1 |
On Tue, Mar 23, 2004 at 02:12:13PM +0100, Paul de Vrieze wrote: |
2 |
> -----BEGIN PGP SIGNED MESSAGE----- |
3 |
> Hash: SHA1 |
4 |
> |
5 |
> On Tuesday 23 March 2004 13:21, Kurt Lieber wrote: |
6 |
> > On Tue, Mar 23, 2004 at 03:11:47AM -0800 or thereabouts, Robin H. |
7 |
> Johnson wrote: |
8 |
> > > I wrote up a functional prototype patch Mon, 8 Dec 2003 and mailed |
9 |
> > > it to gentoo-core when a discussion on the subject was in progress. |
10 |
> > > This is the ONLY code I've seen produced by anybody on the subject |
11 |
> > > of GPG signing to date. |
12 |
> > |
13 |
> > rac also had a proof-of-concept working. However, as I understand it, |
14 |
> > the issues preventing this from becoming a reality are not technical |
15 |
> > in nature, but more process and policy oriented. Quite frankly, I |
16 |
> > think the only issue standing between us and getting this implemented |
17 |
> > is having the Portage folks deem this as an important project and |
18 |
> > prioritize it accordingly. |
19 |
> |
20 |
> Ok, the biggest problem is an idea for how the actual checking should |
21 |
> function. (Signing is straightforward). |
22 |
> |
23 |
> I'll take a first shot at describing a key chain idea. Please shoot at it |
24 |
> and try to find the holes. But remember it needs to stay workable. First |
25 |
> the premises: |
26 |
> |
27 |
> - - All developers should be able to sign with their own key |
28 |
> - - We can register the keys of the developers before allowing them |
29 |
> - - We don't necessarilly (want to/can) sign the keys of all the developers |
30 |
> - - The system is gentoo-specific so we can implement custom systems. |
31 |
> - - A root key should be kept safe. |
32 |
> |
33 |
> What do I propose: |
34 |
> - - one master key whose public key is put on every cd. It should be signed |
35 |
> by as many people as possible and also put on a ssl protected website |
36 |
> with a real certificate (payed for). |
37 |
> - - a signing key. This key is signed by the master key and is rotated on a |
38 |
> regular basis (say once a month). The public key is put in the portage |
39 |
> tree. |
40 |
> - - The signing key is used for signing a list of the fingerprints/public |
41 |
> keys of all developers with ebuild commit privileges. |
42 |
> - - After an rsync all signatures for packages with changes are checked. |
43 |
> This will first check the signing key based on the known master key |
44 |
> (which should change as little as possible and be kept very secure). |
45 |
> It also verifies that the signing key is not too old. This is important |
46 |
> so that compromise of the signing key will be less of a security issue |
47 |
> even when it is not possible to get the revokation of the key to all |
48 |
> users. |
49 |
> Then it will verify that the list of developer keys is valid based on |
50 |
> the signing key. |
51 |
> Next it will check that the signature file for this package is correct |
52 |
> and validates that the key used for signing this signature is in the |
53 |
> list of acceptable keys. |
54 |
> If the package is found to be invalid we could start with removing the |
55 |
> package from the repository. |
56 |
> - - As the checking is done post-rsync there is no problem with infrequent |
57 |
> rsync-ing. |
58 |
> |
59 |
> note: |
60 |
> *) alternatively there could be a key between the signing key and the |
61 |
> master key, this root key could have a one month rotation. Then this |
62 |
> root key could be used to have a daily generated signing key. |
63 |
> |
64 |
> The disadvantage is that the root key and signing key would be |
65 |
> passphraseless to allow for automatic signing of either the signing |
66 |
> key and the dev key list. (assuming that manually entering keyphrases |
67 |
> daily is too much) |
68 |
> |
69 |
> *) It might be possible to keep the passphrase for the daily signing |
70 |
> key in memory (or even the whole secret part, which would mean |
71 |
> that changes in developer keys would only be visible with a one |
72 |
> day delay (max) or manual regeneration of a signing key) |
73 |
> |
74 |
> Paul |
75 |
|
76 |
While this is being discussed, I think it would be a very good idea to |
77 |
investigate the KeyMan project (http://keyman.aldigital.co.uk/) which |
78 |
was designed by one of the core openSSL guys as a means for doing |
79 |
distribution signing (it was originally written as a solution for the |
80 |
apache folks). Ben Laurie (the openSSL guy) is willing (and excited) to |
81 |
help implement using KeyMan for the signing. It already has a system of |
82 |
"domains" and "subdomains" in which keys are valid, etc, etc. |
83 |
|
84 |
He's willing to port to python (it's in perl now) and would probably be |
85 |
very proactive in this work. If people are interested, I can get him in |
86 |
touch with the right people or vice versa. |
87 |
|
88 |
-pete |
89 |
|
90 |
> |
91 |
> - -- |
92 |
> Paul de Vrieze |
93 |
> Gentoo Developer |
94 |
> Mail: pauldv@g.o |
95 |
> Homepage: http://www.devrieze.net |
96 |
> -----BEGIN PGP SIGNATURE----- |
97 |
> Version: GnuPG v1.2.4 (GNU/Linux) |
98 |
> |
99 |
> iD8DBQFAYDetbKx5DBjWFdsRArC0AJ989ls+w+RszK7FazB0I8hq9//swQCg2BUA |
100 |
> sXkzItayvUSKux+/rfHFx1w= |
101 |
> =N+pp |
102 |
> -----END PGP SIGNATURE----- |
103 |
> |
104 |
> -- |
105 |
> gentoo-dev@g.o mailing list |
106 |
> |
107 |
|
108 |
-- |
109 |
Peter Johanson |
110 |
<latexer@g.o> |
111 |
|
112 |
Key ID = 0x6EFA3917 |
113 |
Key fingerprint = A90A 2518 57B1 9D20 9B71 A2FF 8649 439B 6EFA 3917 |