Re: SSL for debian.org/security?

To: Hans-Christoph Steiner <hans@at.or.at>
Cc: Pedro Worcel <pedro@worcel.com>, Andreas Kuckartz <a.kuckartz@ping.de>, debian-security@lists.debian.org
Subject: Re: SSL for debian.org/security?
From: Henrik Ahlgren <pablo@seestieto.com>
Date: Tue, 12 Nov 2013 20:58:59 +0200
Message-id: <[🔎] 20131112185858.GK27559@seestieto.com>
In-reply-to: <[🔎] 5282704A.60107@at.or.at>
References: <CAAy1gkeUt_jr0uDt0B=HdnAZnmmHDqygrwgYg4dU7X9zjVUrSA@mail.gmail.com> <526F7FDF.7030601@tightwax.com> <CAM5XQnxCxogD4JMaqyS27zzsorFZ-G8Dsa_71sABGFQHChmrag@mail.gmail.com> <526F855D.1080507@gmail.com> <[🔎] CAF8px56hAkiE8_GiV=jr0AWiNdfhUF-x7-7oeCwe5VGGT1M_cA@mail.gmail.com> <[🔎] CAKS89GrBGt0Uyq0bSn6GnO-QQ5xz8f3kVDGGvc8QDUJbWOdvvg@mail.gmail.com> <[🔎] 52818C3A.6050000@at.or.at> <[🔎] 5281C93A.8040503@ping.de> <[🔎] CAPS+U984skUez8i1uP0v6ubKMnk4K4Ny8f4d2mwm+5gRRD-Gfw@mail.gmail.com> <[🔎] 5282704A.60107@at.or.at>

On Tue, Nov 12, 2013 at 01:15:38PM -0500, Hans-Christoph Steiner wrote:
> Having the key generated on the card is the most secure, since those cards are
> designed so you can't read the secret key off of the card.  So the cost of
> putting a new certificate on the card is only someone's time for generating
> and uploading and new key to it.

But there is the significant downside that it is not possible to
backup the key, so if the card gets destroyed in a fire or just fails
and stops working, the key needs to be revoked, since only one
physical copy of the private key exists. (Which also means that only
one machine can sign with the key.)

So for widely used keys it might be better to create the keypair in a
trusted (airgapped from any network and diskless) machine running
something like Debian Live or Tails, and in addition to uploading it
to the smart card, make few backup copies to offline media (e.g. USB
sticks) to be stored in a safe location.

Reply to:

Follow-Ups:
- Re: SSL for debian.org/security?
  - From: Hans-Christoph Steiner <hans@at.or.at>
- Re: SSL for debian.org/security?
  - From: Jérémie Marguerie <jeremie@marguerie.org>

References:
- Re: SSL for debian.org/security?
  - From: Mike Mestnik <cheako@mikemestnik.net>
- Re: SSL for debian.org/security?
  - From: Jérémie Marguerie <jeremie@marguerie.org>
- Re: SSL for debian.org/security?
  - From: Hans-Christoph Steiner <hans@at.or.at>
- Re: SSL for debian.org/security?
  - From: "Andreas Kuckartz" <a.kuckartz@ping.de>
- Re: SSL for debian.org/security?
  - From: Pedro Worcel <pedro@worcel.com>
- Re: SSL for debian.org/security?
  - From: Hans-Christoph Steiner <hans@at.or.at>

Prev by Date: Re: SSL for debian.org/security?
Next by Date: Re: SSL for debian.org/security?
Previous by thread: Re: SSL for debian.org/security?
Next by thread: Re: SSL for debian.org/security?
Index(es):
- Date
- Thread