
Re: Secure APT Key Management

Thus spoke Goswin von Brederlow <brederlo@informatik.uni-tuebingen.de> [2006.07.26.1601 +0100]:
> If you can get ftp-master to put the key in that place then I'm
> willing to patch apt to use it for key updates with enough checking
> and interactivity to make it safe.

I am much in disfavour of any method that automatically makes APT
trust keys downloaded over the network. If the key came from media
we distribute, this is fine, but there's just too much danger of
MITM or DNS-poisoning attacks for automatic upgrades, unless we
finally start using SSL.

The way I envision key management is that every Debian machine
trusts the SPI CA. Then we provide a page to download and verify
keys, protected by SSL/TLS. Finally, we give the user easy-to-use
tools to install these keys, and proper error messages from APT that
will make it obvious what to do.

I don't think it's asking too much of our users to manually declare
trust for a new release. But we should definitely get rid of the
one-year-long archive keys, which make no sense. Instead, have a key
for etch, one for sid, one for etch+1, one for security, and so on.
The user can then pick which ones s/he wants to trust.

Please do not send copies of list mail to me; I read the list!
 .''`.     martin f. krafft <madduck@debian.org>
: :'  :    proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system
no micro$oft components were used
in the creation or posting of this email.
therefore, it is 100% virus free
and does not use html by default (yuck!).

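The message above argues that a key fetched over the network must never be trusted on its own; the user has to match it against something obtained out of band (distribution media, or a TLS-protected page chained to a CA the machine already trusts). The following is an added example, not code from this thread or from APT, showing what that check looks like at the OpenPGP level: it parses a public-key packet, computes its v4 fingerprint (SHA-1 over 0x99, the two-octet body length and the packet body, as specified in RFC 4880), and only reports "install" when that fingerprint equals a pinned value taken from the trusted source. The sample RSA modulus, exponent and creation time are constructed for the demonstration and do not correspond to any real archive key; the function names (`decide`, `key_matches_pin`, `parse_public_key_packet`) are this example's own.

```python
import hashlib
import hmac
import struct


def _mpi(value: int) -> bytes:
    # OpenPGP multi-precision integer: two-octet bit count, then the big-endian
    # magnitude (RFC 4880 section 3.2).
    bit_len = value.bit_length()
    return struct.pack(">H", bit_len) + value.to_bytes((bit_len + 7) // 8, "big")


def build_rsa_public_key_body(n: int, e: int, created: int) -> bytes:
    # Body of a version 4 RSA public-key packet (tag 6): version octet, creation
    # time, algorithm id 1 (RSA), then the MPIs n and e (RFC 4880 section 5.5.2).
    return b"\x04" + struct.pack(">I", created) + b"\x01" + _mpi(n) + _mpi(e)


def old_format_packet(body: bytes) -> bytes:
    # Wrap a tag-6 body in an old-format header with a two-octet length (CTB 0x99),
    # the encoding normally seen in exported keys.
    return b"\x99" + struct.pack(">H", len(body)) + body


def parse_public_key_packet(raw: bytes) -> bytes:
    # Accept only an old-format tag-6 packet with a 1-, 2- or 4-octet length
    # (CTB 0x98, 0x99 or 0x9A) and return its body. Anything else is rejected
    # rather than guessed at: a key we cannot parse is a key we do not install.
    if not raw or (raw[0] & 0xC0) != 0x80 or ((raw[0] >> 2) & 0x0F) != 6:
        raise ValueError("not an old-format public-key packet")
    length_type = raw[0] & 0x03
    if length_type == 3:
        raise ValueError("indeterminate length is not allowed for key packets")
    length_size = 1 << length_type
    length = int.from_bytes(raw[1:1 + length_size], "big")
    body = raw[1 + length_size:1 + length_size + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    return body


def v4_fingerprint(body: bytes) -> str:
    # v4 fingerprint: SHA-1 over 0x99, the two-octet body length and the body
    # (RFC 4880 section 12.2). Returned as 40 upper-case hex digits, the form
    # printed on a key page or in release notes.
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def key_matches_pin(body: bytes, pinned_fingerprint: str) -> bool:
    # Compare against the fingerprint obtained out of band. Spaces (the usual
    # 4-digit grouping) are ignored; the comparison is constant-time.
    expected = pinned_fingerprint.replace(" ", "").upper()
    return hmac.compare_digest(v4_fingerprint(body), expected)


def decide(raw_packet: bytes, pinned_fingerprint: str) -> str:
    # The install decision APT (or a helper tool) would make: install only when
    # the downloaded key is the one the user already trusts by fingerprint.
    try:
        body = parse_public_key_packet(raw_packet)
    except ValueError:
        return "reject: malformed packet"
    if key_matches_pin(body, pinned_fingerprint):
        return "install"
    return "reject: fingerprint does not match pinned value"


# Constructed sample key material (not a real key): a 256-bit odd modulus,
# e = 65537 and a creation time in July 2006.
SAMPLE_N = 0xC3A5F1D2E4B6A7C8F90123456789ABCDEF0123456789ABCDEF0123456789ABCF
SAMPLE_E = 65537
SAMPLE_CREATED = 1153926060
SAMPLE_BODY = build_rsa_public_key_body(SAMPLE_N, SAMPLE_E, SAMPLE_CREATED)
SAMPLE_RAW_PACKET = old_format_packet(SAMPLE_BODY)
SAMPLE_FINGERPRINT = v4_fingerprint(SAMPLE_BODY)
# A substituted key: same creation time and exponent, one modulus bit flipped.
TAMPERED_BODY = build_rsa_public_key_body(SAMPLE_N ^ (1 << 40), SAMPLE_E, SAMPLE_CREATED)

if __name__ == "__main__":
    print("pinned fingerprint:", SAMPLE_FINGERPRINT)
    print("genuine key:      ", decide(SAMPLE_RAW_PACKET, SAMPLE_FINGERPRINT))
    print("substituted key:  ", decide(old_format_packet(TAMPERED_BODY), SAMPLE_FINGERPRINT))
```

The point of the structure is that `decide` never consults the network or the key's own self-signatures to establish trust; the only input that confers trust is the pinned fingerprint, which by construction came from somewhere a man-in-the-middle on the download path cannot touch.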