| 1 |
On Wed, Apr 24, 2019 at 11:57 AM Kristian Fiskerstrand <k_f@g.o> wrote: |
| 2 |
> |
| 3 |
> On 4/24/19 4:19 PM, Rich Freeman wrote: |
| 4 |
> > If it is the case that Nitrokeys can't support a separate primary key, |
| 5 |
> > I'd suggest modifying the GLEP to remove that requirement when a |
| 6 |
> > smartcard is in use. Its main purpose is to keep a key component |
| 7 |
> > offline, and if the key is generated on the card that is already |
| 8 |
> > accomplished. Maybe somebody has a suggestion for how to make the two |
| 9 |
> > work together, otherwise I'll go ahead and suggest a GLEP revision for |
| 10 |
> > the next Council meeting. |
| 11 |
> |
| 12 |
> |
| 13 |
> The GLEP should not be changed on the requirement for distinct signing |
| 14 |
> subkey, this is one of the expected results of it to begin with. |
| 15 |
|
| 16 |
So, I intend to propose this. Council is welcome to vote it down. |
| 17 |
However, I'm really interested in what the concern is here. |
| 18 |
|
| 19 |
The only reason to have a separate primary key is to have an offline |
| 20 |
copy, but it is not a current requirement that it be kept offline, and |
| 21 |
I suspect that 99% of devs won't keep it offline, and of course there |
| 22 |
is no way to verify if this is being done anyway. |
| 23 |
|
| 24 |
So, maintaining this requirement with a Nitrokey means that we in |
| 25 |
reality have the primary key online most of the time, when if it were |
| 26 |
the same as the signing key then both would be offline in the |
| 27 |
Nitrokey. This requirement effectively makes the key less secure in |
| 28 |
practice. It doesn't matter if the signing key is safely stored in |
| 29 |
the Nitrokey if somebody can steal the primary key, since they can |
| 30 |
just create a new signing key at will. Also, by generating the key |
| 31 |
outside the Nitrokey it is exposed to a far higher risk of compromise. |
| 32 |
|
| 33 |
At best for the 1% of devs who would actually keep the primary key |
| 34 |
offline then this achieves the same level of security you have with |
| 35 |
the Nitrokey anyway, which always keeps its keys offline |
| 36 |
(effectively). The only exception to this would be an exploit in the |
| 37 |
Nitrokey, which seems like a pretty low risk. And of course it is |
| 38 |
only a risk when the Nitrokey is plugged in, and the intent would be |
| 39 |
for devs to only plug it in when working on commits. In any case, I |
| 40 |
think it is far more likely that somebody generating keys using |
| 41 |
software has a rooted box than somebody is going to come up with a way |
| 42 |
to extract keys from a Nitrokey. |
| 43 |
|
| 44 |
Now, I think it is a great best practice which we should support for |
| 45 |
anybody who wants to have their offline key-generation machine they |
| 46 |
keep in a vault or whatever. And by all means require the additional |
| 47 |
key when using keys not generated on a Nitrokey. As to how you can |
| 48 |
tell which are which, I'd simply point out that you can't tell if keys |
| 49 |
are being stored offline or not, so really your risk is unchanged in |
| 50 |
taking devs at their word. |
| 51 |
|
| 52 |
I think most companies issuing these sorts of tokens to users would |
| 53 |
generate their keys on the tokens for these very reasons. The reason |
| 54 |
they're using these hardware tokens is because they know that users in |
| 55 |
practice will not take extraordinary care to protect keys, and the |
| 56 |
token provides a similar level of security with very little |
| 57 |
inconvenience. Really the only thing we're missing with the Nitrokey |
| 58 |
is some form of attestation to ensure the keys are in fact generated |
| 59 |
on the device. |
| 60 |
|
| 61 |
-- |
| 62 |
Rich |
Archives