Re: Debian APT Key Revocation Procedure

To: debian-security@lists.debian.org
Subject: Re: Debian APT Key Revocation Procedure
From: Henrique de Moraes Holschuh <hmh@debian.org>
Date: Fri, 1 Nov 2013 15:10:06 -0200
Message-id: <[🔎] 20131101171006.GA1597@khazad-dum.debian.net>
In-reply-to: <52725325.7030906@riseup.net>
References: <52725325.7030906@riseup.net>

On Thu, 31 Oct 2013, adrelanos wrote:
> But what could you do with the revocation certificate?
> 
> Only manually spread the news and ask users to obtain the revocation
> certificate?

We would widely publish that information, that's a given.  But it is not the
only way to publish the revocation certificate and the replacement keys.

> Or will the apt on Debian user's machines somehow learn about that
> revocation certificate? If so, how does that procedure work? Where is it
> configured?

I believe we'd deploy a security update of the "debian-archive-keyring"
package, with the updated key material and revocation certificates.  There
are backup keys to allow for key rollover.

Now, this does NOT address all scenarios.  It is not a perfect solution.

For a more precise answer, please ask the debian-admin ML.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh

Reply to:

Follow-Ups:
- Re: Debian APT Key Revocation Procedure
  - From: Mike Mestnik <cheako@mikemestnik.net>
- Re: Debian APT Key Revocation Procedure
  - From: Stephen Gran <sgran@debian.org>

Prev by Date: Re: Debian APT Key Revocation Procedure
Next by Date: Re: Debian APT Key Revocation Procedure
Previous by thread: Re: Debian APT Key Revocation Procedure
Next by thread: Re: Debian APT Key Revocation Procedure
Index(es):
- Date
- Thread