Re: xz backdoor

To: debian-devel@lists.debian.org
Subject: Re: xz backdoor
From: Michael Shuler <michael@pbandjelly.org>
Date: Sat, 6 Apr 2024 09:31:28 -0500
Message-id: <[🔎] 69b5ed80-b017-4ffa-8d07-827e291014fd@pbandjelly.org>
In-reply-to: <[🔎] 87le5rrfl3.fsf@daath.pimeys.fr>
References: <ZgcgCR8uDPIXVJS_@akarlsso-mac.trudheim.com> <87a5mgkcn4.fsf@hope.eyrie.org> <875xx4k9bv.fsf@hope.eyrie.org> <36567ed4-7246-4466-9122-2934d6e9f18f@debian.org> <Zgg3Gm0aGIdQCMua@bongo.bofh.it> <Zghqr7N2x6e-AOto@belkar.wrar.name> <954cd439e933052f0ddf502d68437e68646d9d79.camel@43-1.org> <20240331023321.GZ4300@mail.wookware.org> <87o7auy40j.fsf@daath.pimeys.fr> <[🔎] 87le5rrfl3.fsf@daath.pimeys.fr>

On 4/5/24 10:30, Pierre-Elliott Bécue wrote:

Pierre-Elliott Bécue <peb@debian.org> wrote on 31/03/2024 at 14:31:37+0200:

Wookey <wookey@wookware.org> wrote on 31/03/2024 at 04:34:00+0200:

On 2024-03-30 20:52 +0100, Ansgar 🙀 wrote:

Yubikeys, Nitrokeys, GNUK, OpenPGP smartcards and similar devices.
Possibly also TPM modules in computers.

These can usually be used for both OpenPGP and SSH keys.


Slightly off-topic, but a couple of recent posts have given me the
same thought:

Can someone point to good docs on this?  I've had a yubikey for 3/4 of
a year now but have not yet worked out how I put my GPG key in it. (or
if it should be another key, or a subkey, or whatever). So I'm not
actually using it yet.

PEB also described what sounded like a very sensible way to manage
keys (using subkeys) in one of these threads but I don't know how to
do that myself.


I have started (and never finished) a blog article on how I use my
YubiKey and what config I put in it. I'll definitely try to get it out
before the end of next week. I'll probably extend it to mention the
creation of GPG subkeys etc.

I would also be happy if it helps my fellow DDs to try making an article
about some basic crypto concepts regarding PGP, RSA et al. But not in
the same piece I guess.


Hello,

For those interested in: I've published two articles:

  1. One on PGP subkeys https://pe.becue.phd/openpgp-subkeys
  2. One on the OpenPGP module of YubiKeys:
     https://pe.becue.phd/yubikey-workfow-openpgp

I'm happy to receive any kind of constructive feedback.

Thank you so much for working on these. I last-minute cobbled together aBOF on GPG Key Best Practices at Columbia in 2010, since the topic cameup in another talk. I was blown away at how much I did not know, thecomplexity, as well as how many people crammed in that room - definitelythere are interested people (I think Wookey was there, too?). I includemyself in each of the things others mentioned, that I should have beendoing since then, but just never got around to.. At least I now have afist full of Yubikeys to play with, as we use them at work, so thanksfor your work. I appreciate it, and I'm guessing there's a rather large,quiet group of people thinking the same.


Kind regards,
Michael

Reply to:

Follow-Ups:
- Re: xz backdoor
  - From: Pierre-Elliott Bécue <peb@debian.org>

References:
- Re: xz backdoor
  - From: Pierre-Elliott Bécue <peb@debian.org>

Prev by Date: Re: New supply-chain security tool: backseat-signed
Next by Date: Re: New supply-chain security tool: backseat-signed
Previous by thread: Re: xz backdoor
Next by thread: Re: xz backdoor
Index(es):
- Date
- Thread