Joey Schulze un jour écrivit:
Simon Valiquette wrote:In the Securing Debian Manual, the key id to use to send an encrypted email to the security team is 363CCD95, but on the following link, it is F2E861A3 that is listed instead. http://www.debian.org/security/faq.en.html#contactMaybe the Securing Debian Manual is not up-to-date with regards to the security contact key?
I know, but since both keys were still valids, there was nothing either to indicate that it was the FAQ page which was wrong.
1. Do both keys are still valid?You should use 0x/F2E861A3.
Thank you, I will fix the Securing Debian Manual about it.
2. If the key F2E861A3 is legitimate (which I think it is because I have a trust path to it), wouldn't it makes sense to sign it with the old key as well? Or alternatively by 3 members of the security team instead of just one?"old key" would refer to 0x3682B5DF which expired on February 1st 2007 and is the predecessor to the current key.
It would be kind of late to sign the current key with it only now, but it can make sense to sign the next key with F2E861A3 before it expire. Unless it is revoked, it would show quite clearly the intent and makes faking a new key much more difficult.
Alternatively, announcing the new key once a year on debian-security in a signed email would do it, as we would be able to easily google for the key and check if it is legitimate. People writing documentation would also notice the change a lot more quickly.
The idea is that it is actually too easy for a single person to fake a new key ID, and too difficult to checks its legitimacy as the only public reference to it was the security FAQ page.
Another solution is to have 3 people from the security team signing the key, as that would increase enough the trustfulness of the key.
Simon Valiquette