
Re: Secure APT Key Management



On Wed, 26 Jul 2006, Florian Weimer wrote:
> * Martin Schulze:
> 
> > I'd really love to see this feature properly implemented.
> 
> The only approach which is known to work is static keys for stable
> releases and stable security updates.  The keys can be stored off-line
> or on-line, at the discretion of the respective teams.
> 
> So far, we have botched all yearly key rollovers, and there is zero
> evidence that we'll get the first one that really matters right.
> Unfortunately, the key rollover approach is generally assumed to be
> required to achieve a decent level of security and strongly preferred
> over the alternatives.  Needless to say, I very strongly disagree with
> that position.

Why don't we put two signatures? One from a yearly key and one from a
release key.

Of course, both keys would probably be compromised at the same time (if a
compromise arises), but at least the user has the choice to trust either a
yearly key only or the release key only (and can thus decide to not have
to handle the key rollover).

Cheers,
-- 
Raphaël Hertzog

First French book on Debian GNU/Linux:
http://www.ouaza.com/livre/admin-debian/
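
The verifying side of the dual-signature proposal, as an added example that is not part of the original message: it reads the status lines `gpgv --status-fd` emits for a Release file carrying two signatures and accepts the file when a key the user chose to trust made a good signature. The key IDs, the sample status lines and the reject-on-any-BADSIG policy are assumptions made for illustration.

```python
# Added example, not from the thread. Key IDs and status lines are constructed.
YEARLY = "AAAAAAAAAAAAAAAA"   # constructed ID standing in for the yearly key
RELEASE = "BBBBBBBBBBBBBBBB"  # constructed ID standing in for the release key

# gpgv status keywords whose first argument identifies the signing key.
SIG_KEYWORDS = {"GOODSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG",
                "BADSIG", "ERRSIG", "NO_PUBKEY"}

def signature_states(status_text):
    """Return {key_id: set of status keywords} for every signature reported."""
    states = {}
    for line in status_text.splitlines():
        fields = line.split()
        if (len(fields) >= 3 and fields[0] == "[GNUPG:]"
                and fields[1] in SIG_KEYWORDS):
            states.setdefault(fields[2].upper(), set()).add(fields[1])
    return states

def accept(status_text, trusted_keys):
    """Accept if any trusted key made a good signature.

    Assumed policy: a BADSIG from any key rejects the file outright, and
    expired, revoked or unknown keys simply do not count as good.
    """
    states = signature_states(status_text)
    if any("BADSIG" in s for s in states.values()):
        return False
    return any("GOODSIG" in states.get(k, ()) for k in trusted_keys)

# Constructed: yearly key expired after a missed rollover, release key valid.
EXPIRED_YEARLY = """\
[GNUPG:] EXPKEYSIG AAAAAAAAAAAAAAAA Constructed Yearly Archive Key
[GNUPG:] GOODSIG BBBBBBBBBBBBBBBB Constructed Stable Release Key
"""
# Constructed: the user's keyring holds only the release key.
NO_YEARLY_KEY = """\
[GNUPG:] ERRSIG AAAAAAAAAAAAAAAA 17 2 00 1153900000 9
[GNUPG:] NO_PUBKEY AAAAAAAAAAAAAAAA
[GNUPG:] GOODSIG BBBBBBBBBBBBBBBB Constructed Stable Release Key
"""
# Constructed: file modified after signing, so neither signature verifies.
TAMPERED = """\
[GNUPG:] BADSIG AAAAAAAAAAAAAAAA Constructed Yearly Archive Key
[GNUPG:] BADSIG BBBBBBBBBBBBBBBB Constructed Stable Release Key
"""

if __name__ == "__main__":
    for name, text in [("expired yearly", EXPIRED_YEARLY),
                       ("no yearly key", NO_YEARLY_KEY), ("tampered", TAMPERED)]:
        print(name, accept(text, {YEARLY}), accept(text, {RELEASE}))
```

A user who trusts only the yearly key is locked out by the missed rollover, while one who trusts the release key keeps verifying; neither choice helps if both keys are compromised together, as the message notes.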


