From: | Curt Sampson <cjs(at)cynic(dot)net> |
---|---|
To: | Greg Copeland <greg(at)CopelandConsulting(dot)Net> |
Cc: | PostgresSQL Hackers Mailing List <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: PGP signing releases |
Date: | 2003-02-05 06:22:12 |
Message-ID: | Pine.NEB.4.51.0302051513410.353@angelic.cynic.net |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
On Wed, 4 Feb 2003, Greg Copeland wrote:
> If three people are required to sign a package prior to release,
> what happens when one of them is unavailable for signing (vacation,
> hospital, etc). This is one of the reasons why having a single project
> key which the core developers sign may appear to be easier.
I don't see that it makes that much difference. So the release is signed
only by, say, only three people instead of four. It's still signed.
> > One hopes that situations like last week's "ousting" of one of the
> > core FreeBSD developers are rare but if such a situation were to
> > arise, a shared project key would be Very Bad (tm).
>
> If a revocation key has been properly generated (as it should of been),
> this is not a problem at all.
Actually, it is still a problem. Revocations are not reliable in PGP,
and there's really no way to make them perfectly reliable in any system,
because you've got no way to force the user to check that his "cached
data" (i.e., the key he holds in his keyring) is still valid. This is why
we generally expire signing keys and certificates and stuff like that on
a regular basis.
This one element alone makes me think that individual signing is a
better thing. (With individual signing you'd have to compromise several
keys before you have to start relying on revocation certificates.)
> > > Who will actually hold the key? Where will it be physically kept?
>
> Good question but can usually be addressed.
It can be addressed, but how well? This is another big issue that I
don't see any plan for that I'm comfortable with..
> > > How many people will know the passphrase?
>
> As few as possible. Ideally only two, maybe three core developers.
Um...I'm not sure that this is a relevant question at all. The
passphrase is not part of the key; it's just used to encrypt the key for
storage. If you know the passphrase, you can make unlimited copies of
the key, and these copies can be protected with any passphrases you like,
or no passphrase, for that matter.
> One could also only allow a single person to hold the passphrase and
> divide it into parts between two or more. This is commonly done in
> financial circles.
Hm. Splitting the key into parts is a very interesting idea, but I'd
be interested to know how you might implement it without requiring
everybody to be physically present at signing.
cjs
--
Curt Sampson <cjs(at)cynic(dot)net> +81 90 7737 2974 http://www.netbsd.org
Don't you know, in this new Dark Age, we're all light. --XTC
From | Date | Subject | |
---|---|---|---|
Next Message | Hannu Krosing | 2003-02-05 09:59:16 | Re: POSIX regex performance bug in 7.3 Vs. 7.2 |
Previous Message | Tom Lane | 2003-02-05 06:12:54 | Re: POSIX regex performance bug in 7.3 Vs. 7.2 |