On Wed, Aug 22, 2018 at 9:48 AM Kristian Fiskerstrand <k_f@g.o> wrote:
>
> On 08/22/2018 03:37 PM, Michał Górny wrote:
> > This is one attack vector that -- AFAIU -- hardware tokens protect
> > against.
>
> Right, although it only shifts the attack, so the user would just wait until
> the token is available to perform whatever is wanted anyway. In terms of
> after the attack, the difference is we don't really use OpenPGP as a
> long-term identity such as it is in general. For a user, losing WoT etc.
> can have an impact; for Gentoo we just update LDAP and access is
> effectively revoked without further issues. We don't need the key
> material to survive this attack to be used after the fact again, which
> is really what the hardware token helps for.
>

This is why I don't get all the worrying about subkeys and expiration
and such. A key is valid if it is in LDAP, and invalid otherwise.
Anything else is unnecessary complication at best, and a distraction.

--
Rich