[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: Thandy attacks / suggestions
On Sun, Dec 07, 2008 at 08:14:42PM -0500, Roger Dingledine wrote:
> A2) Add another layer of indirection, so there's a timestampsigning key
> that signs the timestamp key. That timestampsigning key is listed in
> the key file, and it's kept offline. Whoever controls it still generates
> a new timestamp every month, but now all the master keys don't need to
> be bothered.
It occurs to me that an easier variation of this is to keep the
timestamp key on a very secure computer that's separate from the main
repository. Then it generates a new timestamp file periodically and
scp's it over to the main repository.
That way the timestamp key doesn't have to be stored on the same computer
that runs a big complex webserver.
In this day and age of "run a different VM for each task", that's not a
crazy notion.
--Roger