From: Joerg Jaspert
Date: Tue, 17 Feb 2009 20:54:26 +0000 (+0100)
Subject: Describe the key split thing we have now
X-Git-Url: https://err.no/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bf3d537dfb948dc7df23ce44763ca6521aa8158c;p=dak

Describe the key split thing we have now

Signed-off-by: Joerg Jaspert
---
diff --git a/web/keys.html b/web/keys.html index 7fd38e85..725a0e20 100644 --- a/web/keys.html +++ b/web/keys.html @@ -115,16 +115,68 @@
-

Key Revokation Procedure

+

Key Revocation Procedure

A revokation certificate for the archive key is produced at the time of the creation - of an archive key. The program ssss (a Shamir's secret sharing scheme implementation) - is then used to produce 20 shares of which 10 are needed to recover the revokation cert. + of an archive key. The program gfshare (package + libgfshare-bin) + (a Shamir's secret sharing scheme implementation) is then used to produce 12 shares of + which 7 are needed to recover the revokation cert. This procedure is for use in emergencies only (such as losing ftp-master.debian.org and all of the backups, a hopefully unlikely event) as the key can normally be used to produce its own revokation certificate.

+
+

Key Backup / Restore Procedure

+

After the creation of the archive key, the secret part of it will be backed up in one additional + way. The program gfshare (package + libgfshare-bin) + (a Shamir's secret sharing scheme implementation) is used to produce 14 shares of which 9 are needed + to recover the secret key.

+ +
+

SSSS holders

+

The following people each hold one of the shares of the revocation certificate / private key.

+

Revocation shares

+

7 of those shares are needed to reproduce the revocation certificate

+ + + + + + + + + + + + + + + +
Debian uidName
shoSamuel Hocevar
donDon Armstrong
neilmNeil McGovern
djpigFrank Lichtenheld
jimmyJimmy Kaplowitz
killerKalle Kivimaa
shortyChristian Kurz
noodlesJonathan McDowell
rraRuss Allbery
margaMargarita Manterola
thijsThijs Kinkhorst
meikeMeike Reichle
miriamMiriam Ruiz
+ +

Key shares

+

9 of those shares are needed to reproduce the secret key

+ + + + + + + + + + + + + + + + +
Debian uidName
lukLuk Claes
maxxMartin Wuertele
myonChristoph Berg
93samSteve McIntyre
bdaleBdale Garbee,KBOG,,,
sgranStephen Gran
lukasLukas Geyer
dannfDann Frazier
weaselPeter Palfrader
enricoEnrico Zini
wouterWouter Verhelst
mhyMark Hymers
bzedBernd Zeimetz
stewMike O'Connor
+

Debian FTP team
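Review bot: The share count in the revocation paragraph does not match the table added under "Revocation shares": the text says gfshare produces 12 shares of which 7 are needed, but the table lists 13 holders (sho through miriam). Either the paragraph or the table needs correcting so readers know how many shares exist and who holds them; the "Key shares" table does match its stated 14. The spelling fix in the heading ("Revokation" to "Revocation") is also not carried into the body, which still reads "revokation certificate" and, on an added line, "which 7 are needed to recover the revokation cert."; please fix those in the same change. Two smaller points in the new sections: the heading "SSSS holders" still names the old tool although the text now describes gfshare, so something like "Share holders" would stay accurate, and the bdale row reads "Bdale Garbee,KBOG,,,", which looks like an unstripped account field and should be reduced to the name.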