1 |
--- |
2 |
glep-0063.rst | 129 ++++++++++++++++++++++++++++++++++++++++++++++++++ |
3 |
1 file changed, 129 insertions(+) |
4 |
|
5 |
diff --git a/glep-0063.rst b/glep-0063.rst |
6 |
index e40ddd3..cab52b0 100644 |
7 |
--- a/glep-0063.rst |
8 |
+++ b/glep-0063.rst |
9 |
@@ -132,6 +132,122 @@ of the fingerprint field. In any place that presently displays |
10 |
the "``gpgkey``" field, the last 16 hex digits of the fingerprint should |
11 |
be displayed instead. |
12 |
|
13 |
+Rationale |
14 |
+========= |
15 |
+ |
16 |
+Foreword |
17 |
+-------- |
18 |
+ |
19 |
+This policy aims to provide a good set of OpenPGP usage policies both |
20 |
+to protect Gentoo resources from unauthorized access and to protect developer |
21 |
+identities from being spoofed. The former is significant since it could |
22 |
+be used to deliver malicious content to Gentoo users; the latter because |
23 |
+it could be used to damage the reputation of Gentoo. |
24 |
+ |
25 |
+Separate signing subkey |
26 |
+----------------------- |
27 |
+ |
28 |
+The specification requires that a separate subkey is used for signing. This |
29 |
+is a subset of more general recommendation of using the primary key only for |
30 |
+the purpose of important key operations and storing it offline, while using |
31 |
+separate subkeys for day-to-day operations. |
32 |
+ |
33 |
+The main purpose of this is to reduce the attack surface. By reducing the use |
34 |
+of primary key and keeping it offline, the risk of attacks against it is |
35 |
+reduced. If the attacker manages to compromise the developer's keyring, only |
36 |
+subkeys are compromised and the developer can revoke them without having |
37 |
+the whole key compromised. |
38 |
+ |
39 |
+Furthermore, the specification requires separate subkeys for different |
40 |
+purposes. This is a generally agreed on practice (e.g. GnuPG defaults to |
41 |
+using a separate encryption key) aiming to further reduce the attack surface. |
42 |
+Kristian Fiskerstrand points out e.g. it is technically possible to obtain |
43 |
+a valid signature over crafted data while using the subkey for purposes |
44 |
+of authorization [#COUNCIL-MEETING-20180729]_. |
45 |
+ |
46 |
+Revocation certificate |
47 |
+---------------------- |
48 |
+ |
49 |
+The specification recommends the best practice of storing a copy |
50 |
+of the revocation certificate off site. A common recommendation is to have |
51 |
+the ASCII-armored version of the certificate printed on paper, to protect |
52 |
+against hardware failures (but beware that print servers may store a copy |
53 |
+of the data!). |
54 |
+ |
55 |
+The goal of the revocation certificate is to provide the developer with |
56 |
+ability to revoke the key in case the access to it is lost, e.g. due to |
57 |
+hardware damage combined with lack of backups, major events resulting |
58 |
+in backups being destroyed as well, or more importantly in the event |
59 |
+of hardware being stolen or lost. |
60 |
+ |
61 |
+Key algorithm and length |
62 |
+------------------------ |
63 |
+ |
64 |
+The choice of key algorithm and length defines the resistance of the key |
65 |
+against brute-force attacks. |
66 |
+ |
67 |
+Originally, the specification permitted using DSA keys. However, there is no |
68 |
+compelling reason to continue using DSA. According to the GnuPG FAQ, RSA has |
69 |
+much wider support in smart-card solutions [#GNUPG-FAQ-11-1]_. Furthermore, |
70 |
+the RFC 4880bis draft removes the requirement of DSA support in clients favor |
71 |
+of obligatory RSA (and ECDSA) support [#RFC4880bis]_. |
72 |
+ |
73 |
+The RSA algorithm is recommended as it is considered secure at the moment |
74 |
+and provides for the best interoperability. The 2048-bit key length |
75 |
+is considered sufficiently secure for all our uses. Historically, this |
76 |
+specification recommended 4096-bit keys. However, while longer keys are still |
77 |
+permitted, they are no longer recommended as they give little in regards |
78 |
+to security, yet are capable of causing performance problems, especially |
79 |
+when using external hardware [#GNUPG-FAQ-11-4]_. |
80 |
+ |
81 |
+Additionally, elliptic curve algorithms using Curve 25519 are allowed. |
82 |
+However, they are not recommended due to compatibility concerns |
83 |
+(in particular, not being supported by GnuPG prior to 2.1). |
84 |
+The remaining curves supported by GnuPG (and appropriately listed |
85 |
+in RFC 4880bis draft) are not allowed since there are concerns about safety |
86 |
+of those curves [#SAFECURVES]_. |
87 |
+ |
88 |
+Key expiration |
89 |
+-------------- |
90 |
+ |
91 |
+It is important to note that the expiration dates as required by this |
92 |
+specification are not to be conflated with key rotation. This specification |
93 |
+does not enforce any specific key rotation scheme; expiration serves purely |
94 |
+the purpose of requiring periodic prolongation. |
95 |
+ |
96 |
+This policy serves two purposes. Firstly, it provides a last fallback option |
97 |
+in the event of access to the secret keys being lost and there being |
98 |
+no possibility of revoking them. In this case, the keys eventually expire |
99 |
+and users can clearly see that they are no longer being used. Secondly, it |
100 |
+ensures that the developers periodically confirm their access to the primary |
101 |
+key. |
102 |
+ |
103 |
+The expiration period has been chosen as a matter of compromise between being |
104 |
+secure and causing major trouble to developers keeping keys in secure vaults. |
105 |
+The period of 900 days represents the baseline of 2 years with roughly half |
106 |
+a year grace period for extending the expiration date early. Specifying it |
107 |
+in days makes it possible to automatically verify it without having to account |
108 |
+for different lengths of year. |
109 |
+ |
110 |
+Additionally, the specification requires renewing the key at least two weeks |
111 |
+before expiration. This is meant to provide the developers early notice |
112 |
+of upcoming expiration and provide time for both the users and Gentoo |
113 |
+Infrastructure to refresh keys. |
114 |
+ |
115 |
+Key distribution |
116 |
+---------------- |
117 |
+ |
118 |
+The specification requires that the key used by the developer includes his |
119 |
+@g.o e-mail address in one of the UIDs, and the key is uploaded |
120 |
+to the SKS keyservers. This ensures that the developer keys can easily |
121 |
+be found by the users. Furthermore, the latter is also necessary |
122 |
+for the Gentoo Infrastructure to fetch the key and its updates. |
123 |
+ |
124 |
+Currently the specification does not specify establishing a Web of Trust |
125 |
+between Gentoo developers. While this is generally a good recommendation, it |
126 |
+is not considered possible for all developers to be actually able to meet |
127 |
+other developers, and no other solution has been agreed on so far. |
128 |
+ |
129 |
Backwards Compatibility |
130 |
======================= |
131 |
|
132 |
@@ -160,6 +276,19 @@ References |
133 |
.. [#GNUPG-FAQ-11-4] GnuPG FAQ: Why doesn’t GnuPG default to using RSA-4096? |
134 |
(https://www.gnupg.org/faq/gnupg-faq.html#no_default_of_rsa4096) |
135 |
|
136 |
+.. [#COUNCIL-MEETING-20180729] Gentoo Council 2018-07-29 meeting log |
137 |
+ (https://projects.gentoo.org/council/meeting-logs/20180729.txt) |
138 |
+ |
139 |
+.. [#GNUPG-FAQ-11-1] GnuPG FAQ: Which ciphers are recommended, and why? |
140 |
+ (https://www.gnupg.org/faq/gnupg-faq.html#recommended_ciphers) |
141 |
+ |
142 |
+.. [#RFC4880bis] OpenPGP Message Format; draft-ietf-openpgp-rfc4880bis-05 |
143 |
+ (https://tools.ietf.org/id/draft-ietf-openpgp-rfc4880bis-05.txt) |
144 |
+ |
145 |
+.. [#SAFECURVES] Daniel J. Bernstein, Tanja Lange. SafeCurves: choosing |
146 |
+ safe curves for elliptic-curve cryptography (as of 2018-08-04) |
147 |
+ (https://safecurves.cr.yp.to/) |
148 |
+ |
149 |
.. [#DEVMANUAL-MANIFEST] Gentoo Development Guide: Manifest |
150 |
(http://devmanual.gentoo.org/general-concepts/manifest/index.html) |
151 |
|
152 |
-- |
153 |
2.18.0 |