1 |
On Mon, Apr 29, 2019 at 11:10 AM Matthew Thode |
2 |
<prometheanfire@g.o> wrote: |
3 |
> |
4 |
> On 19-04-28 21:46:24, Rich Freeman wrote: |
5 |
> > On Sun, Apr 28, 2019 at 6:42 PM Thomas Deutschmann <whissi@g.o> wrote: |
6 |
> > > |
7 |
> > > Please respond to this message with agenda items. Do not hesitate to |
8 |
> > > repeat your agenda item here with a pointer if you previously |
9 |
> > > suggested one (since the last meeting). |
10 |
> > > |
11 |
> > |
12 |
> > I would like the council to consider my patch to GLEP 63 to allow a |
13 |
> > single combined primary/signing key when the key is stored on a |
14 |
> > smartcard, so that keys may be generated on a Nitrokey without relying |
15 |
> > on a primary key maintained offline in software, which I think will |
16 |
> > not happen much in practice. This should increase the security of |
17 |
> > signing keys by reducing handling or even storage of primary keys on |
18 |
> > internet-connected hosts (which the GLEP already allows for). |
19 |
> > |
20 |
> > Patch and discussion at: |
21 |
> > https://archives.gentoo.org/gentoo-dev/message/d05070a200e4f5858642d308d9b3e39f |
22 |
> |
23 |
> My main concern here is devs needing to re-establish their keys with |
24 |
> infra in a trusted maner when the key is lost/stolen or otherwise |
25 |
> defunct. Re-establishing that trust may be outside the scope of this |
26 |
> request though. |
27 |
> |
28 |
|
29 |
Probably better to discuss in the other thread, but re-establishing |
30 |
the key is just a matter of logging into dev.gentoo.org and changing |
31 |
your fingerprint. I just did it the other week to create a new key |
32 |
for the nitrokey. That issue exists with software keys as well, |
33 |
though I will concede that it is possible to back up a software key, |
34 |
and it is not possible to do this if it is generated on a smartcard. |
35 |
|
36 |
The main downsides to having your primary key generated on a smartcard |
37 |
and losing it are: |
38 |
1. You do need to generate a new key and change the fingerprint on |
39 |
dev.gentoo.org. In practice the root of our security isn't actually |
40 |
the gpg key but the ssh key, and ldap password. |
41 |
2. You lose any WoT signatures from other devs or individuals on your |
42 |
gpg key. You will regain the signoff from infra when you change your |
43 |
key in LDAP. |
44 |
3. You lose the ability to decrypt any data that you are storing |
45 |
encrypted to your lost key. If you do use the key for encryption then |
46 |
it would be better to either have a backup for this key, or to archive |
47 |
this data unencrypted or encrypted with a key you can recover (the |
48 |
latter isn't an equivalent problem, because you can encrypt that using |
49 |
a key you never need to routinely use, and can also choose to encrypt |
50 |
that data with multiple keys so that even if stored on hardware you |
51 |
could have backups in practice). |
52 |
|
53 |
I will also note, that the current GLEP already allows generating |
54 |
primary keys on a smartcard, and thus already exposes us to the issue |
55 |
of key loss without the possibility of backups. It just requires two |
56 |
different smartcards to accomplish, unless there is some way to hack |
57 |
gpg to use an authentication key for the signing or primary role. The |
58 |
change is to allow a single combined primary/signing key when it is |
59 |
generated on hardware, the existing policy says nothing about |
60 |
maintaining backups of the primary key. |
61 |
|
62 |
I would really suggest that the hardware-only key is most appropriate |
63 |
when you're only signing commits, and not depending on a WoT. |
64 |
However, in practice for most devs I think this is going to end up |
65 |
being more secure than how they would otherwise end up managing their |
66 |
keys (either not using hardware at all, or keeping their primary key |
67 |
online, which basically defeats the point of having the hardware). |
68 |
|
69 |
-- |
70 |
Rich |