On Tue, Nov 06, 2018 at 12:29:19PM +0100, Achim Patzner wrote:
> On Monday, 05.11.2018, 20:29 -0600, Andrew David Wong wrote:
> > Until now, the two members of the QST have been Joanna and Marek. With
> > Joanna's new role at the Golem Project, she will no longer have time to
> > function as a QST member. Therefore, Joanna will officially transfer
> > ownership of the Qubes Master Signing Key (QMSK) [12] to Marek, and she
> > will no longer sign QSBs.
> > 
> > However, due to the nature of PGP keys, there is no way to guarantee
> > that Joanna will not retain a copy of the QMSK after transferring
> > ownership to Marek. Since anyone in possession of the QMSK is a
> > potential attack vector against the project, Joanna will continue to
> > sign Qubes Canaries [10] in perpetuity.
> 
> Out of professional curiosity (some of our customers run enormous
> corporate CAs and have to plan for the loss/breach of the private key
> to the root certificate) I was already looking for a document
> describing the process for invalidating and recreating that root of
> trust. Is there one? Although I believe the necessary steps to be quite
> expensive in the case of Qubes to invoke it right now...

We don't have it documented, but we evaluated transferring the master key vs.
generating a new one, including splitting it into parts [1].
This is a slightly different scenario, as the old key wasn't really
compromised and is also still available (so it can be used to cross-sign the new
one). This means we could probably automate replacing it in various
places where it is used by machines. Note also that most things use specific
keys signed by the master one, not the master key directly (release
package keys, code signing keys, etc.). The thing that does not work this
way is the various places where we promote this fingerprint for easier
verification (our conference slides, t-shirts, etc.). And also the new
key wouldn't have all those signatures that the current one has collected.
So, we've decided to keep the current one, until it is possible to
have it truly decentralized (without a need to put all the pieces in one
machine to sign something).

[1] https://github.com/QubesOS/qubes-issues/issues/2818

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
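The rotation Marek describes, a new master key cross-signed by the old one so that machines pinning the master fingerprint can replace it automatically, rehearsed as an added example that is not part of the thread or of the Qubes project. It uses throwaway gpg keys in a scratch GNUPGHOME; the user ids, e-mail addresses and the `rotate_root` policy are constructed for the demo.

```sh
#!/bin/sh
# Added example, not part of the thread: rehearse "new master cross-signed by the
# old one" with throwaway keys. All user ids here are constructed for the demo.
set -eu
export GNUPGHOME
GNUPGHOME="$(mktemp -d)"
chmod 700 "$GNUPGHOME"
printf 'batch\nquiet\npinentry-mode loopback\n' > "$GNUPGHOME/gpg.conf"
printf 'allow-loopback-pinentry\n' > "$GNUPGHOME/gpg-agent.conf"
trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$GNUPGHOME"' EXIT

# Generate a passphrase-less key and print its fingerprint.
# $1 = user id, $2 = usage: "cert" for a master key, "sign" for a release key
gen_key() {
  gpg --passphrase '' --quick-generate-key "$1" ed25519 "$2" never 2>/dev/null
  gpg --with-colons --list-keys "=$1" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Key $1 certifies (signs the user id of) key $2; both given as fingerprints.
certify() { gpg --yes --passphrase '' -u "$1" --quick-sign-key "$2" 2>/dev/null; }

# Succeed only if key $2 carries a good ("!") certification made by key $1.
# Field 5 of a sig record is the long key id: the last 16 hex digits of $1.
is_certified() {
  gpg --with-colons --check-sigs "$2" 2>/dev/null |
    awk -F: -v id="$(printf '%s' "$1" | tail -c 16)" \
      '$1 == "sig" && $2 == "!" && $5 == id { ok = 1 } END { exit !ok }'
}

# Hypothetical policy for a machine that pins the master fingerprint: when told
# to replace it, accept candidate $2 only if the pinned root $1 cross-signed it.
# Prints the fingerprint that stays pinned; fails if the switch is refused.
rotate_root() {
  if is_certified "$1" "$2"; then printf '%s\n' "$2"; else printf '%s\n' "$1"; return 1; fi
}

OLD=$(gen_key 'Old Master (demo) <old-master@example.invalid>' cert)
NEW=$(gen_key 'New Master (demo) <new-master@example.invalid>' cert)
REL=$(gen_key 'Release Key (demo) <release@example.invalid>' sign)
certify "$OLD" "$REL"   # what machines verify with is a key signed by the master
certify "$OLD" "$NEW"   # the cross-signature that makes automated replacement possible
certify "$NEW" "$REL"   # the new master takes over certifying the release key
```

A pinned root that was never cross-signed by the old one (here, trying to go back from NEW to OLD) is refused, which is the check that keeps the automated replacement from being abused by anyone who merely presents a fresh key.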
