nick at teh.entar.net
Sun Sep 8 11:01:34 PDT 2013
> I'm only aware of how Debian does things, and not in any detail. What
> I would do is to separate the signing secrets across multiple key
> people, and do a recorded/witnessed ceremony following a CA-like
> model, signing on an air-gapped machine which is securely wiped
> afterwards and transferring packages via sneakernet (making sure
> there's nothing autoexecuted on plugin) to the machine where it is
> being published. Yes, this is a huge pain.
This is what Ubuntu does, and I was under the impression that they
learned it from their Debian experiences with the same process.
Also I'm not entirely sure what you meant by "a CA-like model" but if
you're only talking about identity verification, you're missing a few
things. Most important is keeping the real secrets in a master key that
can authorise or revoke functional signing keys as needed. There are
other steps that the security experts all worked out when they first
realised that crypto wasn't magic and needed human processes to keep it
relevant. It's all In The Literature.
> So have a secure process in place, monitor the process by external
> parties so that we can be sure that it is actually being done the way
> it is said to be done. Trust, but verify.
I'm not sure how you audit something that's meant to happen in a sealed
bunker with a select few trusted shardholders.
"Man, if everything were object-oriented then rsync
could do this already. Of course, if everything were
object-oriented I'd have a bushy moustache and be
wearing flares, which would suck." -- Sean Neakums
More information about the linux-elitists