[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Expired GPG keys of older release

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, Jun 22, 2018 at 11:48:00PM -0500, David Wright wrote:
> On Fri 22 Jun 2018 at 21:12:51 (+0200), tomas@tuxteam.de wrote:

[...]

> Well, I attempted to supply that in
> https://lists.debian.org/debian-user/2018/06/msg00528.html
> but I have no idea whether that would be achievable in docker
> or not because the suggestion has had no follow-up.

I'm not the docker guy, and there are lots of "interesting" things
around, so I won't be the one. But I'm curious too...

> BTW Reading your "Keys *have* to expire at some point, and you can't
> re-sign archived packages with a fresh key", it's not clear why the
> expired key can't be unexpired, ie given an expiration date in the
> future, if it's known to be still good.

Yes, you're right: a GPG key's validity can be extended with a new
certificate (whether it's responsible to do is another thing, since
available computing power grows, *and* there has been more time to
hack at this key, its crypto, and for things to leak). So practically
speaking still keys have to expire at some point.

The only way out would be for an archive declared immutable to set
up an attestation service which signs (state-of-the-art) package
hashes with (state-of-the-art) signing procedures and refreshes
things periodically. Debian hasn't decided to set that up, a thing
I can understand.

Cheers
- -- tomás
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlst76cACgkQBcgs9XrR2kYeLgCaAibgQsc+ZemhfmKjZIalrKWF
pZsAn0Y3ktHGU9QJaKveKZSEUfr0ZIQb
=5MG1
-----END PGP SIGNATURE-----
Reply to: