On Wed, 2011-10-12 at 13:49 -0600, Kevin Fenzi wrote:
On Wed, 12 Oct 2011 20:19:27 +0200
Henrik Nordström <henrik(a)henriknordstrom.net> wrote:
> The password change is understandable, but why force an SSH key change
> with such short notice?
Short? 1.5 months?
How long would you like?
> And what if the SSH key is a hard token (smartcard) which cannot be
> copied or trivially changed? Switching to a soft key would be mostly
> counter-productive from a security point of view. Now, I was not
> currently using my hard token smartcard key for Fedora for other
> reasons, but I would have been quite annoyed by this change requirement
> if I were.
If you can't change your token, then I would posit you have a problem.
What if you KNEW your private key was compromised? Surely there is a
way to generate a new one...
If your token has been compromised you throw it away. Or it will be
compromised again evidently because there is a way to extract keys (keep
in mind HW tokens like that are tamper-proof).
> But even then, the security of Fedora accounts is no stronger than the
> security of the email associated with an account. Quite pointless to
> try to bolster the security very high when all that is needed to take
> over a standard Fedora account is to have access to the email
> (account or traffic) of the Fedora account. Sure, a full account
> takeover is more likely to get noticed than a stolen password, but it
> still sets the level of expected security.
Yeah, ideally we would do more here with gpg.
Sure, so next time you also force me to change my gpg key and throw away
years of web of trust? No thanks!
Simo.
--
Simo Sorce * Red Hat, Inc * New York