1 |
On Thu, Apr 25, 2019 at 7:57 AM Marek Szuba <marecki@g.o> wrote: |
2 |
> |
3 |
> On 2019-04-24 20:34, Rich Freeman wrote: |
4 |
> |
5 |
> > The only reason to have a separate primary key is to have an offline |
6 |
> > copy, |
7 |
> |
8 |
> Not quite. First and foremost, you don not want to have an offline copy |
9 |
> of the primary private key - you want to have the primary ENTIRELY |
10 |
> offline. |
11 |
|
12 |
Agree, I could have said that better. Though, to be clear the primary |
13 |
key needs to be on a PC anytime you use it, which includes time of |
14 |
generation and renewal. Typically this PC will be online. |
15 |
|
16 |
> > So, maintaining this requirement with a Nitrokey means that we in |
17 |
> > reality have the primary key online most of the time, |
18 |
> |
19 |
> Seeing as separating the primary and the signing key has been part of |
20 |
> OpenPGP best practices for a long, long time, I have got highly mixed |
21 |
> feelings about this statement. On the one hand, it is not reasonable to |
22 |
> expect someone with no or minimal prior knowledge of OpenPGP to master |
23 |
> it overnight. On the other, we are not just some random people from Teh |
24 |
> Intarwebz and we *have* been using OpenPGP signatures on commits for |
25 |
> quite a while now. |
26 |
|
27 |
IMO this has nothing to do with knowledge, and everything with risk |
28 |
tolerance and incentives. |
29 |
|
30 |
Generating a key on a smartcard is practically a one-liner and is |
31 |
convenient. It is also VERY secure. |
32 |
|
33 |
Now, if you're going to have a completely offline PC that never gets |
34 |
connected to the internet, and use that for key generation, and treat |
35 |
any media used to transfer keys as if you're working on a classified |
36 |
software project, then sure, that would be more secure. It is also a |
37 |
LOT less convenient. I'd argue that most devs who understand how to |
38 |
use GPG fairly well would not bother with this. I've never kept a |
39 |
primary key offline and I was using PGP back when you had to be |
40 |
located in the US to download it from the original official source. |
41 |
|
42 |
> |
43 |
> > when if it were the same as the signing key then both would be |
44 |
> > offline in the Nitrokey. |
45 |
> |
46 |
> Using a hardware security device is not the same as making the key |
47 |
> offline - especially given that the Gentoo NitroKey workflow as |
48 |
> currently posted on the Wiki suggests disabling forcesig, which could |
49 |
> effectively leave the signing private key unlocked for extended periods |
50 |
> of time. |
51 |
|
52 |
I'm all for revising this, but it isn't part of the GLEP. Maybe it should be. |
53 |
|
54 |
A smartcard is a practical compromise. It gives a great deal more |
55 |
security than online keys, while being convenient. Sure, it might not |
56 |
be the most secure approach possible, but it is far more secure than |
57 |
approaches most are likely to actually use, even if they know better |
58 |
options exist. |
59 |
|
60 |
> |
61 |
> > Also, by generating the key outside the Nitrokey it is exposed to a |
62 |
> > far higher risk of compromise. |
63 |
> |
64 |
> As Kristian has already mentioned, in principle one could keep the |
65 |
> primary private key on a separate token. |
66 |
|
67 |
Sure, though this is definitely more cumbersome, and not a one-liner |
68 |
in gpg for sure. And last time I checked we're only issuing one |
69 |
Nitrokey per dev, so it is unlikely many would do this. |
70 |
|
71 |
> |
72 |
> > In any case, I think it is far more likely that somebody generating |
73 |
> > keys using software has a rooted box than somebody is going to come |
74 |
> > up with a way to extract keys from a Nitrokey. |
75 |
> |
76 |
> You do not have to extract keys from a smartcard in order to be able to |
77 |
> use keys physically present on it. All you have to do observe the |
78 |
> smartcard user's PIN - either physically or using said rooted box - then |
79 |
> nick the smartcard off them, ehich given that we are talking about keys |
80 |
> that are supposed to be used on a regular basis might be very simple. |
81 |
|
82 |
Sure, but this requires physical theft, which is a HUGE escalation of |
83 |
effort. IMO the most likely attack is some script kiddie on the other |
84 |
side of the planet. |
85 |
|
86 |
I mean, somebody could steal my ID and get into my work and go cause a |
87 |
mess. However this is extremely unlikely in practice. |
88 |
|
89 |
If we were defending against the CIA or whatever I'd consider this a |
90 |
more serious concern, but this isn't realistic, and we would need far |
91 |
better standards to do that. |
92 |
|
93 |
> Hell, if said smartcard contains the primary key you might even return |
94 |
> it to them once you're done compromising them (e.g. by generating your |
95 |
> own set of subkeys) and chances are pretty good that as long as |
96 |
> everything keeps on working fine for them, it will take a quite a while |
97 |
> before anyone notices. |
98 |
|
99 |
I don't see how it differs whether the primary vs signing key is |
100 |
stolen, unless you regenerate new signing keys frequently. If you |
101 |
keep just re-extending expiry on your signing key then that stolen key |
102 |
will work forever. |
103 |
|
104 |
And if you do generate signing keys often then the window of |
105 |
compromise is the same either way. |
106 |
|
107 |
-- |
108 |
Rich |