Secrecy and user trust

Bill Davidsen davidsen at tmr.com
Fri Sep 5 13:59:26 UTC 2008


Jeff Spaleta wrote:

> If you want to be security paranoid concerning the validity of the new
> key when it becomes available.. go right ahead.. be paranoid about it.
>  But if you need 3rd parties to sign off on the key before you use it,
> then you should already have been talking to 3rd parties about doing
> it for the last Fedora key. Talk to the 3rd parties.. get them to
> agree to sign the new key and put the detached signatures somewhere
> public.
> 
This is a (hopefully) one-time problem, and therefore it probably 
doesn't need a perfect, automated, runs-by-itself solution. And my 
assumption has been that some people at other repositories do personally 
know and interact with official people in the Fedora project, and that 
there is an out-of-band way to pass information to the people at some 
other repository. Given the nature of the problem, that could mean 
carrying a CD a hundred miles to meet with someone who is personally 
known to you from a presentation, etc, etc. It need not be pretty, let's 
assume that this is a one-time problem.

Then the other repository creates an RPM, containing not the key, but the 
RPM created by Fedora, signed appropriately, which in turn contains the 
new key, and distributes an RPM which installs an RPM, which rpm (the 
program) now knows how to handle. So instead of signing a key, they 
create and sign an RPM which itself contains an RPM, which can be 
manually installed by the cautious.

Does that satisfy the technical issues you raised? It's what I had in 
mind initially, when I proposed a secure means of distributing the 
information. I know it's ugly, but it's a one night stand.

-- 
Bill Davidsen <davidsen at tmr.com>
   "We have more to fear from the bungling of the incompetent than from
the machinations of the wicked."  - from Slashdot
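The wrapper scheme Bill describes, worked through from the receiving end, as an added example that is not part of the original thread or any Fedora tooling. It assumes the third-party repository's own key is already in the local rpm keyring, that `rpm -K` prints "signatures OK" (newer rpm) or "gpg OK"/"pgp OK" (older rpm) on success and "NOT OK" on failure, and it uses placeholder file names throughout. The point a cautious admin wants to see is that a bare "OK" from `rpm -K` is not enough: an unsigned package also reports its digests OK, so the check must insist that a signature, not just a digest, was verified, at both layers, before the inner package is handed to `rpm -Uvh`.

```shell
#!/bin/sh
# Added example (not from the original post). Verifies a third-party-signed
# wrapper RPM, unpacks the Fedora-signed RPM inside it, verifies that too,
# and only then tells the operator what to install. File names and the
# work directory are placeholders; no package is installed automatically.

# sig_output_ok <text>: return 0 only if `rpm -K` output shows that a
# signature (not merely a digest) verified. Assumed output shapes:
#   newer rpm:  "pkg.rpm: digests signatures OK"          (signed, good)
#               "pkg.rpm: digests OK"                     (unsigned!)
#               "pkg.rpm: digests SIGNATURES NOT OK"      (bad or missing key)
#   older rpm:  "pkg.rpm: (sha1) dsa sha1 md5 gpg OK"     (signed, good)
#               "pkg.rpm: sha1 md5 OK"                    (unsigned!)
#               "pkg.rpm: (SHA1) DSA sha1 MD5 GPG NOT OK" (bad or missing key)
sig_output_ok() {
    case $1 in
        *"NOT OK"*) return 1 ;;                       # any failure wins
        *"signatures OK"*|*"gpg OK"*|*"pgp OK"*) return 0 ;;
        *) return 1 ;;                                # digests only: unsigned
    esac
}

# verify_pkg <file>: run rpm -K and apply the strict interpretation above.
verify_pkg() {
    sig_output_ok "$(rpm -K "$1" 2>&1)"
}

# extract_inner <outer.rpm> <dir>: unpack the wrapper's payload into <dir>.
extract_inner() {
    case $1 in /*) pkg=$1 ;; *) pkg=$PWD/$1 ;; esac   # absolute path for the subshell
    mkdir -p "$2" && ( cd "$2" && rpm2cpio "$pkg" | cpio -idm --quiet )
}

# check_key_wrapper <outer.rpm> [workdir]: the whole cautious procedure.
# Prints the inner package's signature so it can be compared against the
# value obtained out of band (the CD carried a hundred miles, in the post).
check_key_wrapper() {
    outer=$1
    work=${2:-./keywrap.$$}
    verify_pkg "$outer" || { echo "wrapper $outer: signature check failed" >&2; return 1; }
    extract_inner "$outer" "$work" || { echo "wrapper $outer: could not unpack" >&2; return 1; }
    inner=$(find "$work" -name '*.rpm' | head -n 1)
    [ -n "$inner" ] || { echo "wrapper $outer: no inner rpm found" >&2; return 1; }
    verify_pkg "$inner" || { echo "inner $inner: signature check failed" >&2; return 1; }
    echo "inner package: $inner"
    # Show the signature(s) rpm sees; DSA-signed packages fill SIGGPG, RSA SIGPGP.
    rpm -qp --qf 'signature: %{SIGGPG:pgpsig} %{SIGPGP:pgpsig}\n' "$inner"
    echo "if this matches the fingerprint you obtained out of band, install with:"
    echo "  rpm -Uvh $inner"
}

# Run the procedure when invoked with a wrapper file, e.g.
#   sh check_key_wrapper.sh otherrepo-fedora-newkey-wrapper.rpm
[ $# -gt 0 ] && check_key_wrapper "$@"
```

The two "unsigned!" lines in the comment are the reason the helper rejects anything that does not name a verified signature: under the scheme in the post the whole value lies in the outer signature binding the third party to the inner package, so a wrapper that merely has intact digests proves nothing.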