debian.org/replacing_keys.html
> > 
> > Please update that page.  In particular, it *requires* a third party to
> > request the key swap on your behalf.
> 
> Paragraph 2 on that page states:
> 
> | If key X is still valid then Alice may sign the request using that key,
> | but must ensure key Y is signed by key X as well as at least 2 other
> | active Debian developers whose keys are in the keyring.

Hmm, ideed it does!  My bad, I apologise.

> What would you suggest as alternative wording which is clearer?

Well, since I did read that page three times in separate days and failed to
properly parse it, it does look like it might benefit from being a bit more
clear [1].

I suggest breaking the page into two separate sections, one for each main
use case:

1.  Key replacement protocol to use when the original key was NOT
    lost/compromised/revoked/destroyed and can still be used.

2.  Key replacement protocol to use when the original key *WAS*
    lost/compromised/revoked/destroyed and should not/cannot be used
    anymore.

I'd also drop any language that discourages key replacements and upgrades.
We *want* to get people to replace their keys more often than once every 15
years, and it is better for everyone if proper key expirity is used so that
cruft in the public keyring ends up expiring eventually.

Maybe we want to keep discouraging main key replacement "just because it
expired", but it should be clear that only applies if the key is recent
(less than two years old, IMHO).

We certaily don't want to make it look like key expirity is a bad thing.

Also, IMHO we do want subkeys to expire (and get replaced) a lot more often
as that doesn't require expensive human oversight (IMHO subkeys should be
replaced at least once every two years, and I'd prefer to do have them
expire in 2 years, with the rollover done a few months after the one-year
mark)[2].

[1]  That paragrah does everything you must never do when trying for text
clarity:  it is a paragraph with an absolute/extremely strong key (first)
sentence, has dense text, and a last sentence that contradicts the key
sentence through a weak conditional -- it is no wonder some people will fail
to grasp the desired idea unless they're paying a _lot_ of attention and
reading very slowly.

[2] subkey rollover is damn easy and automated: generate new subkeys, and
upload the key (which should still have the old set of subkeys as well as
the new set of subkeys) to the Debian keyserver and to the public keyserver
network.  Do that at least three months before the old set of subkeys will
expire.   NEVER remove the old subkeys from your own keys, even after they
expired, unless you *really* know what you're doing (and always keep
backups).

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh

Reply to:

References:
- Re: State of the debian keyring
  - From: Clint Adams <clint@debian.org>
- Re: State of the debian keyring
  - From: Kurt Roeckx <kurt@roeckx.be>
- Re: State of the debian keyring
  - From: Gunnar Wolf <gwolf@gwolf.org>
- Re: State of the debian keyring
  - From: Paul Wise <pabs@debian.org>
- Re: State of the debian keyring
  - From: Jonathan McDowell <noodles@earth.li>
- Re: State of the debian keyring
  - From: Henrique de Moraes Holschuh <hmh@debian.org>
- Re: State of the debian keyring
  - From: Jonathan McDowell <noodles@earth.li>

Prev by Date: Additional keyring data
Next by Date: Re: State of the debian keyring
Previous by thread: Re: State of the debian keyring
Next by thread: Re: State of the debian keyring
Index(es):
- Date
- Thread