1 |
Hi, |
2 |
|
3 |
I know I am late but... |
4 |
|
5 |
1) I still don't understand the motivation for this. What will |
6 |
change/improve/be possible in future vs. status quo? |
7 |
|
8 |
2) This sounds like a blackbox only a few people know/understand: |
9 |
|
10 |
> +The single L1 Authority Key is used only to (manually) certify the L2 |
11 |
> +Keys, and is kept securely offline following the Infrastructure policies |
12 |
> +on protecting primary keys. |
13 |
|
14 |
However, the L1 key is critical, especially if all devs will sign that |
15 |
key. E.g. this will allow people with access to L1 to establish a new |
16 |
tree without the knowledge of everyone who signed the key but the new |
17 |
tree will be able to issue new signatures and everyone will accept them |
18 |
because L1 is trusted. Unacceptable. Process must be clear for |
19 |
_everyone_. No blackbox. |
20 |
|
21 |
|
22 |
> +The fingerprint of this key is published |
23 |
> +on the Gentoo website and users are requested to sign this key to enable |
24 |
> +key validity via Authority Keys. |
25 |
|
26 |
This is problematic. Nobody should ever sign something because it was |
27 |
published somewhere. I know this will be a hard challenge but I believe |
28 |
the L1 key can only be created if infra people will meet in person: |
29 |
|
30 |
- This will guarantee that nobody will take a copy of the L1 key, |
31 |
assuming we trust these people (maybe do this during a Gentoo conference |
32 |
so other people can watch the ceremony). |
33 |
|
34 |
- We will sign L1 only because it was signed by infra person X which we |
35 |
met in person. E.g. nobody should sign L1 key who hasn't met anyone who |
36 |
already signed that key. Because mgorny and antarus for example never |
37 |
met somone else according to current WoT graph, trust anchor will |
38 |
probably be robbat2 -> k_f -> ... for most people. But signing something |
39 |
because you were asked to do so without *any* trust anchor should be a |
40 |
no go. |
41 |
|
42 |
My main criticisms, however, is that this system will create a false |
43 |
sense of security (authenticity to be precise): |
44 |
|
45 |
Let's say Gentoo has a developer named Bob. |
46 |
|
47 |
Bob's local system will get compromised. Attacker will gain access to |
48 |
Bob's SSH key and will also find Bob's Gentoo LDAP password. |
49 |
|
50 |
With the SSH key, the attacker will be able to connect to |
51 |
dev.gentoo.org. The LDAP password will allow the attacker to add or |
52 |
replace Bob's GPG fingerprint. |
53 |
|
54 |
Thanks to the new system, an automatic process will sign that new GPG key. |
55 |
|
56 |
The attacker is now able to manipulate an ebuild for example and push |
57 |
that change. If no one happens to review the commit for some reason and |
58 |
notice the malicious change, attack will be successful, because the |
59 |
commit has a valid signature. |
60 |
|
61 |
That's basically status quo (see #1). |
62 |
|
63 |
Once we detect the compromise, we would disable Bob's access and revoke |
64 |
all signatures. But this doesn't matter anymore. |
65 |
|
66 |
Also keep in mind that currently we only validate last commit. If |
67 |
another developer will add his/her commit on top of the attacker's |
68 |
change, the attacker's key doesn't matter anymore. |
69 |
|
70 |
My point is, you cannot automate trust. Yes, if someone has to change |
71 |
his/her key it will be a pain for everyone... but that's part of the |
72 |
game. The difference would be that nobody would sign that new key the |
73 |
attacker added to LDAP because it wasn't signed by Bob's previous key |
74 |
everyone trusted. So everyone would ping Bob asking what's going on. If |
75 |
this would be a legitimate key change, Bob would explain that (and |
76 |
probably sign that new key with the old key or he would have to |
77 |
establish a new WoT). If this wasn't a legitimate key change, we would |
78 |
notice... |
79 |
|
80 |
I am basically back at #1. Why do we need GLEP 79? It doesn't improve |
81 |
anything for real aside adding a lot of complexity. Wrong? |
82 |
|
83 |
|
84 |
-- |
85 |
Regards, |
86 |
Thomas Deutschmann / Gentoo Linux Developer |
87 |
C4DD 695F A713 8F24 2AA1 5638 5849 7EE5 1D5D 74A5 |