On 2019-10-16 12:48 AM, max via qubes-users wrote:
> On Tuesday, 15 October 2019 at 03:21:03 UTC+2, Andrew David Wong wrote:
>>
>> Dear Qubes Community,
>>
>> We have published Qubes Canary #21. The text of this canary is
>> reproduced below. This canary and its accompanying signatures will
>> always be available in the Qubes Security Pack (qubes-secpack).
>>
>> View Qubes Canary #21 in the qubes-secpack:
>>
>> <https://github.com/QubesOS/qubes-secpack/blob/master/canaries/canary-021-2019.txt>
>>
>> Learn about the qubes-secpack, including how to obtain, verify, and read
>> it:
>>
>> <https://www.qubes-os.org/security/pack/>
>>
>
> Hi Andrew,
>
> I can see that Joanna's keys are still to be trusted
> (https://www.qubes-os.org/security/pack/#how-to-obtain-verify-and-read),
> even though she is no longer an active member of the team
> (https://www.qubes-os.org/team/)
>

As we wrote in our Security Team Update last November [1], Joanna
continues to sign Qubes Canaries:

"However, due to the nature of PGP keys, there is no way to guarantee
that Joanna will not retain a copy of the QMSK after transferring
ownership to Marek. Since anyone in possession of the QMSK is a
potential attack vector against the project, Joanna will continue to
sign Qubes Canaries in perpetuity."

Therefore, a trusted signing key belonging to Joanna must remain in the
Qubes Security Pack (secpack) [2] for this purpose.

> Is there a need for off-boarding former members, on-boarding newer ones (and
> their keys), or are there practical issues, regarding that, making it
> problematic?
>

We do these things in a secure, transparent manner when necessary and
appropriate. For example, the Security Team Update [1] added Simon to
the Qubes Security Team, and you can see that his Security Team signing
key was added to the secpack shortly thereafter. [3] You can also see
that he has signed all Canaries and QSBs since then. [4]

> Sincerely
> Max
>

Thanks for your question!

[1] https://www.qubes-os.org/news/2018/11/05/qubes-security-team-update/
[2] https://www.qubes-os.org/security/pack/
[3] https://github.com/QubesOS/qubes-secpack/commit/8e4125871ce0fc7db37ceeb5e89951cec5ff1ae9
[4] https://github.com/QubesOS/qubes-secpack/commits/master

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
