
Re: Ideas how to update archive keys



martin f krafft <madduck@debian.org> writes:

> also sprach Goswin von Brederlow <brederlo@informatik.uni-tuebingen.de> [2005.02.20.1229 +0100]:
>> The easiest way to handle the archive key would be to include it
>> inside the deb. The drawback of this method is that apt must be
>> updated whenever the key is changed for any reason. Since the key
>> is used to authenticate updates this would require apt to be
>> updated before the archive key is changed (which is obviously
>> a problem).
>
> I would think it's a bad idea to use the same distribution medium
> for key and protected content. Then again, I cannot think of a way
> how this could be exploited, given that we manage to get a valid key
> to the user somehow else first. Or else we cannot establish a trust
> cycle.

The first key would be on a CD the user got or the installer images
they downloaded. I guess you just have to take a chance there to get
bootstrapped. And then verify the key you got with signatures you
collected at keysigning parties, if you can trust the gpg you got.

For the initial key there just isn't a safe way except driving up to a
trusted person with a clean system and getting it from them (if you
can find/trust one).

...
>> Well, those are my ideas. Show me the flaws.

I found a flaw myself in the first idea (shipping the key in a
deb). The method does not scale at all to other archives. Every
archive would need to have its own apt or we have to mark key
packages in a way apt recognises them as special packages.

With a separate file outside the debs on the other hand archives can
easily publish their own.

> None really, except we should also work on a policy for the archive
> keys. E.g. require a new key to be available on 1 Dec and expire on
> 31 Jan, 14 months later. Keys then overlap for two months, and the
> dak scripts start using the new key on 1 Jan. The new key should be
> signed by the old key, and the old key must be revoked on 31 Jan.
>
> Also, I would love to see the keys to be available on www.debian.org
> over HTTPS, ideally with a certificate issued by the SPI CA.
> I realise this is only a marginal technological security benefit; it
> surely has a psychological benefit to executives though.

That would be the political side of the problem. Count me out there.

MfG
        Goswin
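Added example, not from the thread and not apt or dak code: a small Python model of the rotation schedule martin proposes above (a new key published 1 Dec, used by dak from 1 Jan, the old key revoked 31 Jan, each new key signed by its predecessor), used to check which clients can still verify the archive after a key change. It assumes the key is distributed in a separate file as Goswin prefers, that a client imports a new key only when a key it already trusts has signed it, and that a revoked key certifies nothing. Key names, dates and the client refresh patterns are constructed for the example.

```python
"""Model of the archive-key rotation schedule discussed in the thread.
Constructed example: keys, dates and client behaviour are made up to
exercise the policy; none of this is apt or dak code."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set


@dataclass(frozen=True)
class ArchiveKey:
    name: str
    published: date           # the key file on the mirror carries it from here
    active_from: date         # dak signs Release files with it from here
    revoked: date             # revocation issued; trusted for nothing from here
    signed_by: Optional[str]  # predecessor that certifies it (None for the first)


def yearly_schedule(first_year: int, last_year: int) -> List[ArchiveKey]:
    """One key per year, as proposed: published 1 Dec of Y-1, used from 1 Jan
    of Y, revoked 31 Jan of Y+1, signed by the previous year's key."""
    keys: List[ArchiveKey] = []
    prev: Optional[str] = None
    for y in range(first_year, last_year + 1):
        k = ArchiveKey(f"archive-{y}", date(y - 1, 12, 1), date(y, 1, 1),
                       date(y + 1, 1, 31), prev)
        keys.append(k)
        prev = k.name
    return keys


def signing_key(keys: List[ArchiveKey], day: date) -> ArchiveKey:
    """The key dak signs with on `day`: the most recently activated one."""
    live = [k for k in keys if k.active_from <= day]
    if not live:
        raise ValueError(f"no archive key is active on {day}")
    return max(live, key=lambda k: k.active_from)


def refresh(trusted: Set[str], keys: List[ArchiveKey], day: date) -> Set[str]:
    """The client fetches the separate key file on `day` and updates its keyring.

    Revoked keys are dropped first, so a revoked key can never vouch for its
    successor. A published key is imported only if a key the client still
    trusts has signed it; nothing in the downloaded file is trusted on its own.
    The very first key (signed_by None) can therefore only enter by bootstrap.
    """
    by_name = {k.name: k for k in keys}
    kept = {n for n in trusted if by_name[n].revoked > day}
    for k in keys:  # chronological order, so chains resolve in one pass
        if k.published <= day and k.revoked > day and k.signed_by in kept:
            kept.add(k.name)
    return kept


def can_verify(trusted: Set[str], keys: List[ArchiveKey], day: date) -> bool:
    """Can the client verify the Release file dak signs on `day`?"""
    k = signing_key(keys, day)
    return k.name in trusted and k.revoked > day


def simulate(keys: List[ArchiveKey], bootstrap: str,
             refresh_days: List[date]) -> List[bool]:
    """Start from one key obtained out of band (the install CD), refresh on
    the given days, and record after each refresh whether the archive's
    current signature verifies. Results are in date order."""
    trusted = {bootstrap}
    outcome: List[bool] = []
    for day in sorted(refresh_days):
        trusted = refresh(trusted, keys, day)
        outcome.append(can_verify(trusted, keys, day))
    return outcome


def monthly(start: date, months: int) -> List[date]:
    """The first of each month for `months` months (constructed schedule)."""
    return [date(start.year + (start.month - 1 + i) // 12,
                 (start.month - 1 + i) % 12 + 1, 1) for i in range(months)]


KEYS = yearly_schedule(2005, 2008)

# Installed from a 2005 CD, runs apt-get update every month: never stuck.
DILIGENT = simulate(KEYS, "archive-2005", monthly(date(2005, 3, 1), 36))
# Same CD, but offline from mid-2005 to spring 2007, so it misses both
# overlap windows (Dec 2005 - Jan 2006 and Dec 2006 - Jan 2007).
STALE = simulate(KEYS, "archive-2005", [date(2005, 6, 1), date(2007, 3, 1)])
# Refreshes only once a year: fine if that day falls inside the overlap window,
IN_WINDOW = simulate(KEYS, "archive-2005", [date(y, 1, 15) for y in range(2005, 2009)])
# stuck for good if it falls two weeks after the old key's revocation.
OUT_OF_WINDOW = simulate(KEYS, "archive-2005", [date(y, 2, 15) for y in range(2005, 2008)])

if __name__ == "__main__":
    for label, run in [("monthly", DILIGENT), ("stale", STALE),
                       ("yearly, in window", IN_WINDOW),
                       ("yearly, out of window", OUT_OF_WINDOW)]:
        print(f"{label:22s} {' '.join('ok' if v else 'FAIL' for v in run)}")
```

What the model makes visible: the two-month overlap only helps a client that refreshes its keyring at least once inside every overlap window. A client that skips a window has no trusted key left that certifies the current one, and whatever it downloads afterwards it is back to the bootstrap problem Goswin describes, since the downloaded file can vouch for nothing by itself.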
