1 |
On Thu, Apr 25, 2019 at 7:58 AM Marek Szuba <marecki@g.o> wrote: |
2 |
|
3 |
> On 2019-04-24 20:34, Rich Freeman wrote: |
4 |
> |
5 |
> > The only reason to have a separate primary key is to have an offline |
6 |
> > copy, |
7 |
> |
8 |
> Not quite. First and foremost, you don not want to have an offline copy |
9 |
> of the primary private key - you want to have the primary ENTIRELY |
10 |
> offline. Secondly, the reason for that is not (just) to have a backup |
11 |
> but that the primary private key gives you virtually unlimited control. |
12 |
> Create pretty much any number of additional subkeys? Check. Assign |
13 |
> additional user IDs? Check. Change expiration dates? Check. And so on... |
14 |
> In short, having the primary private key compromised means A LOT of |
15 |
> trouble - and not just for the key owner either, the primary is also |
16 |
> used to sign other people's public keys so it could mess up other users' |
17 |
> trust databases. |
18 |
> |
19 |
> > So, maintaining this requirement with a Nitrokey means that we in |
20 |
> > reality have the primary key online most of the time, |
21 |
> |
22 |
> Seeing as separating the primary and the signing key has been part of |
23 |
> OpenPGP best practices for a long, long time, I have got highly mixed |
24 |
> feelings about this statement. On the one hand, it is not reasonable to |
25 |
> expect someone with no or minimal prior knowledge of OpenPGP to master |
26 |
> it overnight. On the other, we are not just some random people from Teh |
27 |
> Intarwebz and we *have* been using OpenPGP signatures on commits for |
28 |
> quite a while now. |
29 |
> |
30 |
|
31 |
This is untrue though; we *are* random people from teh interwebs. |
32 |
|
33 |
I store my primary key on my desktop. |
34 |
I don't have copies of my primary key. |
35 |
My primary key is protected by a passphrase. |
36 |
Most of the time its cached in gpg-agent, so the passphrase is easily |
37 |
stealable by local attackers. |
38 |
I've been a dev for like > 10 years. |
39 |
|
40 |
I assume that every other dev does the same. Obviously some do not (and |
41 |
I've spoken to many who have better practices) but I assume |
42 |
people do the lazy / easy thing and I highly recommend this assumption. If |
43 |
you assume that people have your security practices, you should prepare to |
44 |
be disappointed. |
45 |
|
46 |
Many devs have *no idea* how GPG works. |
47 |
GPG is quite possibly the worst program I've even been forced to use in |
48 |
terms of doing any operation, particularly around setup (hmm maybe Imation |
49 |
Ironkeys were worse?) |
50 |
Many devs are just following the wiki instructions and get what they get. |
51 |
|
52 |
-A |
53 |
|
54 |
|
55 |
> > when if it were the same as the signing key then both would be |
56 |
> > offline in the Nitrokey. |
57 |
> |
58 |
> Using a hardware security device is not the same as making the key |
59 |
> offline - especially given that the Gentoo NitroKey workflow as |
60 |
> currently posted on the Wiki suggests disabling forcesig, which could |
61 |
> effectively leave the signing private key unlocked for extended periods |
62 |
> of time. |
63 |
> |
64 |
> > Also, by generating the key outside the Nitrokey it is exposed to a |
65 |
> > far higher risk of compromise. |
66 |
> |
67 |
> As Kristian has already mentioned, in principle one could keep the |
68 |
> primary private key on a separate token. |
69 |
> |
70 |
> > In any case, I think it is far more likely that somebody generating |
71 |
> > keys using software has a rooted box than somebody is going to come |
72 |
> > up with a way to extract keys from a Nitrokey. |
73 |
> |
74 |
> You do not have to extract keys from a smartcard in order to be able to |
75 |
> use keys physically present on it. All you have to do observe the |
76 |
> smartcard user's PIN - either physically or using said rooted box - then |
77 |
> nick the smartcard off them, ehich given that we are talking about keys |
78 |
> that are supposed to be used on a regular basis might be very simple. |
79 |
> Hell, if said smartcard contains the primary key you might even return |
80 |
> it to them once you're done compromising them (e.g. by generating your |
81 |
> own set of subkeys) and chances are pretty good that as long as |
82 |
> everything keeps on working fine for them, it will take a quite a while |
83 |
> before anyone notices. |
84 |
> |
85 |
> Conversely, even a software-generated primary key stored on a |
86 |
> software-encrypted USB stick might be more secure simply because with it |
87 |
> being only occasionally required, it can be stored somewhere hard to |
88 |
> access. You don't even need a vault (which, incidentally, is something I |
89 |
> have found people trying to make fun of crypto nerds mention a lot) |
90 |
> either - my personal experience has taught me that giving to a trusted |
91 |
> family member or friend who doesn't live with you is not a bad solution |
92 |
> either. |
93 |
> |
94 |
> > Really the only thing we're missing with the Nitrokey is some form of |
95 |
> > attestation to ensure the keys are in fact generated on the device. |
96 |
> |
97 |
> That would indeed be nice to have, unfortunately I do not think the |
98 |
> current hardware supports this. I know recent YubiKeys do but only in |
99 |
> PIV mode (i.e. for X.509). |
100 |
> |
101 |
> On the other hand, vulnerabilities such as ROCA show clearly that |
102 |
> generating the private key on a smartcard does NOT necessarily make it |
103 |
> more secure than generating it in software, importing it into the |
104 |
> smartcard and wiping the original. |
105 |
> |
106 |
> -- |
107 |
> MS |
108 |
> |
109 |
> |