Re: Secure APT Key Management
On Wed, 26 Jul 2006, Florian Weimer wrote:
> * Martin Schulze:
>
> > I'd really love to see this feature properly implemented.
>
> The only approach which is known to work is static keys for stable
> releases and stable security updates. The keys can be stored off-line
> or on-line, at the discretion of the respective teams.
>
> So far, we have botched all yearly key rollovers, and there is zero
> evidence that we'll get the first one that reallly matters right.
> Unfortunately, the key rollover approach is generally assumed to be
> required to achieve a decent level of security and strongly preferred
> over the alternatives. Needless to say, I very strongly disagree with
> that position.
Why don't we put two signatures ? One from a yearly key and one from a
release key.
Of course, both keys would probably be compromised at the same time (if a
compromis arise), but at least the user has the choice to trust either a
yearly key only or the release key only (and can thus decide to not have
to handle the key rollover).
Cheers,
--
Raphaël Hertzog
Premier livre français sur Debian GNU/Linux :
http://www.ouaza.com/livre/admin-debian/
Reply to: