Subject: IMPORTANT: Mandatory password and ssh key change by 2011-11-30

[Paul Wouters]

On Wed, 12 Oct 2011, Adam Williamson wrote:

> Reading between the lines of recent attacks, it seems likely that
> private keys compromised in some of the attacks were used to perform
> others. (No-one's come out and officially said this yet but it seems
> pretty obvious from the subtext of some of the reports; I'm thinking
> kernel.org / linux.com, for e.g.) It doesn't seem at all unlikely that
> some people may have used the same identities on some of the other
> compromised systems as they are using on FAS, and hence it seems pretty
> reasonable to require this change.

Because you really think people will not use their old key to access all
other resources anymore, including perhaps their own laptop, so the new
key will be obtainable using the old key, which you assume could be compromised.

It basically adds no security. Users who did passphrase protect their key should
be fine and just need to go through a useless change loop, while insecure
users are just going to add a new key that's instantly compromised because
their old compromised key isn't removed because they need/use it elsewhere too.

So yeah, this qualifies as security theatre.

Also, if we are doing this, did pkgs.fedoraproject.org get a new ssh host key?

Paul