Hi all,

Santiago Garcia Mantinan wrote on 16.01.2004 [Re: Release.gpg files gone?]:
> This was due to the key that was being used for signing being expired, it
> has now been replaced with a new key the one for 2004, so the newly signed
> Release files are ok now, this means Sarge and Sid.

curiously, http://ftp-master.debian.org/ziyi_key_2004.asc contains key
0x1DB114E0 whereas the key-servers seem to contain key 0x63EFD949 (see
http://wwwkeys.de.pgp.net:11371/pks/lookup?op=index&search=ftpmaster%40debian.org).
I suppose Debian knows best, and the "new" Release files seem to verify
against key 0x1DB114E0. However, this cannot be meant to be the start of the
chain of trust: "get the archive signing key from someone who claims to know
it and hope it survives transmission over the internet unchanged".
Supposing you even know about the new key. http://www.debian.org/releases/
still advertises ziyi_key_2003 (not even V2), which is supposed to expire
next Saturday (01/24/2004). I've probably missed an announcement somewhere,
but not here on debian-security or debian-security-announce in any case -
unless the subject was misleading :).

So: which key is the correct one? Wouldn't it make sense to have some people
we all trust sign it?

> However the Release files that have not yet been signed again are either not
> verifiable at all (Release.gpg 0 bytes long), like in the case of woody's
> security.debian.org updates,

If you use apt-secure, this will make 'apt-get update' fail to download the
Packages files (correctly, because the authenticity of the contents cannot
be verified), meaning you (well, I :-|) could not download packages from
woody.

> or are not trustable according to apt-check-sigs
> because the key has expired (like woody's release 2 if you don't trust the
> old 2003 key),

apt-secure doesn't seem to be concerned about that, but it should ;-), and
this brings up another issue:
If ziyi_key_2003 (0x38C6029A) was replaced by ziyi_key_2003v2 (0x30B34DD5)
after the server compromise, this indicates some concern that the private key
may have been exposed. Would it then not be MANDATORY to re-sign all Release
files with 2003v2 (or 2004 now)? After all, a signature with v1 provides NO
security - either that or the replacement of the key was unnecessary. I
understand that the archives were not compromised, but still, anyone in
possession of the 2003v1 private key could set up a Debian "mirror" containing
arbitrary versions of arbitrary packages which would still appear authentic.
IMHO, no /etc/apt/vendors.list should any longer contain a reference to key
0x38C6029A (2003v1) - only you currently need this key to download packages
from woody.
Are the 2002 and 2001 keys also potentially compromised?

I'm surprised that nobody seems to have complained about this before.
Am I mistaken?

> Exactly the same problem happens with non-us, of course one can use the old
> 2003 key to verify this, but if it was replaced with the 2003 v2 it was
> because of something, even though nothing was said about it,

Ok, someone HAS complained ;-).

> and this would
> not solve the problem with security.debian.org [...]

... which now again contains a Release.gpg signed with the 2004 key.


So, the current situation seems to be that the authenticity of Debian
archives can be verified only against a potentially compromised key or,
respectively, a key whose identity has not been well-published. Hmm ...


Regards,

Holger

Attachment: pgp3ZPbqggDmz.pgp
Description: PGP signature
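The two failure modes the mail describes (a zero-byte Release.gpg, and a signature from a key that has expired or been withdrawn) can be turned into an explicit policy check. The following is an added example, not code from this thread, from apt-secure or from apt-check-sigs. It assumes the caller has already run something like `gpg --status-fd 1 --keyring trusted.gpg --verify Release.gpg Release` and passes the status lines in together with the size of Release.gpg; the short key IDs in the policy are the ones named in the mail, while the long key IDs and user IDs in the sample status lines are constructed.

```python
"""Trust decision for a Debian Release / Release.gpg pair.

Added example (not apt's code). Input is gpg's --status-fd output for the
verification plus the byte size of Release.gpg. The policy sets below are
built from the key IDs named in the mail; sample status lines are constructed.
"""
import re

# Policy: accept the 2004 key and 2003v2, refuse 2003v1 because it was
# replaced after the server compromise (a "good" signature from it proves nothing).
TRUSTED_KEYIDS = {"1DB114E0", "30B34DD5"}
DISTRUSTED_KEYIDS = {"38C6029A"}

STATUS_RE = re.compile(r"^\[GNUPG:\]\s+(\S+)(?:\s+(.*))?$")


def parse_status(lines):
    """Yield (tag, args) for every '[GNUPG:] TAG args...' line; skip the rest."""
    for line in lines:
        m = STATUS_RE.match(line.strip())
        if m:
            yield m.group(1), (m.group(2) or "").split()


def short_id(long_keyid):
    """gpg reports 16-hex-digit key IDs; the mail uses the trailing 8 digits."""
    return long_keyid[-8:].upper()


def evaluate(status_lines, sig_size, trusted=TRUSTED_KEYIDS, distrusted=DISTRUSTED_KEYIDS):
    """Return (ok, reason). ok is True only for a good, unexpired signature
    made by a key in the trusted set and not in the distrusted set."""
    if sig_size == 0:
        # Zero-byte Release.gpg (the woody security.debian.org case): nothing to verify.
        return False, "Release.gpg is empty"
    signer = None
    expired = False
    for tag, args in parse_status(status_lines):
        if tag in ("NODATA", "BADSIG", "ERRSIG", "REVKEYSIG", "NO_PUBKEY"):
            return False, "gpg reported %s" % tag
        if tag == "GOODSIG":
            signer = short_id(args[0])
        elif tag == "EXPKEYSIG":
            # Signature is valid but the key has expired: the mail argues this
            # must not count as verified, even though apt-secure let it pass.
            signer = short_id(args[0])
            expired = True
        elif tag == "EXPSIG":
            expired = True
    if signer is None:
        return False, "no signature status from gpg"
    if signer in distrusted:
        return False, "signed by withdrawn key 0x" + signer
    if expired:
        return False, "signed by expired key 0x" + signer
    if signer not in trusted:
        return False, "signed by unknown key 0x" + signer
    return True, "good signature from 0x" + signer


# Constructed sample status output. Long key IDs and user IDs are invented;
# only the trailing 8 hex digits correspond to key IDs mentioned in the mail.
GOOD_2004 = [
    "[GNUPG:] SIG_ID AbCdEf 2004-01-16 1074211200",
    "[GNUPG:] GOODSIG F00D00001DB114E0 Debian Archive Key (2004) <ftpmaster@debian.org>",
]
EMPTY = ["[GNUPG:] NODATA 1"]
WITHDRAWN_2003V1 = [
    "[GNUPG:] GOODSIG F00D000038C6029A Debian Archive Key (2003) <ftpmaster@debian.org>",
]
EXPIRED_2003V2 = [
    "[GNUPG:] EXPKEYSIG F00D000030B34DD5 Debian Archive Key (2003v2) <ftpmaster@debian.org>",
    "[GNUPG:] KEYEXPIRED 1074902400",
]
UNKNOWN_KEY = [
    "[GNUPG:] ERRSIG F00D000063EFD949 17 2 00 1074211200 9",
    "[GNUPG:] NO_PUBKEY F00D000063EFD949",
]

if __name__ == "__main__":
    for name, lines, size in [("2004 key", GOOD_2004, 189), ("empty file", EMPTY, 0),
                              ("2003v1", WITHDRAWN_2003V1, 189), ("2003v2 expired", EXPIRED_2003V2, 189),
                              ("unknown key", UNKNOWN_KEY, 189)]:
        print("%-16s %s" % (name, evaluate(lines, size)))
```

The order of the checks is deliberate: a withdrawn key is refused before the expiry question is even asked, so a 2003v1 signature is rejected whether or not the key has reached its expiry date, which is exactly the point the mail makes about re-signing.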
