Re: Key revocation



Colin Percival wrote:
> Gleb Arshinov wrote:
>> Anyway, I think key revocation would be very handy for our use. [...]
> 
> Good points.  I've added this to my Tarsnap to-do list.  You won't be able
> to change the encryption keys, of course, but changing the access keys
> will be better than nothing and possibly enough for most people.

Just to clarify, what I mean here (and what I think Gleb means) is *changing*
the keys which are used to access a machine's data.  That is, key rotation,
not key revocation.

Deleting a machine and all of its data if you've lost its keys (so that you
don't end up paying to store the data forever) is a completely different matter
-- I haven't written the code to allow people to do that yet either, but I can
nuke machines' data if people find themselves in that position.

-- 
Colin Percival
Security Officer, FreeBSD | freebsd.org | The power to serve
Founder / author, Tarsnap | tarsnap.com | Online backups for the truly paranoid