Re: Debian APT Key Revocation Procedure
On Fri, Nov 1, 2013 at 5:21 AM, Jordon Bedwell wrote:
> That's almost jokingly ironic.

That's to be expected, the list is mostly noise and in no way required for them to be able to do their job.

-- 
bye,
pabs

http://wiki.debian.org/PaulWise

-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/CAKTje6FMEgt2S61ML2Jj2pooipoRFP13W+iFK4V5iht=1_s...@mail.gmail.com
Re: Debian APT Key Revocation Procedure
On Thu, Oct 31, 2013 at 10:28 AM, Paul Wise wrote:
> On Thu, Oct 31, 2013 at 8:55 PM, adrelanos wrote:
>
>> What are your plans if you ever have reason to believe that the Debian
>> archive signing key has been compromised?
>
> It is unlikely that the people responsible for that are reading this
> list. I suggest you contact them (DSA, ftpteam) directly.

That's almost jokingly ironic.

Archive: http://lists.debian.org/CAM5XQnximXvUazKz6=ccerdremzvedmp5s+xhcgmkotwqtr...@mail.gmail.com
Re: SSL for debian.org/security?
On 10/30/2013 10:49 AM, Norbert Kiszka wrote:
> On Wed, 2013-10-30 at 11:34 -0200, Djones Boni wrote:
>> On 30-10-2013 11:05, Celejar wrote:
>>> You're snipping crucial context; my comment above was in response to
>>> this:
>>>
>>>> For apt-get a self-signed certificate could be used which comes
>>>> together with Debian. No CA required. This is both simpler and safer.
>>>
>>> I was pointing out that this comment makes no sense in the context of
>>> apt-get. It sounds like you're referring to the website or email system.
>>
>> I am talking about updates.
>>
>> Yes. Apt uses OpenPGP to verify the integrity and authenticity of the
>> packages it downloads.
>> But how does apt get these packages? Over insecure HTTP.
>>
>> Hacking DNS or a MITM attack can hide updates from you or a country. Then
>> you are vulnerable due to out-of-date software and you don't even know
>> about it.
>
> That's why I am on the debian-security@lists.debian.org

A governmental firewall could just as easily block an email as it could block/filter information about security updates.

In order to understand why Tor and TLS would be useful here, it's good to break down the various concerns (or threats if you prefer):

1. package authenticity (provided by the GPG signatures)
2. package availability (can currently be manipulated by MITM)
3. repo availability (can be blocked by firewalls)
4. who's downloading what package (currently visible to anyone who can see the network traffic)

Most people are used to thinking about #1 when thinking about the security of Debian repos. But 2-4 are also important, and currently not well addressed. This is where TLS and Tor come in. Both can help prevent MITM manipulations as well as reduce the amount of information that is leaked to the network. Tor can also help with #3 since Tor is difficult to block (though China and Iran are effectively blocking Tor traffic these days).

I think having official Debian repos available with both TLS and Tor available as options is a very good idea. I'm happy to help where I can, but I'm not on the sysadmin team (though I was a sysadmin in a former life). Also, there are a number of official mirrors that already support TLS. I haven't looked to see if there are any repos available from a Tor Hidden Service.

.hc
Re: Debian APT Key Revocation Procedure
On Thu, Oct 31, 2013 at 8:55 PM, adrelanos wrote:
> What are your plans if you ever have reason to believe that the Debian
> archive signing key has been compromised?

It is unlikely that the people responsible for that are reading this list. I suggest you contact them (DSA, ftpteam) directly.

-- 
bye,
pabs

http://wiki.debian.org/PaulWise

Archive: http://lists.debian.org/caktje6hyohzalxkaqotfjp98enqy0zj47hty19-hkdhevzi...@mail.gmail.com
Debian APT Key Revocation Procedure
What are your plans if you ever have reason to believe that the Debian archive signing key has been compromised?

http://ftp-master.debian.org/keys.html says:

> Key Revocation Procedure
>
> A revocation certificate for the archive key is produced at the time of the creation of an archive key. The program gfshare (package libgfshare-bin) (a Shamir's secret sharing scheme implementation) is then used to produce 12 shares of which 7 are needed to recover the revocation cert. This procedure is for use in emergencies only (such as losing ftp-master.debian.org and all of the backups, a hopefully unlikely event) as the key can normally be used to produce its own revocation certificate.

But what could you do with the revocation certificate? Only manually spread the news and ask users to obtain the revocation certificate? Or will the apt on Debian users' machines somehow learn about that revocation certificate? If so, how does that procedure work? Where is it configured?

Archive: http://lists.debian.org/52725325.7030...@riseup.net
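The quoted keys.html text describes the 7-of-12 threshold split of the revocation certificate without showing what a Shamir split actually does. The following is an added example, not Debian's or gfshare's code: a byte-wise Shamir scheme over GF(2^8), the same field gfshare works in, that splits a constructed placeholder standing in for the revocation certificate into 12 shares and recovers it from any 7. It goes one step beyond the quoted text by also showing that 6 shares yield garbage rather than a partial secret. The reduction polynomial (0x11B, the AES one) and the share-numbering are assumptions made for this example; gfshare's own choices may differ, and a real revocation certificate would be the ASCII-armoured output of gpg, not the placeholder bytes used here.

```python
"""Byte-wise Shamir secret sharing over GF(2^8), in the style of gfshare.

Added example (not Debian's or gfshare's code). Each secret byte becomes the
constant term of a random polynomial of degree threshold-1; share x holds the
polynomial evaluated at x. Any `threshold` shares recover the byte by Lagrange
interpolation at 0; fewer shares give uniformly random output.
"""
import secrets

# Assumption: AES reduction polynomial. gfshare's own polynomial may differ.
POLY = 0x11B


def gf_mul(a: int, b: int) -> int:
    """Multiply two field elements in GF(2^8) (shift-and-xor, reduce by POLY)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= POLY
        b >>= 1
    return r


def gf_inv(a: int) -> int:
    """Multiplicative inverse via a^(2^8-2) = a^254 (Fermat in a field of 256 elements)."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^8)")
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r


def split(secret: bytes, threshold: int, count: int, rng=secrets.token_bytes) -> dict:
    """Return {share_number: share_bytes}; share numbers are the x-coordinates 1..count."""
    if not 1 <= threshold <= count <= 255:
        raise ValueError("need 1 <= threshold <= count <= 255")
    shares = {x: bytearray() for x in range(1, count + 1)}
    for byte in secret:
        # coefficients a0..a_{k-1}: a0 is the secret byte, the rest are random
        coeffs = [byte] + list(rng(threshold - 1))
        for x in shares:
            y = 0
            for c in reversed(coeffs):  # Horner evaluation at x
                y = gf_mul(y, x) ^ c
            shares[x].append(y)
    return {x: bytes(v) for x, v in shares.items()}


def combine(shares: dict) -> bytes:
    """Lagrange-interpolate each byte position at x=0 using whatever shares are given."""
    xs = list(shares)
    length = len(next(iter(shares.values())))
    out = bytearray()
    for i in range(length):
        acc = 0
        for xi in xs:
            # basis L_i(0) = prod_{j != i} x_j / (x_i - x_j); subtraction is xor in char 2
            num = den = 1
            for xj in xs:
                if xj != xi:
                    num = gf_mul(num, xj)
                    den = gf_mul(den, xi ^ xj)
            acc ^= gf_mul(shares[xi][i], gf_mul(num, gf_inv(den)))
        out.append(acc)
    return bytes(out)


def demo() -> tuple:
    """Split a constructed placeholder 7-of-12; return (7 shares recover?, 6 shares recover?)."""
    secret = b"-----BEGIN PGP PUBLIC KEY BLOCK-----\n(constructed placeholder, not a real revocation cert)\n"
    shares = split(secret, threshold=7, count=12)
    seven = {x: shares[x] for x in (1, 3, 5, 7, 9, 11, 12)}
    six = {x: shares[x] for x in (1, 3, 5, 7, 9, 11)}
    return combine(seven) == secret, combine(six) == secret


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The point the quoted procedure relies on is visible in the second tuple element: six shares do not leak a "mostly right" certificate, because with one random coefficient still unknown the interpolated constant term is uniformly distributed per byte. Whether apt clients would ever see that certificate, the question the post actually asks, is not something the sharing scheme addresses; it only governs who can produce it.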