| 1 |
If there is anything you or genone need to make signing happening you |
| 2 |
have to the full support of the council/infra/hardened/security. |
| 3 |
|
| 4 |
|
| 5 |
On Thu, 2006-05-18 at 21:26 -0700, Robin H. Johnson wrote: |
| 6 |
> This email is a discussion on why we need to care about more than the simple |
| 7 |
> key parameters, and why - this includes things like changing the validity of an |
| 8 |
> existing key. We also need to consider: location of key (primary key vs. |
| 9 |
> subkey), expiry policies (expiries are only one element of key validity), key |
| 10 |
> signatures, and revoking elements in a key. |
| 11 |
> |
| 12 |
> I've tried very hard to ensure absolutely all of the following is |
| 13 |
> completely fact, and that I have not entered any of my opinions into it, |
| 14 |
> except where I've explictly marked it as such. |
| 15 |
> |
| 16 |
> On Thu, May 18, 2006 at 11:45:17PM +0200, Patrick Lauer wrote: |
| 17 |
> > Key policies |
| 18 |
> > ============ |
| 19 |
> > To make signing relevant and verifiable all devs should use the same |
| 20 |
> > parameters - key length, key type, validity. |
| 21 |
> No, the simple parameters of the have little bearing on how they are used. |
| 22 |
> While we do care about them in terms of managing file signatures, some |
| 23 |
> understanding is needed first. |
| 24 |
> |
| 25 |
> Introduction |
| 26 |
> ------------ |
| 27 |
> The following is an introduction into some of the OpenPGP standard, with a |
| 28 |
> focus on how it affects file signing, key signing, management of keys (for |
| 29 |
> the complex style listed), and revocation. |
| 30 |
> |
| 31 |
> It's important as to what attacks against a key can lead to what results. |
| 32 |
> |
| 33 |
> Breakdown of what is a 'key' is |
| 34 |
> ------------------------------- |
| 35 |
> A 'key' under PGP/GnuPG (OpenPGP) consists of several important entities: |
| 36 |
> 1. *actual cryptographic primary keys and secondary keys (subkeys) [pub/sub] |
| 37 |
> 2. *user ids - one uid per email address [uid] |
| 38 |
> 3. signatures, each attached to one uid [sig] |
| 39 |
> 4. revocations of any of the above items [rev] |
| 40 |
> I've included the packet type name in the [] at the end. |
| 41 |
> The first two items marked with a * are the core entities, and items are |
| 42 |
> associated with only one element of them. |
| 43 |
> There are a few more packet types, but they aren't important to our |
| 44 |
> discussion. |
| 45 |
> |
| 46 |
> After this point, I will use the term 'cryptokey' to refer to the actual |
| 47 |
> cryptographic keys, and the generic term 'key' to refer to the collection of |
| 48 |
> above items. |
| 49 |
> |
| 50 |
> To see the various elements of the above, try this: |
| 51 |
> "gpg --list-sig SOMEDEV@g.o" |
| 52 |
> If you look at my key, it goes on for a few pages (but isn't quite as |
| 53 |
> long as the Paludis thread). |
| 54 |
> |
| 55 |
> The first column has the information type, and you'll see the types I |
| 56 |
> mentioned above. |
| 57 |
> |
| 58 |
> Now let's focus on a single key for a moment: |
| 59 |
> |
| 60 |
> # gpg --edit-key robbat@g.o |
| 61 |
> ... |
| 62 |
> pub 1024D/34884E85 created: 2002-08-27 expires: 2008-03-09 usage: CS |
| 63 |
> trust: ultimate validity: ultimate |
| 64 |
> sub 2048g/CA05A397 created: 2002-08-27 expires: 2008-03-09 usage: E |
| 65 |
> sub 2048g/67592A1F created: 2003-04-12 expires: 2008-03-09 usage: E |
| 66 |
> This key was revoked on 2004-09-09 by DSA key 34884E85 Robin Hugh Johnson <robbat2@××××××××××××××.net> |
| 67 |
> sub 1024D/FB33B3A4 created: 2002-08-27 revoked: 2004-09-09 usage: SA |
| 68 |
> This key was revoked on 2004-09-09 by DSA key 34884E85 Robin Hugh Johnson <robbat2@××××××××××××××.net> |
| 69 |
> sub 2048g/CC772FC3 created: 2002-08-27 revoked: 2004-09-09 usage: E |
| 70 |
> sub 1024D/3233C22C created: 2004-08-29 expires: 2008-03-09 usage: S |
| 71 |
> [ultimate] (1). Robin Hugh Johnson <robbat2@××××××××××××××.net> |
| 72 |
> [ revoked] (2) Robin Hugh Johnson <rjohnsob@×××.ca> |
| 73 |
> [ultimate] (3) Robin Hugh Johnson <robbat2@×××××××××××××××××.net> |
| 74 |
> [ultimate] (4) Robin Hugh Johnson <robbat2@g.o> |
| 75 |
> [ revoked] (5) Robin Hugh Johnson <rhj@×××.ca> |
| 76 |
> [ revoked] (6) Robin Hugh Johnson <robbat2@×××.ca> |
| 77 |
> [ revoked] (7) Robin Hugh Johnson <robbat2@×××××××.com> |
| 78 |
> [ revoked] (8) Robin Hugh Johnson <robin@×××××××.com> |
| 79 |
> [ revoked] (9) Robin Hugh Johnson <robbat2@×××××××××.com> |
| 80 |
> |
| 81 |
> The important bit here is the 'usage:' bit at the end of the cryptokeys. |
| 82 |
> There are 4 letters that will appear here: |
| 83 |
> C - Certify |
| 84 |
> S - Sign |
| 85 |
> E - Encrypt |
| 86 |
> A - Authenticate |
| 87 |
> |
| 88 |
> We are interested in two of these only: Certify and Sign. |
| 89 |
> We aren't dealing with encrypted data at the moment, and usage of authenticate |
| 90 |
> is not implemented in gpg-1.4. |
| 91 |
> |
| 92 |
> 'Certify' is the terminology used for signing uids. |
| 93 |
> 'Sign' is the terminology used for digitally signing files/data. |
| 94 |
> |
| 95 |
> If you attend a keysigning event, you are certifying that a uid does indeed |
| 96 |
> belong to a person (more on this in a moment, in how we can gain from it). |
| 97 |
> |
| 98 |
> From this point forward, I will use 'certify' to indicate signing of a |
| 99 |
> key, and signing to indicate other data signing. |
| 100 |
> |
| 101 |
> Only the primary cryptokey [pub] will ever be marked with Certify. |
| 102 |
> The primary cryptokey is used for all uid signatures made with your key. |
| 103 |
> It also protects your key itself from some modifications by attackers. |
| 104 |
> |
| 105 |
> Having multiple UIDs allows a person to go over several email addresses |
| 106 |
> over time, without having to invalidate old correspondence, or identify |
| 107 |
> themselves to any given third party more than once. |
| 108 |
> |
| 109 |
> Choice of Length/Type: |
| 110 |
> ---------------------- |
| 111 |
> Any of the cryptokeys marked with Sign will be used in signing Manifest/digest |
| 112 |
> data. |
| 113 |
> We have a few choices for these - I'm limiting this to what is implemented in |
| 114 |
> upstream GnuPG, and not anything added by external patches. |
| 115 |
> CryptoKey types: DSA, RSA. |
| 116 |
> CryptoKey lengths: |
| 117 |
> - DSA provides a length of 1024 bits only (gnupg does not allow you to chose |
| 118 |
> anything else without special options, and that is only weaker keys). |
| 119 |
> - RSA lengths between 1024 and 4096 bits available. |
| 120 |
> |
| 121 |
> The following is a small speed comparison produced with 'openssl bench rsa |
| 122 |
> dsa', run single-threaded, and excluding the variants (DSA512, DSA2048) not |
| 123 |
> available in GnuPG. |
| 124 |
> |
| 125 |
> 32-bit x86 (Athlon XP) |
| 126 |
> sign/s verify/s |
| 127 |
> DSA1024 592.2 501.3 |
| 128 |
> RSA1024 264.7 5581.9 |
| 129 |
> RSA2048 48.0 1763.5 |
| 130 |
> RSA4096 7.6 510.1 |
| 131 |
> |
| 132 |
> Apple G5, Quad: |
| 133 |
> sign/s verify/s |
| 134 |
> DSA1024 2125.7 1735.8 |
| 135 |
> RSA1024 1032.4 18829.6 |
| 136 |
> RSA2048 171.0 5988.2 |
| 137 |
> RSA4096 26.3 1754.4 |
| 138 |
> |
| 139 |
> Not reflected in this is generation time for keys as that is a one time |
| 140 |
> occurrence, the time it takes is mostly irrelevant, but for the record, RSA is |
| 141 |
> several times slower for equivalent key lengths. |
| 142 |
> |
| 143 |
> Note: these speeds would not be affected by the size of the data - as GnuPG |
| 144 |
> signs a hash of the data only. |
| 145 |
> |
| 146 |
> There are 11k packages in the tree now, and if we assume 2 signatures per |
| 147 |
> package for the moment, that's ~40 seconds to verify the entire tree (assuming |
| 148 |
> no other bottlenecks, which is completely unreasonable) with RSA4096 on a |
| 149 |
> slower machine. |
| 150 |
> |
| 151 |
> For the question of key length - I ask the security folk - what do you consider |
| 152 |
> reasonable without being paranoid? |
| 153 |
> |
| 154 |
> <opinion> |
| 155 |
> It's pretty obvious in this, that RSA is slow for signing, but fast for |
| 156 |
> verifying. Unless we have a specific need for high speed signing, I'd suggest |
| 157 |
> we go with RSA. |
| 158 |
> </opinion> |
| 159 |
> |
| 160 |
> Location of the cryptokey: |
| 161 |
> -------------------------- |
| 162 |
> If we require that a Gentoo developer has a primary key for that is used for |
| 163 |
> signing, we lose the ability to add web of trust to our system later. |
| 164 |
> |
| 165 |
> Additionally, if the developer uses the singular primary key for a lot of |
| 166 |
> stuff, it is more vulnerable to attack. |
| 167 |
> |
| 168 |
> <opinion> |
| 169 |
> Instead, the developer should create a subkey that is used for signing Gentoo |
| 170 |
> work only. They should not sign anything else with this, including their Gentoo |
| 171 |
> email. |
| 172 |
> |
| 173 |
> They may have an additional subkey for signing their Gentoo email if they wish. |
| 174 |
> </opinion> |
| 175 |
> |
| 176 |
> Q: What are the potential downsides to this? |
| 177 |
> A: There are some older keyservers out there that do not correctly deal with |
| 178 |
> subkeys - but this should not affect us as we are intending to distribute |
| 179 |
> public cryptokeys ourselves. |
| 180 |
> |
| 181 |
> Choosing cryptokey expiry times: |
| 182 |
> -------------------------------- |
| 183 |
> GnuPG and the OpenPGP standard in general allow you to change the expiry date |
| 184 |
> on a cryptokey, after it is created. With that in mind, what does it having an |
| 185 |
> expired cryptokey imply: |
| 186 |
> 1. GnuPG will not use that cryptokey for new creation actions (sign/encrypt/certify). |
| 187 |
> 2. GnuPG will correctly validate/decrypt anything signed/encrypted by that |
| 188 |
> cryptokey, provided that the data timestamp is older than the key expiry |
| 189 |
> timestamp. |
| 190 |
> |
| 191 |
> #1 is a logical behavior. |
| 192 |
> #2 protects us when data hasn't changed for a long time - but we have to be |
| 193 |
> careful about accurate timestamps (evil can get in here). |
| 194 |
> |
| 195 |
> Q: What do we actually gain from expiry times in encryption setups? |
| 196 |
> A: It would indicate to others which key to use. |
| 197 |
> |
| 198 |
> Q: What do we actually gain from expiry times in data signing setups? |
| 199 |
> A: Marginal protection against attacks from large datasets that might allow |
| 200 |
> compromise of the key, but only by encouraging us to have multiple keys over |
| 201 |
> time. Is this really a concern? No, we aren't signing large amounts of data. |
| 202 |
> |
| 203 |
> Q: Is there anything else we gain from expiry times? |
| 204 |
> A: Yes. If a practice of using medium-term expiry times, and updating them |
| 205 |
> regularly is undertaken, the keys provide an indication of who is still paying |
| 206 |
> attention. |
| 207 |
> |
| 208 |
> <opinion> |
| 209 |
> For the last reason alone, expiry times are worthwhile, and I would like to |
| 210 |
> suggest that a period of 6 months is used. |
| 211 |
> </opinion> |
| 212 |
> |
| 213 |
> Revocating of cryptokeys also has the same implications as an expired |
| 214 |
> cryptokey, with the exception that you cannot under a revocation. |
| 215 |
> |
| 216 |
> Other validity elements: |
| 217 |
> ------------------------ |
| 218 |
> Now we lead into some more complex areas. Beyond cryptokey expiry dates, there |
| 219 |
> are several other methods for key validity. Of primary importance to us are uid |
| 220 |
> signatures. |
| 221 |
> |
| 222 |
> UID signatures: |
| 223 |
> --------------- |
| 224 |
> As I wrote last year, these may take several forms. |
| 225 |
> We are concerned with several properties that they may have: |
| 226 |
> |
| 227 |
> Expiry dates of signatures: |
| 228 |
> Unlike expiry dates of cryptokeys, these may not be changed - by default, they |
| 229 |
> take on the expiry date of the certifying cryptokey, although a lower value may be |
| 230 |
> set. If you have an existing signature that has expired, you need to get your |
| 231 |
> uid signed again. |
| 232 |
> |
| 233 |
> Revocation of signatures: |
| 234 |
> A signature may be revoked by the certifying cryptokey only. |
| 235 |
> (TODO: need to check that the same rules of validity apply here). |
| 236 |
> |
| 237 |
> Trust markings: |
| 238 |
> This is not of immediate concern, but instead offers future options for the |
| 239 |
> very paranoid portion of our userbase. They can implement things like only |
| 240 |
> trusting a specific web-of-trust of developers. |
| 241 |
> |
| 242 |
> Using UID signatures: |
| 243 |
> --------------------- |
| 244 |
> Q: How can we use signatures to our advantage, for the hybrid or complex schemes? |
| 245 |
> 1. Take the master key as defined by the 'Simple' proposal. |
| 246 |
> 2. Use it to create uid signatures to each trusted developer key. |
| 247 |
> 3. In verifying, designate said master key as the top level of trust (this is |
| 248 |
> the same as the simple scheme), and verify all file signatures by developers |
| 249 |
> as you go along. |
| 250 |
> |
| 251 |
> This schema is extensible to N master keys, by telling GnuPG that it |
| 252 |
> needs signatures from M masters before data is considered trusted. |
| 253 |
> |
| 254 |
> Revoking keys: |
| 255 |
> -------------- |
| 256 |
> <opinion> |
| 257 |
> When a developer leaves Gentoo, he should not revoke the subkey used to |
| 258 |
> sign (indeed, he may not be able to, think being hit by a bus). |
| 259 |
> Instead, any signatures made by a valid master key should be revoked. |
| 260 |
> This ensure control remains in the hands of the keymasters (infra, devrel, |
| 261 |
> whoever). |
| 262 |
> </opinion> |
| 263 |
> |
| 264 |
> Summary: |
| 265 |
> ----------- |
| 266 |
> This is a brief summary of the suggestions and choices above. |
| 267 |
> This summary outline is assuming a model such as the hybrid or complex |
| 268 |
> models. |
| 269 |
> |
| 270 |
> - Each developer shall have a GnuPG key. |
| 271 |
> - Each developer key shall contain at least one uid, with name and Gentoo email |
| 272 |
> address of the developer. |
| 273 |
> - Each developer must create a secondary cryptokey with the following |
| 274 |
> parameters (designated as their Gentoo signing cryptokey): |
| 275 |
> Key Type: RSA |
| 276 |
> Key Length: 2048 or 4096 |
| 277 |
> Expiry time: Set at 6 months out |
| 278 |
> Usage: Marked as signing only. |
| 279 |
> - Each developer shall regularly update the expiry time (GnuPG enforces |
| 280 |
> this) of the cryptokey, keeping it no further than 6 months ahead of |
| 281 |
> the present date, except where otherwise decided. |
| 282 |
> - Each developer should have a revocation certificate for their key, and |
| 283 |
> store two copies in a secure offline location (I suggest two CD-RWs, |
| 284 |
> of different brands, stored in separate locations, refreshed every 6 |
| 285 |
> months, but floppy disks would work as well). |
| 286 |
> - Each developer will sign all of their commits with their Gentoo |
| 287 |
> signing cryptokey only. They should not sign anything else, nor use |
| 288 |
> other cryptokeys for signing Gentoo commits. |
| 289 |
> - (Optional, for those creating new keys only) a best practice would be |
| 290 |
> to have a primary key that is marked as certifying only. |
| 291 |
> |
| 292 |
> (This part here needs more discussion, which may end up that N=1 is |
| 293 |
> valid). |
| 294 |
> - There will be N master keys. |
| 295 |
> - A master key will have a secondary cryptokey conforming to the same |
| 296 |
> requirements as the developer Gentoo signing cryptokey. |
| 297 |
> - A master key will certify all Gentoo developer keys on a regular |
| 298 |
> basis. This can be done on 4 month intervals safely, with once-off |
| 299 |
> events to sign keys of incoming developers, or other special cases. |
| 300 |
> - When a developer leaves, the certification on their key shall be |
| 301 |
> revoked. |
| 302 |
> - Both infra and the council should hold the revocation control for a |
| 303 |
> master key in some way so that cooperation is needed to actually revoke |
| 304 |
> a master key. |
| 305 |
> |
| 306 |
> (For future stuff:) |
| 307 |
> For performing releases of Gentoo (releng), a designated key be used, |
| 308 |
> and be certified by the master key. |
| 309 |
> |
| 310 |
> Outstanding points: |
| 311 |
> ------------------- |
| 312 |
> - Discussion of how the keymaster(s) should operate to maintain the |
| 313 |
> keyring. |
| 314 |
> |
| 315 |
-- |
| 316 |
Ned Ludd <solar@g.o> |
| 317 |
Gentoo Linux |
| 318 |
|
| 319 |
-- |
| 320 |
gentoo-dev@g.o mailing list |
Archives