| 1 |
On Mon, Feb 18, 2019 at 02:22:56PM +0100, Michał Górny wrote: |
| 2 |
> > It could also be a bad actor, though that comes with other concerns. |
| 3 |
> > The CAFF method is the standard way of handling signatures, switching to |
| 4 |
> > ldap also switches our trust store to be based on ldap, not developer |
| 5 |
> > keys (anything can be in ldap). |
| 6 |
> > |
| 7 |
> |
| 8 |
> As Kristian named it, could you please explain to me what specific |
| 9 |
> threat model does this address? |
| 10 |
> |
| 11 |
> AFAIU the main purpose of the caff model is to verify that the person |
| 12 |
> whose key you are signing can access the particular e-mail address. |
| 13 |
> Which certainly makes sense when you are signing an arbitrary key. |
| 14 |
> However, I don't really see how that's relevant here, and I'd rather |
| 15 |
> not add needless complexity based on cargo cult imitation of caff. |
| 16 |
> |
| 17 |
> In our case, the key fingerprint comes from LDAP, and is directly bound |
| 18 |
> to the particular username, therefore mailbox. I don't really see it |
| 19 |
> a likely case that someone would be able to edit developer's LDAP |
| 20 |
> attributes but at the same time be unable to access his mailbox. |
| 21 |
> |
| 22 |
> In other words, as I see it, the caff model can help if: |
| 23 |
Thanks for expounding on the list of issues. I think this covers |
| 24 |
all/most of the cases I had in my head. |
| 25 |
|
| 26 |
> 1) someone manages to compromise LDAP without compromising e-mail |
| 27 |
> service, |
| 28 |
- Compromising email has a couple of routes: |
| 29 |
1. Getting into dev.gentoo.org (SSH creds). |
| 30 |
Either lets you see mail directly there, or edit the forward. |
| 31 |
OR |
| 32 |
2. If a dev has their mail forwarded, you can also compromise |
| 33 |
somewhere else in the forwarding chain. |
| 34 |
- Compromising LDAP requires: |
| 35 |
1. A shell in a larger set of machines (need SSH creds to any user on hosts that are LDAP clients) |
| 36 |
AND |
| 37 |
2. A LDAP password with suitable power (note that the SSH creds and |
| 38 |
LDAP password could be from different compromised users), which means |
| 39 |
either the target, or the LDAP password of somebody in |
| 40 |
comrel/recruiters/infra. |
| 41 |
|
| 42 |
> 2) a developer accidentally puts the wrong fingerprint in LDAP, |
| 43 |
This has happened before; esp w/ devs putting subkeys into LDAP. If not |
| 44 |
in-band with this proposal (e.g. CAFF), can we see some other validation |
| 45 |
for the keys? |
| 46 |
|
| 47 |
> 3) a developer has broken e-mail setup, |
| 48 |
> |
| 49 |
> 4) a developer is inactive. |
| 50 |
> |
| 51 |
> I think cases 1)-3) are rather unlikely, and 2)-3) belong to |
| 52 |
> the 'wrong place to solve the problem' category. 4) practically relies |
| 53 |
> on making an assumption that we don't want users to trust developers who |
| 54 |
> aren't active enough to add this signature. |
| 55 |
|
| 56 |
3) would be good to detect on the less-active devs, and gives good |
| 57 |
life-signs to undertakers. |
| 58 |
|
| 59 |
> The other side of this is added complexity on the scripting side, for |
| 60 |
> a start. We need to store to whom we sent signatures to avoid resending |
| 61 |
> them over and over again. Then, we need to able to force resending if |
| 62 |
> the developer lost the mail for some reason. |
| 63 |
Save the signature to a file, email the file, retain the file for |
| 64 |
record-keeping, resend the file until they do something about it. I |
| 65 |
think the CAFF codebase does already support this variant to not |
| 66 |
regenerate pending signatures. |
| 67 |
|
| 68 |
> Finally, there will be at least a few developers who won't be covered by |
| 69 |
> this because they won't care enough to add the signature to their key. |
| 70 |
> |
| 71 |
> My original goal was to cover all active developers because users might |
| 72 |
> have their reasons to contact any of the developers, and I don't see any |
| 73 |
> reason to exclude anyone from this. It's not equivalent to giving |
| 74 |
> people access to any system, privileges to perform any specific action. |
| 75 |
Users sending mail to an unverified key seems like a concern to me. |
| 76 |
|
| 77 |
> It's mostly about confirming which OpenPGP key should be used to send |
| 78 |
> mail to a particular e-mail address. The same as if you went to |
| 79 |
> the developer listing and checked key IDs there, except more automated |
| 80 |
> and using a single authority key rather than PKI for verification |
| 81 |
> (though at least initially the authority key would itself be verified |
| 82 |
> against PKI). |
| 83 |
Related codepath not discussed yet: |
| 84 |
- detect keys REMOVED from ldap and generate revoke of signature on those. |
| 85 |
|
| 86 |
-- |
| 87 |
Robin Hugh Johnson |
| 88 |
Gentoo Linux: Dev, Infra Lead, Foundation Treasurer |
| 89 |
E-Mail : robbat2@g.o |
| 90 |
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85 |
| 91 |
GnuPG FP : 7D0B3CEB E9B85B1F 825BCECF EE05E6F6 A48F6136 |
Archives