| 1 |
Hi, |
| 2 |
|
| 3 |
I know I am late but... |
| 4 |
|
| 5 |
1) I still don't understand the motivation for this. What will |
| 6 |
change/improve/be possible in future vs. status quo? |
| 7 |
|
| 8 |
2) This sounds like a blackbox only a few people know/understand: |
| 9 |
|
| 10 |
> +The single L1 Authority Key is used only to (manually) certify the L2 |
| 11 |
> +Keys, and is kept securely offline following the Infrastructure policies |
| 12 |
> +on protecting primary keys. |
| 13 |
|
| 14 |
However, the L1 key is critical, especially if all devs will sign that |
| 15 |
key. E.g. this will allow people with access to L1 to establish a new |
| 16 |
tree without the knowledge of everyone who signed the key but the new |
| 17 |
tree will be able to issue new signatures and everyone will accept them |
| 18 |
because L1 is trusted. Unacceptable. Process must be clear for |
| 19 |
_everyone_. No blackbox. |
| 20 |
|
| 21 |
|
| 22 |
> +The fingerprint of this key is published |
| 23 |
> +on the Gentoo website and users are requested to sign this key to enable |
| 24 |
> +key validity via Authority Keys. |
| 25 |
|
| 26 |
This is problematic. Nobody should ever sign something because it was |
| 27 |
published somewhere. I know this will be a hard challenge but I believe |
| 28 |
the L1 key can only be created if infra people will meet in person: |
| 29 |
|
| 30 |
- This will guarantee that nobody will take a copy of the L1 key, |
| 31 |
assuming we trust these people (maybe do this during a Gentoo conference |
| 32 |
so other people can watch the ceremony). |
| 33 |
|
| 34 |
- We will sign L1 only because it was signed by infra person X which we |
| 35 |
met in person. E.g. nobody should sign L1 key who hasn't met anyone who |
| 36 |
already signed that key. Because mgorny and antarus for example never |
| 37 |
met somone else according to current WoT graph, trust anchor will |
| 38 |
probably be robbat2 -> k_f -> ... for most people. But signing something |
| 39 |
because you were asked to do so without *any* trust anchor should be a |
| 40 |
no go. |
| 41 |
|
| 42 |
My main criticisms, however, is that this system will create a false |
| 43 |
sense of security (authenticity to be precise): |
| 44 |
|
| 45 |
Let's say Gentoo has a developer named Bob. |
| 46 |
|
| 47 |
Bob's local system will get compromised. Attacker will gain access to |
| 48 |
Bob's SSH key and will also find Bob's Gentoo LDAP password. |
| 49 |
|
| 50 |
With the SSH key, the attacker will be able to connect to |
| 51 |
dev.gentoo.org. The LDAP password will allow the attacker to add or |
| 52 |
replace Bob's GPG fingerprint. |
| 53 |
|
| 54 |
Thanks to the new system, an automatic process will sign that new GPG key. |
| 55 |
|
| 56 |
The attacker is now able to manipulate an ebuild for example and push |
| 57 |
that change. If no one happens to review the commit for some reason and |
| 58 |
notice the malicious change, attack will be successful, because the |
| 59 |
commit has a valid signature. |
| 60 |
|
| 61 |
That's basically status quo (see #1). |
| 62 |
|
| 63 |
Once we detect the compromise, we would disable Bob's access and revoke |
| 64 |
all signatures. But this doesn't matter anymore. |
| 65 |
|
| 66 |
Also keep in mind that currently we only validate last commit. If |
| 67 |
another developer will add his/her commit on top of the attacker's |
| 68 |
change, the attacker's key doesn't matter anymore. |
| 69 |
|
| 70 |
My point is, you cannot automate trust. Yes, if someone has to change |
| 71 |
his/her key it will be a pain for everyone... but that's part of the |
| 72 |
game. The difference would be that nobody would sign that new key the |
| 73 |
attacker added to LDAP because it wasn't signed by Bob's previous key |
| 74 |
everyone trusted. So everyone would ping Bob asking what's going on. If |
| 75 |
this would be a legitimate key change, Bob would explain that (and |
| 76 |
probably sign that new key with the old key or he would have to |
| 77 |
establish a new WoT). If this wasn't a legitimate key change, we would |
| 78 |
notice... |
| 79 |
|
| 80 |
I am basically back at #1. Why do we need GLEP 79? It doesn't improve |
| 81 |
anything for real aside adding a lot of complexity. Wrong? |
| 82 |
|
| 83 |
|
| 84 |
-- |
| 85 |
Regards, |
| 86 |
Thomas Deutschmann / Gentoo Linux Developer |
| 87 |
C4DD 695F A713 8F24 2AA1 5638 5849 7EE5 1D5D 74A5 |
Archives