| 1 |
On Mon, Apr 29, 2019 at 11:10 AM Matthew Thode |
| 2 |
<prometheanfire@g.o> wrote: |
| 3 |
> |
| 4 |
> On 19-04-28 21:46:24, Rich Freeman wrote: |
| 5 |
> > On Sun, Apr 28, 2019 at 6:42 PM Thomas Deutschmann <whissi@g.o> wrote: |
| 6 |
> > > |
| 7 |
> > > Please respond to this message with agenda items. Do not hesitate to |
| 8 |
> > > repeat your agenda item here with a pointer if you previously |
| 9 |
> > > suggested one (since the last meeting). |
| 10 |
> > > |
| 11 |
> > |
| 12 |
> > I would like the council to consider my patch to GLEP 63 to allow a |
| 13 |
> > single combined primary/signing key when the key is stored on a |
| 14 |
> > smartcard, so that keys may be generated on a Nitrokey without relying |
| 15 |
> > on a primary key maintained offline in software, which I think will |
| 16 |
> > not happen much in practice. This should increase the security of |
| 17 |
> > signing keys by reducing handling or even storage of primary keys on |
| 18 |
> > internet-connected hosts (which the GLEP already allows for). |
| 19 |
> > |
| 20 |
> > Patch and discussion at: |
| 21 |
> > https://archives.gentoo.org/gentoo-dev/message/d05070a200e4f5858642d308d9b3e39f |
| 22 |
> |
| 23 |
> My main concern here is devs needing to re-establish their keys with |
| 24 |
> infra in a trusted maner when the key is lost/stolen or otherwise |
| 25 |
> defunct. Re-establishing that trust may be outside the scope of this |
| 26 |
> request though. |
| 27 |
> |
| 28 |
|
| 29 |
Probably better to discuss in the other thread, but re-establishing |
| 30 |
the key is just a matter of logging into dev.gentoo.org and changing |
| 31 |
your fingerprint. I just did it the other week to create a new key |
| 32 |
for the nitrokey. That issue exists with software keys as well, |
| 33 |
though I will concede that it is possible to back up a software key, |
| 34 |
and it is not possible to do this if it is generated on a smartcard. |
| 35 |
|
| 36 |
The main downsides to having your primary key generated on a smartcard |
| 37 |
and losing it are: |
| 38 |
1. You do need to generate a new key and change the fingerprint on |
| 39 |
dev.gentoo.org. In practice the root of our security isn't actually |
| 40 |
the gpg key but the ssh key, and ldap password. |
| 41 |
2. You lose any WoT signatures from other devs or individuals on your |
| 42 |
gpg key. You will regain the signoff from infra when you change your |
| 43 |
key in LDAP. |
| 44 |
3. You lose the ability to decrypt any data that you are storing |
| 45 |
encrypted to your lost key. If you do use the key for encryption then |
| 46 |
it would be better to either have a backup for this key, or to archive |
| 47 |
this data unencrypted or encrypted with a key you can recover (the |
| 48 |
latter isn't an equivalent problem, because you can encrypt that using |
| 49 |
a key you never need to routinely use, and can also choose to encrypt |
| 50 |
that data with multiple keys so that even if stored on hardware you |
| 51 |
could have backups in practice). |
| 52 |
|
| 53 |
I will also note, that the current GLEP already allows generating |
| 54 |
primary keys on a smartcard, and thus already exposes us to the issue |
| 55 |
of key loss without the possibility of backups. It just requires two |
| 56 |
different smartcards to accomplish, unless there is some way to hack |
| 57 |
gpg to use an authentication key for the signing or primary role. The |
| 58 |
change is to allow a single combined primary/signing key when it is |
| 59 |
generated on hardware, the existing policy says nothing about |
| 60 |
maintaining backups of the primary key. |
| 61 |
|
| 62 |
I would really suggest that the hardware-only key is most appropriate |
| 63 |
when you're only signing commits, and not depending on a WoT. |
| 64 |
However, in practice for most devs I think this is going to end up |
| 65 |
being more secure than how they would otherwise end up managing their |
| 66 |
keys (either not using hardware at all, or keeping their primary key |
| 67 |
online, which basically defeats the point of having the hardware). |
| 68 |
|
| 69 |
-- |
| 70 |
Rich |
Archives