On Mon, 31 Jan 2011, Michael Scherer wrote: > > So I propose that we use two keys : > > - We sign all packages from all repositories using only one key. This > > key is stored on the buildsystem. We can call it [email protected]. > > - We have an other key, that we call [email protected]. This key is > > not used on any online server, and is supposed to never be changed, > > and should not be compromised. Only a few people have a copy of this > > key (some people from board ?), kept on a usb key hidden somewhere, but > > not on their laptop or any computer with internet connection. This key > > is used to sign the key [email protected] (and revoke it if needed), > > and other official keys of the project, but never used for anything > > else (not for receiving encrypted messages). And the signature is > > sent on public keyservers. > > If we want to sign the key, we will have a network connection, no ?
We can sign it, and copy the signed key on an other computer to upload it. Doing something like this : - We have Computer A with internet connection. - We have Computer B without internet connection, running on a livecd with tmpfs - On computer A: we download the packages@ public key, and the public key of all board members (if needed), and save this on a USB key - On computer B: we use the USB key to import all public keys in keyring - On computer B: We generate the board@ key - On computer B: We sign the packages@ key using board@ key - On computer B: We save the signed packages@ key, and public board@ key on the USB key - On computer A: We use the USB key to upload the signed packages@ key, and board@ key on keyservers - On computer B: We encrypt the board@ private key using public key of board members or shamir secret sharing, and copy the encrypted files on USB keys to give them to board members - We destroy computer B (or alternatively we simply turn it off to remove tmpfs) > > If we decide to do this, someone from board could generate the key next > > week at fosdem after the election, save it on usb key for other board > > members, and give the fingerprint to everybody to sign the key. > > I would rather make sure that the key cannot be used by only one board > member. Not that I do not trust people for that ( they are the board > after all ), but it would be safer to have it distributed and resilient > if someone steal the key ( like a burglar, etc ). > > Maybe have it password protected should be sufficient ( except if people > forget that password, or stick it to the key ). > > Pascal proposed to use https://store.ironkey.com/personal , on the > thread > https://www.mageia.org/pipermail/mageia-sysadm/2011-January/002155.html > > Another last solution to prevent theft would to use shamir secret > sharing ( as also said in the other thread, but maybe I am too insistant > on this wonderful cryptographic invention ). This way, people would have > to steal several part of the file to get something usable. > ( for Harry Potter fan, think of horcruxes ) Oops, I should have mentioned this thread in the 1st mail (but didn't find it yesterday). > And also, I think we should routinely make sure the key is readable > ( ie, that people know where it is, and the support is still good ), so > we do not discover one day that half the key keeper lost the key while > moving, thinking someone else had it, and the other half stored it near > magnet, rendering it unreadable. Maybe we could test it every year at fosdem ?
