| 1 |
<lotsa snip *i need to goto bed*)> |
| 2 |
|
| 3 |
> Case 4: |
| 4 |
> The list signing key is compromised: |
| 5 |
> A security announcement needs to be made. The proposal as made by robbat2 |
| 6 |
> would require that users acquire in some trusted way a new list signing |
| 7 |
> public key. |
| 8 |
|
| 9 |
pull from site source (gentoo.org) or leverage exisiting fre pubkey servers or better yet.. pull from gentoo and verify with 2 or so existing free/open keyservers. |
| 10 |
|
| 11 |
> In my idea with a master and a list signing key (or multiple ones for |
| 12 |
> different machines), the master key would be able to prove that the new |
| 13 |
> list signing key is valid. As the list signing key is shortlived it |
| 14 |
> would also be less advantageous to compromise the list. |
| 15 |
|
| 16 |
assuming the master key is trusted. and not in itself compromised |
| 17 |
|
| 18 |
> |
| 19 |
> (we could have devrel people monitor the changes to the contents of the |
| 20 |
> list so a compromise to the list signing key is easilly detected) |
| 21 |
> |
| 22 |
> Case 5: |
| 23 |
> The master key (in my proposal) is compromised: |
| 24 |
> This would suck big time. However as this master key is infrequently |
| 25 |
> (especially with an intermediate key) used it can be secured by storing |
| 26 |
> it on a usb key (and available to only a few people) which is only used |
| 27 |
> when signing keys need to be signed. |
| 28 |
|
| 29 |
this is the biggest weaknes with PKI in the traditional sense. Everything comes down to 1 key or 1 set of keys. All trust is centralized. Relying on a few ppl to be "secure" with the keys isnot good imho.. People are inherantly lazy and thinking htat 99% of the time these keys wont be someplace they shouldn't be is using Faith as security, and personally i dont jib with that for a security model |
| 30 |
:) |
| 31 |
|
| 32 |
its all about mitigating risks. |
| 33 |
|
| 34 |
<snip> |
| 35 |
|
| 36 |
-- |
| 37 |
gentoo-dev@g.o mailing list |
Archives