| 1 |
On Thu, Apr 25, 2019 at 4:34 PM James Le Cuirot <chewi@g.o> wrote: |
| 2 |
> |
| 3 |
> On Thu, 25 Apr 2019 11:30:27 -0400 |
| 4 |
> Alec Warner <antarus@g.o> wrote: |
| 5 |
> |
| 6 |
> > > Seeing as separating the primary and the signing key has been part of |
| 7 |
> > > OpenPGP best practices for a long, long time, I have got highly mixed |
| 8 |
> > > feelings about this statement. On the one hand, it is not reasonable to |
| 9 |
> > > expect someone with no or minimal prior knowledge of OpenPGP to master |
| 10 |
> > > it overnight. On the other, we are not just some random people from Teh |
| 11 |
> > > Intarwebz and we *have* been using OpenPGP signatures on commits for |
| 12 |
> > > quite a while now. |
| 13 |
> > > |
| 14 |
> > |
| 15 |
> > This is untrue though; we *are* random people from teh interwebs. |
| 16 |
> > |
| 17 |
> > I store my primary key on my desktop. |
| 18 |
> > I don't have copies of my primary key. |
| 19 |
> > My primary key is protected by a passphrase. |
| 20 |
> > Most of the time its cached in gpg-agent, so the passphrase is easily |
| 21 |
> > stealable by local attackers. |
| 22 |
> > I've been a dev for like > 10 years. |
| 23 |
> > |
| 24 |
> > I assume that every other dev does the same. Obviously some do not (and |
| 25 |
> > I've spoken to many who have better practices) but I assume |
| 26 |
> > people do the lazy / easy thing and I highly recommend this assumption. If |
| 27 |
> > you assume that people have your security practices, you should prepare to |
| 28 |
> > be disappointed. |
| 29 |
> > |
| 30 |
> > Many devs have *no idea* how GPG works. |
| 31 |
> > GPG is quite possibly the worst program I've even been forced to use in |
| 32 |
> > terms of doing any operation, particularly around setup (hmm maybe Imation |
| 33 |
> > Ironkeys were worse?) |
| 34 |
> > Many devs are just following the wiki instructions and get what they get. |
| 35 |
> |
| 36 |
> I can sort of echo this. I believe I'm close to the recommendations now |
| 37 |
> but it took me several evenings to actually wrap my head around all |
| 38 |
> this and even then, I still felt very nervous setting it up and I had |
| 39 |
> to rehearse it beforehand. As a professional software engineer for many |
| 40 |
> years, it really shouldn't be this hard. People talk about GPG best |
| 41 |
> practices but it was really difficult to find a reliable update-to-date |
| 42 |
> guide and it certainly doesn't feel like best practise when you have to |
| 43 |
> manually delete ~/.gnupg/private-keys-v1.d/KEYGRIP.key, where KEYGRIP |
| 44 |
> is returned by the obscure --with-keygrip option. |
| 45 |
|
| 46 |
I think a big problem is that gpg is sorely lacking in command line |
| 47 |
commands/options for key management. Almost anything having to do |
| 48 |
with key management involves a back-and-forth console interaction. |
| 49 |
|
| 50 |
This means that you can't just tell somebody to run "gpg --long --list |
| 51 |
--of --options" and have it just do the right thing. You also can't |
| 52 |
script anything unless you feed input or even worse use something like |
| 53 |
expect. Some of the guides I've seen require editing config files |
| 54 |
because presumably these options can't be set on the command line. |
| 55 |
|
| 56 |
I completely get what asymmetric crypto is. It is just a royal PITA |
| 57 |
to actually get gpg to do something very specific like have a separate |
| 58 |
signing key without pouring through manpages. Generating a key with |
| 59 |
the default options is easy, but after that you're on your own |
| 60 |
largely. |
| 61 |
|
| 62 |
Oh sure, once you know how to do it then it isn't a big deal. Until |
| 63 |
you have to do it again because you don't generate new gpg keys every |
| 64 |
other week... |
| 65 |
|
| 66 |
-- |
| 67 |
Rich |
Archives