Root key compromise solutions? #877
Also, what are all possible workarounds for not using the root key directly for signing the root.json file?
That is basically it - you have to rotate your old key out. And no, the only keys that can provide valid signatures for the root.json file are root keys. If you want to avoid having to bring your root key offline when initializing new repositories, we are trying to add a tool that lets you import a cert: #821. The point of which is that you can use the notary client to initialize a repository with a throwaway root key (so it can't ever be compromised, because it will be deleted immediately after signing the root.json), but it lets you import the public part of the root key that you do keep, which can also be used to sign the root.json. But if you need to edit the root.json, you will have to bring that key online.
@cyli Yes, that's a nice one and it would be a feasible solution for people who are not using Notary at a large scale and also have no concept of editing the root.json file. Also, a threshold mechanism will be the easiest way to make the attack tougher and tougher. Thanks anyway.
So, I know the below possibilities for surviving root key compromise
Is there anything else I am missing? I (in fact, everyone) will be concerned about this root key survival as it's the root of trust. So, I do not want to miss any option available. Please let me know if there are any other options available apart from the ones mentioned.
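The throwaway-key setup and the threshold idea from the replies above, as an added example that is not part of the thread and not Notary's code. It is a simplified model: `RootRole`, `Scenario`, the key IDs and the payloads are hypothetical, the keys are constructed from fixed seeds, and the real root.json format and signature encoding are not reproduced.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// RootRole is a simplified model of the root role, not Notary's root.json schema.
type RootRole struct {
	Keys      map[string]ed25519.PublicKey // key ID -> public key
	Threshold int
}

// Trusted reports whether enough distinct listed keys signed payload.
func (r RootRole) Trusted(payload []byte, sigs map[string][]byte) bool {
	valid := 0
	for id, sig := range sigs {
		if pub, ok := r.Keys[id]; ok && ed25519.Verify(pub, payload, sig) {
			valid++
		}
	}
	return r.Threshold > 0 && valid >= r.Threshold
}

// constructedKey derives a deterministic demo key pair; real keys need random seeds.
func constructedKey(seed byte) (ed25519.PublicKey, ed25519.PrivateKey) {
	s := make([]byte, ed25519.SeedSize)
	s[0] = seed
	priv := ed25519.NewKeyFromSeed(s)
	return priv.Public().(ed25519.PublicKey), priv
}

// Scenario initializes with a throwaway key, then edits the root metadata.
func Scenario(threshold int) (initial, staleEdit, keptEdit bool) {
	throwPub, throwPriv := constructedKey(1) // deleted right after first signing
	keptPub, keptPriv := constructedKey(2)   // offline; only public part imported
	role := RootRole{map[string]ed25519.PublicKey{"throwaway": throwPub, "kept": keptPub}, threshold}
	v1, v2 := []byte(`{"_type":"Root","version":1}`), []byte(`{"_type":"Root","version":2}`) // constructed payloads
	sigs := map[string][]byte{"throwaway": ed25519.Sign(throwPriv, v1)}
	initial = role.Trusted(v1, sigs)
	staleEdit = role.Trusted(v2, sigs) // old signature does not cover the edit
	sigs["kept"] = ed25519.Sign(keptPriv, v2)
	keptEdit = role.Trusted(v2, sigs) // kept key had to come online
	return
}

func main() {
	fmt.Println(Scenario(1)) // threshold 1: true false true
	fmt.Println(Scenario(2)) // threshold 2: false false false
}
```

With a threshold of 1 the throwaway key alone can initialize the repository and the kept key alone can sign a later edit; with a threshold of 2 neither key is sufficient by itself, which is the trade-off between resisting a single-key compromise and keeping more keys available for signing.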