|
|
|
|
|
|
by huahe
2641 days ago
|
|
|
> If users trust the key because they trust updates coming from Daniel and if Daniel is about to lose control of the key to someone else, then destroying the key before it becomes compromised is the responsible and right thing to do. how can you possibly state that when the users have no control or say over this decision? |
|
|
> If users trust the key because they trust updates coming from Daniel ..., then
That's a big-ish "if"; I didn't weigh in on whether I think it's true. A reasonable person could go either-way on that. If it is true, then Daniel was justified, if it's not, then he wasn't.
> ... when the users have no control or say over this decision?
If we assume that people trusted Copperhead-the-organization because they trusted Daniel and that Daniel's removal is a change-of-hands, then the decisions is:
- Do nothing (and stop receiving updates)
- Start trusting the new engineering leadership of Copperhead-the-organization
From that perspective, it makes sense that Daniel should destroy the key: Making the active decision to start trusting the new Copperhead requires the active technical step of installing the new key; making the inactive decision doesn't require action.
If on the other hand we assume that Daniel was an implementation detail and that people trust Copperhead-the-organization as an institution, then the decision is:
- Stop trusting Copperhead-the-organization (and stop receiving updates)
- Do nothing
From that perspective, it makes sense that Daniel should not destroy the key: Making the active decision of ceasing trust requires the active technical step of disabling updates.