* Henrique de Moraes Holschuh:
> You still need to deal with key revocation and a new key being needed,
> anyway. Yearly changes will not make it more difficult, it will make sure
> those codepaths are tested (and used at least once a year).
Right now, it's not codepaths, but system administrators. 8->

I can understand that in an ideal world, there would be a master key stored off-line which would be used to sign (and revoke) the release keys. In case of a compromise, the master key can be used to introduce a new release key (without intervention by the system administrator).

But I doubt this is really necessary. If the release key is compromised, a DSA would have to be released anyway. This advisory would include the necessary steps to remove the compromised key from the system. Do we really need to automate this?

You could even argue that the scheme without a master key is more secure because the number of trusted parties is smaller, and no one can introduce a new release key in a covert manner.

It boils down to what we are trying to secure. AFAICS, the main risks are network layer attacks on the user and mirror breaches. Easy recovery from a compromised archive infrastructure shouldn't be a top priority, and it might well be impossible if the attack was successful (the "single point of ownership" problem).
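The two-tier scheme the reply describes (an off-line master key that certifies release keys and can revoke them, so a compromised release key is replaced without touching every system), as an added example that is not part of the original thread and not Debian's own tooling. It uses Go's standard-library Ed25519 rather than OpenPGP; the certificate and revocation message formats, the serial numbers and the Release file contents are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Clients trust only the master public key. Release keys are trusted
// because (and only while) the master key vouches for them.

// ReleaseCert is a master-signed binding of a release public key to a serial.
type ReleaseCert struct {
	ReleasePub ed25519.PublicKey
	Serial     uint32
	MasterSig  []byte
}

// Revocation is a master-signed statement that serial N is no longer trusted.
type Revocation struct {
	Serial    uint32
	MasterSig []byte
}

// Constructed message formats; a domain-separating prefix keeps a
// certificate signature from being replayed as a revocation or vice versa.
func certMessage(pub ed25519.PublicKey, serial uint32) []byte {
	var ser [4]byte
	binary.BigEndian.PutUint32(ser[:], serial)
	msg := append([]byte("release-key-cert:"), ser[:]...)
	return append(msg, pub...)
}

func revokeMessage(serial uint32) []byte {
	var ser [4]byte
	binary.BigEndian.PutUint32(ser[:], serial)
	return append([]byte("release-key-revoke:"), ser[:]...)
}

// IssueReleaseKey runs on the off-line host holding the master private key.
func IssueReleaseKey(master ed25519.PrivateKey, serial uint32) (ReleaseCert, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return ReleaseCert{}, nil, err
	}
	sig := ed25519.Sign(master, certMessage(pub, serial))
	return ReleaseCert{ReleasePub: pub, Serial: serial, MasterSig: sig}, priv, nil
}

// RevokeReleaseKey also runs on the off-line host.
func RevokeReleaseKey(master ed25519.PrivateKey, serial uint32) Revocation {
	return Revocation{Serial: serial, MasterSig: ed25519.Sign(master, revokeMessage(serial))}
}

// SignRelease runs on the on-line archive host with the release private key.
func SignRelease(release ed25519.PrivateKey, releaseFile []byte) []byte {
	return ed25519.Sign(release, releaseFile)
}

// VerifyRelease is the client side: accept the Release file only if the
// release key is certified by the master key, not revoked, and the
// signature over the file is valid.
func VerifyRelease(masterPub ed25519.PublicKey, cert ReleaseCert, revs []Revocation, releaseFile, sig []byte) error {
	if !ed25519.Verify(masterPub, certMessage(cert.ReleasePub, cert.Serial), cert.MasterSig) {
		return errors.New("release key is not certified by the master key")
	}
	for _, r := range revs {
		// Only revocations actually signed by the master key count.
		if r.Serial == cert.Serial && ed25519.Verify(masterPub, revokeMessage(r.Serial), r.MasterSig) {
			return errors.New("release key has been revoked")
		}
	}
	if !ed25519.Verify(cert.ReleasePub, releaseFile, sig) {
		return errors.New("bad signature on Release file")
	}
	return nil
}

// Scenario walks through normal use, a revocation after compromise, and
// the roll-over to a new release key. Returns whether each step verified.
func Scenario() (beforeRevoke, afterRevoke, withNewKey bool, err error) {
	masterPub, masterPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	cert1, rel1, err := IssueReleaseKey(masterPriv, 1)
	if err != nil {
		return
	}
	releaseFile := []byte("Origin: Example\nSuite: stable\n") // constructed sample
	sig1 := SignRelease(rel1, releaseFile)
	beforeRevoke = VerifyRelease(masterPub, cert1, nil, releaseFile, sig1) == nil

	// Release key 1 is compromised: the master key revokes it and issues key 2.
	revs := []Revocation{RevokeReleaseKey(masterPriv, 1)}
	afterRevoke = VerifyRelease(masterPub, cert1, revs, releaseFile, sig1) == nil

	cert2, rel2, err := IssueReleaseKey(masterPriv, 2)
	if err != nil {
		return
	}
	withNewKey = VerifyRelease(masterPub, cert2, revs, releaseFile, SignRelease(rel2, releaseFile)) == nil
	return
}

func main() {
	b, a, n, err := Scenario()
	fmt.Println(b, a, n, err) // true false true <nil>
}
```

The client never needs to learn a new trust anchor: the revocation and the new certificate are both checked against the master public key it already has, which is exactly the "no intervention by the system administrator" property under discussion, and also exactly the extra trusted party the reply is weighing against it.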