On Thu, 2019-04-25 at 07:32 -0400, Rich Freeman wrote:

> The intent of the separate primary key is to reduce the risk of it
> being compromised by keeping it offline. However, if it were
> generated on a smartcard it would exclusively be maintained
> offline, so it is counterproductive to require that it be generated
> online and then recommend that it be kept offline after this.
> Additionally this key needs to be brought back online anytime the key
> expiration is updated, which is at least annually.

You seem to be using 'offline' in two different meanings here. Yes,
a smartcard technically prevents the PC from *reading* the secret key
material. However, it isn't really 'offline' as the PC can *use*
the secret key material.

In the scenario of Gentoo development, the primary use of the 'signing
slot' key is to sign commits, pushes and messages, a lot. This means
that for practical reasons you need to disable 'forcesig', or you'll
have to repeatedly enter the PIN for every commit made, for every message
sent and twice for every push. If you include the extra delay due to
that, and the necessity of rebasing, you may end up being unable to
commit otherwise.

Now, the smartcard can't (or doesn't -- I haven't looked into
the details) distinguish the signing usage vs certification usage.
In other words, once you unlock the key e.g. to sign a commit, any
program can freely use the card to sign any key or subkey, without even
raising your suspicion.

To summarize, there is still a major benefit to keeping the primary key
offline -- as in, not normally accessible to the system. Whether you do
it via keeping the key on an offline system, on a dedicated smartcard
that is normally disconnected or in a dedicated smartcard slot that
requires a PIN for *every* certification made, doesn't matter that much.
However, when you open it to direct abuse when using it to sign commits,
it is not 'offline'.

--
Best regards,
Michał Górny
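The layout the message argues for (primary key not reachable from the development machine, signing subkey on a card, and, for a card that holds a certification-capable key, the PIN required for every operation) can be checked from GnuPG's own listings. The following is an added shell example written for this page; it is not code from the thread or from Gentoo's tooling. It assumes the documented record layout of `gpg --with-colons --list-secret-keys` (field 15 of a `sec`/`ssb` record is `#` for a stub whose secret part is absent, a token serial number when the secret lives on a card, and empty or `+` when it is on disk) and the `Signature PIN ....: forced` / `not forced` line of `gpg --card-status`. Both sample outputs are constructed; the key IDs, fingerprint, serial number and user ID are placeholders.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): audit a GnuPG setup
# for the layout discussed above -- primary (certify) key present only as
# a stub, subkeys on a smartcard, and the card's "Signature PIN" forced so
# that every signature asks for the PIN again.
#
# Inputs are the text of `gpg --with-colons --list-secret-keys` and
# `gpg --card-status`. Both samples below are CONSTRUCTED placeholders.

SAMPLE_COLONS='sec:u:4096:1:0123456789ABCDEF:1556175120:1587711120::u:::cESCA:::#:::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF:
uid:u::::1556175120::ABCDEF0123456789ABCDEF0123456789ABCDEF01::Example Dev <dev@example.org>::::::::::0:
ssb:u:4096:1:FEDCBA9876543210:1556175120:1587711120:::::s:::D2760001240102010006123456780000:::23:
ssb:u:4096:1:0011223344556677:1556175120:1587711120:::::e:::D2760001240102010006123456780000:::23:
ssb:u:4096:1:8899AABBCCDDEEFF:1556175120:1587711120:::::a:::D2760001240102010006123456780000:::23:'

SAMPLE_CARD='Application ID ...: D2760001240102010006123456780000
Serial number ....: 12345678
Signature PIN ....: not forced
Key attributes ...: rsa4096 rsa4096 rsa4096
Signature counter : 42'

# Where the primary secret key lives, judged from field 15 of the `sec`
# record: "#" = stub (offline), empty or "+" = on disk, anything else is
# the serial number of the token holding it.
primary_key_location() {
    printf '%s\n' "$1" | awk -F: '$1 == "sec" {
        if ($15 == "#") print "offline";
        else if ($15 == "" || $15 == "+") print "on-disk";
        else print "on-card";
        exit }'
}

# Subkeys whose secret part is NOT on a token, as capability:keyid lines.
subkeys_not_on_card() {
    printf '%s\n' "$1" | awk -F: '$1 == "ssb" && ($15 == "" || $15 == "#" || $15 == "+") {
        print $12 ":" $5 }'
}

# "forced" or "not forced" from the card status (the state of `forcesig`).
card_signature_pin() {
    printf '%s\n' "$1" | sed -n 's/^Signature PIN \.*: *//p'
}

# Returns 0 when all three properties hold; otherwise prints each finding
# and returns 1.
audit_key_layout() {
    colons=$1
    card=$2
    ok=0
    case $(primary_key_location "$colons") in
        offline) ;;
        *) echo "primary key secret is reachable from this host"; ok=1 ;;
    esac
    missing=$(subkeys_not_on_card "$colons")
    if [ -n "$missing" ]; then
        echo "subkeys not on a token: $missing"
        ok=1
    fi
    if [ "$(card_signature_pin "$card")" != "forced" ]; then
        echo "card does not force the PIN per signature (forcesig off)"
        ok=1
    fi
    return $ok
}

# Demo on the constructed samples: primary offline, all subkeys on the
# card, but forcesig off, so the audit reports exactly that.
audit_key_layout "$SAMPLE_COLONS" "$SAMPLE_CARD" || echo "audit: FAIL"
```

The `forcesig` finding is the trade-off the message describes: on a card used only for commit signing you will usually leave it off for usability, and the audit then tells you that the card is not 'offline' in the sense that matters for certification. The state is toggled interactively with `gpg --card-edit`, then `admin`, then `forcesig`. A primary key that has been exported and removed from the machine shows up as `sec#` in the normal listing, which is the `#` in field 15 this script keys on.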