Hi Daniel, Quick backstory: I stayed away from hardware crypto for a long while since there were so many incompatibilities, partial support, or side patches to get basic things to work. Over time, it seems it got to a point where it's mainstream enough that you can buy a Yubikey without much of a second thought, and get GPG to work out of the box on it…
Daniel Kahn Gillmor <d...@fifthhorseman.net> (2023-12-20): > OpenPGP implementations have generally learned from those failures, and > many of them are now much more resilient and can support the kinds of > upgrade path that we need to consider. For most of our > signing/verifying-focused work, that means: > > - verifying tools should ignore signatures and certificates that they > don't understand, while still validating signatures from certificates > that they do understand > > - signing tools can make pairs of signatures, one "compatibility" > signature and one "modern" signature > > This means that for a debian signing/verification context, like package > distribution, which has a global workflow, starting from an existing > OpenPGP implementation, signing key and corresponding verification > certificate, it looks like: > > 0) upgrade the signing tool, and start upgrading some of the > verification tooling. > > 1) create a new signing certificate with the new version, algorithm, or > feature. > > 2) distribute the old+new certificates for the verifiers. > > 3) make signatures with old+new in parallel > > 4) complete upgrade of all verification tooling > > 5) stop making signatures with old signing certificates … what does this mean for anything that involves hardware-backed crypto? I'm thinking Yubikeys and the like, but also HSMs that might be on the critical path to sign things like GRUB, linux (at least for now), etc. Even if we end up with a brand new gnupg release on the relevant signing host(s), I fear hardware devices might not feature all the bits that are needed for those new features? Cheers, -- Cyril Brulebois (k...@debian.org) <https://debamax.com/> D-I release manager -- Release team member -- Freelance Consultant
signature.asc
Description: PGP signature
