On Thu, Jan 05, 2006 at 07:38:37PM -0800, Steve Langasek wrote:
> In the third case, again the compromise is either detected, or it isn't. If
> it's detected, we're revoking the key again; if it's *not* detected (and it
> seems to me that anyone able to compromise the pgp key without also having
> to compromise ftp-master is likely good enough to go undetected), then this
> is a case where scheduled key rotations help us.

There's also a secondary case where they help. Any PGP key can be cracked with sufficient outlay of computing power. Scheduled key rotations mean that this has a minimum *cost* requirement associated; it prevents mere time from being sufficient. If you work out the numbers carefully then you can effectively stop this attack for everybody who isn't rich enough to just hire away all the critical people and take control that way.

Of course, the other requirement for this to work is that the new key not be generated until shortly before the old one is ready to expire.

However, we don't have to do this annually; with a 2048-bit key, replacing every five years and generating the new key one year before the old one expires should be safe at present. That's a conservative estimate. To defend against ancillary attacks (like somebody grabbing a copy of the key from ftp-master) you need to know how probable they are, and reduce these figures accordingly.

-- 
  .''`.  ** Debian GNU/Linux ** | Andrew Suffield
 : :' :  http://www.debian.org/ |
 `. `'                          |
   `-             -><-          |