-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Robert J. Hansen: >> I am planing to write a script, which will refresh the apt >> signing key before updating using "apt-get update". > > The question I have is, "What problem are you trying to solve?"
What in case the apt signing key gets compromised. What is the mechanism of invalidating the client's keys so they can't fetch malicious files from any mirrors. > I am certain that Debian Security already has a protocol in place > for how to handle compromised certificates. Certainty is what sometimes makes the world an unsafe place. I would have supposed that this is the case as well, but after verifying such suppositions I was often quite surprised. > Is this protocol flawed or lacking? It is non-existent. See my original question [1] and also in my current discussion [2] someone would have stepped in and said "we already have this". Since this didn't happen and since I also looked through apt's sources, I am certain this thing doesn't exist. Can't prove it though, Russell's teapot you know. ;) > What problem does it not address which this idea will solve? When there is reason to believe, the apt signing key has been compromised, the revocation certificate can be spread through a channel other than apt updates (which are compromised). > The next question is, "Why is it important the certificate be > retrieved from the keyserver network?" It's not important. I didn't mean to say that. It's just simpler to code (for me, in the draft in my head). And if they don't mind, I'll go the easy way, if they mind, I'll come up with another solution. > When talking about the global apt repositories, it's likely they > have access to multiple of orders of magnitude more bandwidth than > the keyserver network. Yes. > Why not host the signing key on the apt repo server? They could of course re-use their existing mirror network for this. >> Could keyservers cope up with the load? > > Good question. Probably, but some keyserver operators might view > it as rude. Best to ask on sks-de...@nongnu.org. Will do. [1] http://lists.debian.org/debian-security/2013/10/msg00065.html [2] http://lists.debian.org/debian-security/2013/12/msg00031.html -----BEGIN PGP SIGNATURE----- iQJ8BAEBCgBmBQJSsmssXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ5QjE1NzE1MzkyNUMzMDNBNDIyNTNBRkI5 QzEzMUFEMzcxM0FBRUVGAAoJEJwTGtNxOq7v26MP/R1TMYHHE6l0Ayhs6qZS3iGf fKDKM8qVfJUo/YBxAaYXVtfD6Ovs4jgKR7KXvy/xzsq4XdoDWMEgsZG3MLP+JiyS j3g7BEVns+55A/vPDysMUstrwQPhSBklnA+my3QG4UnDdKUjx8/m3jxWbMphe+sj fdMtOAquRCj72dIgtiYSYCfOnb9UN7EaEWrIyK57c9J5ygD6HTOjU4VoNKwLfHnf W8IAeTv4N1PDZIZ/dPteDkBYuCdgJgB+QAYh7yJ5AuCV1dhiTkip92PkE3+tCVHs /mufO9Ffy3mAtsD7U0H6Mq2rCqa8v3tHpraMROHdyuyAK1VJqbfveOkeKHjL2ocZ 2uJbAF/m/JmQFLPH/+V8siItg2qhYS2I6qhxE5RvS1FmbwPf/yvulSQQmaNJNPLE pxR7LbOAS9zUfJsy44r+t4n6N64qDmEBk6g+tRLMpn0MC8zfdSvZBxxWP9JVkWc1 C8JHeluKH8jrQbbLSBeG9Ie8WUMSmJpqfQLI6jK6sW2zXRA11VSSFNyPB48vsuZB 9kUtJ7ido0/npI/225JN/oQJ3RaTKj62OyDQSW8X4C4gMWFj8EZAvoSj/nKiKUtB RH1IJ8GBCsK1QR5Biia/KchYlAW+HKpJpOrn6C8Wm+ubBooYuK7csud5exWZLS+Q VAq22Rq6RdgitL1O/4OJ =O6my -----END PGP SIGNATURE----- _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
