1 |
On Mon, Feb 18, 2019 at 02:22:56PM +0100, Michał Górny wrote: |
2 |
> > It could also be a bad actor, though that comes with other concerns. |
3 |
> > The CAFF method is the standard way of handling signatures, switching to |
4 |
> > ldap also switches our trust store to be based on ldap, not developer |
5 |
> > keys (anything can be in ldap). |
6 |
> > |
7 |
> |
8 |
> As Kristian named it, could you please explain to me what specific |
9 |
> threat model does this address? |
10 |
> |
11 |
> AFAIU the main purpose of the caff model is to verify that the person |
12 |
> whose key you are signing can access the particular e-mail address. |
13 |
> Which certainly makes sense when you are signing an arbitrary key. |
14 |
> However, I don't really see how that's relevant here, and I'd rather |
15 |
> not add needless complexity based on cargo cult imitation of caff. |
16 |
> |
17 |
> In our case, the key fingerprint comes from LDAP, and is directly bound |
18 |
> to the particular username, therefore mailbox. I don't really see it |
19 |
> a likely case that someone would be able to edit developer's LDAP |
20 |
> attributes but at the same time be unable to access his mailbox. |
21 |
> |
22 |
> In other words, as I see it, the caff model can help if: |
23 |
Thanks for expounding on the list of issues. I think this covers |
24 |
all/most of the cases I had in my head. |
25 |
|
26 |
> 1) someone manages to compromise LDAP without compromising e-mail |
27 |
> service, |
28 |
- Compromising email has a couple of routes: |
29 |
1. Getting into dev.gentoo.org (SSH creds). |
30 |
Either lets you see mail directly there, or edit the forward. |
31 |
OR |
32 |
2. If a dev has their mail forwarded, you can also compromise |
33 |
somewhere else in the forwarding chain. |
34 |
- Compromising LDAP requires: |
35 |
1. A shell in a larger set of machines (need SSH creds to any user on hosts that are LDAP clients) |
36 |
AND |
37 |
2. A LDAP password with suitable power (note that the SSH creds and |
38 |
LDAP password could be from different compromised users), which means |
39 |
either the target, or the LDAP password of somebody in |
40 |
comrel/recruiters/infra. |
41 |
|
42 |
> 2) a developer accidentally puts the wrong fingerprint in LDAP, |
43 |
This has happened before; esp w/ devs putting subkeys into LDAP. If not |
44 |
in-band with this proposal (e.g. CAFF), can we see some other validation |
45 |
for the keys? |
46 |
|
47 |
> 3) a developer has broken e-mail setup, |
48 |
> |
49 |
> 4) a developer is inactive. |
50 |
> |
51 |
> I think cases 1)-3) are rather unlikely, and 2)-3) belong to |
52 |
> the 'wrong place to solve the problem' category. 4) practically relies |
53 |
> on making an assumption that we don't want users to trust developers who |
54 |
> aren't active enough to add this signature. |
55 |
|
56 |
3) would be good to detect on the less-active devs, and gives good |
57 |
life-signs to undertakers. |
58 |
|
59 |
> The other side of this is added complexity on the scripting side, for |
60 |
> a start. We need to store to whom we sent signatures to avoid resending |
61 |
> them over and over again. Then, we need to able to force resending if |
62 |
> the developer lost the mail for some reason. |
63 |
Save the signature to a file, email the file, retain the file for |
64 |
record-keeping, resend the file until they do something about it. I |
65 |
think the CAFF codebase does already support this variant to not |
66 |
regenerate pending signatures. |
67 |
|
68 |
> Finally, there will be at least a few developers who won't be covered by |
69 |
> this because they won't care enough to add the signature to their key. |
70 |
> |
71 |
> My original goal was to cover all active developers because users might |
72 |
> have their reasons to contact any of the developers, and I don't see any |
73 |
> reason to exclude anyone from this. It's not equivalent to giving |
74 |
> people access to any system, privileges to perform any specific action. |
75 |
Users sending mail to an unverified key seems like a concern to me. |
76 |
|
77 |
> It's mostly about confirming which OpenPGP key should be used to send |
78 |
> mail to a particular e-mail address. The same as if you went to |
79 |
> the developer listing and checked key IDs there, except more automated |
80 |
> and using a single authority key rather than PKI for verification |
81 |
> (though at least initially the authority key would itself be verified |
82 |
> against PKI). |
83 |
Related codepath not discussed yet: |
84 |
- detect keys REMOVED from ldap and generate revoke of signature on those. |
85 |
|
86 |
-- |
87 |
Robin Hugh Johnson |
88 |
Gentoo Linux: Dev, Infra Lead, Foundation Treasurer |
89 |
E-Mail : robbat2@g.o |
90 |
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85 |
91 |
GnuPG FP : 7D0B3CEB E9B85B1F 825BCECF EE05E6F6 A48F6136 |