Gentoo Archives: gentoo-dev

From: "Michał Górny" <mgorny@g.o>
To: gentoo-dev@l.g.o
Subject: Re: [gentoo-dev] [PATCH] glep-0063: Allow a single primary/signing key for smartcards
Date: Thu, 25 Apr 2019 13:03:25
Message-Id: a8c29ae8464c6112595b15bd9c5737f92fe27c15.camel@gentoo.org
In Reply to: [gentoo-dev] [PATCH] glep-0063: Allow a single primary/signing key for smartcards by Rich Freeman
1 On Thu, 2019-04-25 at 07:32 -0400, Rich Freeman wrote:
2 > The intent of the separate primary key is to reduce the risk of it
3 > being compromised by keeping it offline. However, if it were
4 > generated on a smartcard it would be exclusively be maintained
5 > offline, so it is counterproductive to require that it be generated
6 > online and then recommend that it be kept offline after this.
7 > Additionally this key needs to be brought back online anytime the key
8 > expiration is updated, which is at least annually.
9
10 You seem to be using 'offline' in two different meanings here. Yes,
11 smartcard technically prevents the PC from *reading* the secret key
12 material. However, it isn't really 'offline' as the PC can *use*
13 the secret key material.
14
15 In the scenario of Gentoo development, the primary use of the 'signing
16 slot' key is to sign commits, pushes and messages, a lot. This means
17 that for practical reasons you need to disable 'forcesig', or you'll
18 have to repeatedly enter PIN for every commit made, for every message
19 sent and twice for every push. If you include the extra delay due to
20 that, and the necessity of rebasing, you may end up being unable to
21 commit otherwise.
22
23 Now, the smartcard can't (or doesn't -- I haven't looked into
24 the details) distinguish the signing usage vs certification usage.
25 In other words, once you unlock the key e.g. to sign a commit, any
26 program can freely use the card to sign any key or subkey, without even
27 raising your suspicion.
28
29 To summarize, there is still a major benefit to keeping the primary key
30 offline -- as in, not normally accessible to the system. Whether you do
31 it via keeping the key on an offline system, on a dedicated smartcard
32 that is normally disconnected or in a dedicated smartcard slot that
33 requires PIN for *every* certification made, doesn't matter that much.
34 However, when you open it to direct abuse when using it to sign commits,
35 it is not 'offline'.
36
37 --
38 Best regards,
39 Michał Górny

Attachments

File name MIME type
signature.asc application/pgp-signature