| 1 |
On Sun, Feb 24, 2019 at 9:14 AM Michał Górny <mgorny@g.o> wrote: |
| 2 |
|
| 3 |
> --- |
| 4 |
> glep-9999.rst | 359 ++++++++++++++++++++++++++++++++++++++++++++++++++ |
| 5 |
> 1 file changed, 359 insertions(+) |
| 6 |
> create mode 100644 glep-9999.rst |
| 7 |
> |
| 8 |
> diff --git a/glep-9999.rst b/glep-9999.rst |
| 9 |
> new file mode 100644 |
| 10 |
> index 0000000..d66398b |
| 11 |
> --- /dev/null |
| 12 |
> +++ b/glep-9999.rst |
| 13 |
> @@ -0,0 +1,359 @@ |
| 14 |
> +--- |
| 15 |
> +GLEP: 9999 |
| 16 |
> +Title: Gentoo OpenPGP Authority Keys |
| 17 |
> +Author: Michał Górny <mgorny@g.o> |
| 18 |
> +Type: Standards Track |
| 19 |
> +Status: Draft |
| 20 |
> +Version: 1 |
| 21 |
> +Created: 2019-02-24 |
| 22 |
> +Last-Modified: 2019-02-24 |
| 23 |
> +Post-History: |
| 24 |
> +Content-Type: text/x-rst |
| 25 |
> +Requires: 63 |
| 26 |
> +--- |
| 27 |
> + |
| 28 |
> +Abstract |
| 29 |
> +======== |
| 30 |
> +This GLEP proposes using Authority Keys to provide developer key |
| 31 |
> +validity proofs that are compatible with web of trust. The signatures |
| 32 |
> +on ``@gentoo.org`` UIDs are automatically maintained, and user can |
| 33 |
> +follow the current set of valid keys by importing and trusting a single |
| 34 |
> +Authority Key. The system operates within standard features of GnuPG |
| 35 |
> +and requires only minimal setup from the user. |
| 36 |
> + |
| 37 |
> + |
| 38 |
> +Motivation |
| 39 |
> +========== |
| 40 |
> +All the recent efforts on improving OpenPGP usage in Gentoo were focused |
| 41 |
> +on internal usage and distribution. The existing policies and tooling |
| 42 |
> +are sufficient to account for verify specific usage, including commit |
| 43 |
> +signing (with both internal and user-oriented verification via custom |
| 44 |
> +tools) or release media verification. However, they do not provide |
| 45 |
> +for rapid OpenPGP deployment for secure communications usage. |
| 46 |
> + |
| 47 |
> +The Gentoo webservers distribute both convenient key bundles |
| 48 |
> +and individual keys via Web Key Directory. While in both cases |
| 49 |
> +the transfer is secured via HTTPS, providing authenticity verification |
| 50 |
> +via PKI/DNSSEC, those channels are meant to *distribute* the keys |
| 51 |
> +and not provide implicit guarantees on their *validity*. For example, |
| 52 |
> +they provide no guarantees that the user identifiers on the keys are |
| 53 |
> +legitimate. [#KEY-BUNDLES]_ |
| 54 |
> + |
| 55 |
> +Internally, Gentoo's LDAP directory serves as the canonical source |
| 56 |
> +of information on key validity. It stores a list of key fingerprints |
| 57 |
> +for each Gentoo developers, and therefore allows the system to establish |
| 58 |
> +which keys are acceptable in context of a specific developer. However, |
| 59 |
> +the LDAP directory is not available to the public and therefore is only |
| 60 |
> +suitable for internal infrastructure use. [#LDAP-GUIDE]_ |
| 61 |
> + |
| 62 |
> +The Gentoo website is focused on service keys and not individual |
| 63 |
> +developer keys. While it could easily be amended with full fingerprints |
| 64 |
> +of all developer keys, the necessity of manually verifying such a large |
| 65 |
> +number of keys would be inconvenient to the end user. |
| 66 |
> +[#WWW-SIGNATURES]_ |
| 67 |
> + |
| 68 |
> +The key package provided in the Gentoo repository is also focused |
| 69 |
> +on service keys, and has limited value in verifying key validity |
| 70 |
> +(currently, it assumes all UIDs on all keys in the keyring are valid). |
| 71 |
> +Providing a package with developer keys would both require frequent |
| 72 |
> +semi-manual updates, and establishing a more precise validity model. |
| 73 |
> +[#KEY-PACKAGE]_ |
| 74 |
> + |
| 75 |
> +Gentoo-keys project provides so-called seed files that carry enough |
| 76 |
> +information to establish key validity, and are authenticated via HTTPS. |
| 77 |
> +However, they rely on installing custom software that does not integrate |
| 78 |
> +well with regular use of GnuPG e.g. in mail clients, and that is not |
| 79 |
> +easily usable in other systems. [#GENTOO-KEYS]_ |
| 80 |
> + |
| 81 |
> +The Authority Key proposal aims to provide a more standard way of |
| 82 |
> +establishing validity of Gentoo developer keys. It builds upon the web |
| 83 |
> +of trust model, requiring no special software and minimal setup from end |
| 84 |
> +users. |
| 85 |
> + |
| 86 |
> + |
| 87 |
> +Specification |
| 88 |
> +============= |
| 89 |
> +Purpose and usage |
| 90 |
> +----------------- |
| 91 |
> +The purpose of the Authority Keys is to provide an automatically issued |
| 92 |
> +signatures on Gentoo developer OpenPGP keys, based on the information |
| 93 |
> +provided internally in the Gentoo LDAP directory. The service |
| 94 |
> +is provided for all active Gentoo developers, from the moment of their |
| 95 |
> +recruitment. |
| 96 |
> + |
| 97 |
> +Whenever a developer account is created, reactivated, renamed or has |
| 98 |
> +a new key fingerprint added, a signature is automatically created |
| 99 |
> +on the appropriate ``@gentoo.org`` UIDs and pushed to the keyservers. |
| 100 |
> +Whenever an old signature expires, a new one is automatically created. |
| 101 |
> +Whenever a developer account is disabled, renamed or has a fingerprint |
| 102 |
> +removed, the signatures from obsolete UIDs are automatically revoked. |
| 103 |
> + |
| 104 |
> +The signatures are issued only on the UIDs matching the Gentoo |
| 105 |
> +developer's ``@gentoo.org`` mailbox address, on keys whose primary key |
| 106 |
> +fingerprints are listed in Gentoo LDAP ``gpgfingerprint`` records. Keys |
| 107 |
> +missing such an UID are ignored. **Names on the relevant user |
| 108 |
> +identifiers are not verified**. The signatures are issued with |
| 109 |
> +an expiration date of 1 year from being issued. |
| 110 |
> + |
| 111 |
> + |
| 112 |
> +L1 and L2 keys |
| 113 |
> +-------------- |
| 114 |
> +The Authority Keys are issued in two layers, appropriately called L1 |
| 115 |
> +and L2. |
| 116 |
> + |
| 117 |
> +The single L1 Authority Key is used only to (manually) certify the L2 |
| 118 |
> +Keys, and is kept securely offline following the Infrastructure policies |
| 119 |
> +on protecting primary keys. The fingerprint of this key is published |
| 120 |
> +on the Gentoo website and users are requested to sign this key to enable |
| 121 |
> +key validity via Authority Keys. |
| 122 |
> |
| 123 |
+ |
| 124 |
> +The L2 Authority Keys are used directly to sign developer keys. Since |
| 125 |
> +they are used in an automated service, they are exposed to attacks. |
| 126 |
> +They are trust-signed by the L1 key and can be revoked and rotated more |
| 127 |
> +frequently than the L1 key. |
| 128 |
> + |
| 129 |
> +This dual-layer model aims to combine improved security with user |
| 130 |
> +convenience. While the individual Gentoo keys are signed by the L2 key, |
| 131 |
> +the users sign only the L1 key and the validity is established via chain |
| 132 |
> +L1 → L2 → developer key. This makes it possible to replace the L2 key |
| 133 |
> +if it ever becomes compromised without requiring the users to |
| 134 |
> +reestablish trust. Since the replacement key will be also signed |
| 135 |
> +by the L1 key (provided that it was not compromised), the validity |
| 136 |
> +of developer keys will remain established. |
| 137 |
> + |
| 138 |
> + |
| 139 |
> +Validating the L1 key |
| 140 |
> +--------------------- |
| 141 |
> +Establishing the authenticity of the L1 Authority Key is essential |
| 142 |
> +to the system. Initially, the users will be able to determine |
| 143 |
> +the authenticity via comparing the key fingerprint with the one |
| 144 |
> +published on the website. This will shift the authenticity verification |
| 145 |
> +to HTTPS (PKI/DNSSEC). |
| 146 |
> + |
| 147 |
> +However, at the same time users are encouraged to sign the key upon |
| 148 |
> +verifying it. This will effectively make it possible to establish key's |
| 149 |
> +validity via OpenPGP web of trust. |
| 150 |
> |
| 151 |
|
| 152 |
Is the L1 specific to signing packages, or does it have other duties? |
| 153 |
|
| 154 |
|
| 155 |
> + |
| 156 |
> + |
| 157 |
> +Rationale |
| 158 |
> +========= |
| 159 |
> +Authority Key model vs web of trust |
| 160 |
> +----------------------------------- |
| 161 |
> +The regular web of trust model relies on individuals verifying |
| 162 |
> +the Gentoo developer identity and access to the particular |
| 163 |
> +``@gentoo.org`` e-mail address. The particular UID is considered valid |
| 164 |
> +if a sufficient number of people trusted by the user in question have |
| 165 |
> +confirmed the developer's identity. This specifically relies on being |
| 166 |
> +able to establish a chain of trust between the developer and user. |
| 167 |
> + |
| 168 |
> +At the moment, many of the existing Gentoo developers did not even |
| 169 |
> +stablish a chain of trust between one another, not to mention establish |
| 170 |
> |
| 171 |
|
| 172 |
establish |
| 173 |
|
| 174 |
|
| 175 |
> +web of trust coverage that would make it feasible for users to reach any |
| 176 |
> +specific developer. Efforts towards improving that were rejected |
| 177 |
> +by the developers, mostly based on argumentation that many developers |
| 178 |
> +find it impossible to meet any other community member for the purpose |
| 179 |
> +of identity verification. |
| 180 |
> + |
| 181 |
> +The Authority Key model, on the other hand, assumes that there is |
| 182 |
> +a single trusted authority that verifies Gentoo developers' keys. |
| 183 |
> +The user verifies the key representing this authority and trusts it. |
| 184 |
> +The validity of keys used by all developers is established via a single |
| 185 |
> +point of trust. |
| 186 |
> + |
| 187 |
> +The procedure of establishing the validity of a specific key does not |
| 188 |
> +involve the necessity of meeting anyone or verifying identity. While |
| 189 |
> +the validity is exposed in a manner compatible with web of trust, it is |
| 190 |
> +verified against LDAP which implicitly proves authenticity of the keys. |
| 191 |
> + |
| 192 |
> +Therefore, the Authority Key model is much easier to set up. The user |
| 193 |
> +merely needs to verify a single key and trust it, while pure WoT would |
| 194 |
> +probably require trusting multiple third party identities. It is also |
| 195 |
> +more secure as it limits the attack vector to a single key rather than |
| 196 |
> +one of potentially large number of keys that need to be trusted by |
| 197 |
> +the user. If the user decides to stop trusting ``@gentoo.org`` UIDs, |
| 198 |
> +the validity can easily be reverted by disabling the single Authority |
| 199 |
> +Key. |
| 200 |
> |
| 201 |
|
| 202 |
Yeah I like the revocation a lot better in this proposal, the previous one |
| 203 |
seemed a bit impractical. |
| 204 |
|
| 205 |
|
| 206 |
> + |
| 207 |
> + |
| 208 |
> +Authority Key vs gentoo-keys |
| 209 |
> +---------------------------- |
| 210 |
> +The gentoo-keys project provides seed data that is sufficient to verify |
| 211 |
> +the authenticity of the keys. However, this data uses entirely custom |
| 212 |
> +format and therefore requires special tooling to process. This tooling |
| 213 |
> +has not been packaged for any other Linux distribution or operating |
| 214 |
> +system, and is non-trivial to install as unprivileged user. |
| 215 |
> + |
| 216 |
> +The Authority Key model is based entirely on built-in GnuPG features. |
| 217 |
> +It does not require any special tooling to run. The necessary bootstrap |
| 218 |
> +can be done manually via GnuPG command-line facilities. Eventually, |
| 219 |
> +even that may become unnecessary if the Authority Key is covered via |
| 220 |
> +web of trust. |
| 221 |
> |
| 222 |
+ |
| 223 |
> +Furthermore, gentoo-keys seed data currently requires manual updates. |
| 224 |
> +The Authority Key system is automated, and therefore subject to smaller |
| 225 |
> +delays in operation. |
| 226 |
> + |
| 227 |
> + |
| 228 |
> +Developer coverage |
| 229 |
> +------------------ |
| 230 |
> +In the original proposal, it was debated whether new developers should |
| 231 |
> +be subject to grace period during which their keys would not be signed. |
| 232 |
> +However, no arguments were brought to support such a period, |
| 233 |
> +and therefore the GLEP assumes all developers are covered as long |
| 234 |
> +as they are considered active Gentoo developers. |
| 235 |
> + |
| 236 |
> +Since only ``@gentoo.org`` e-mail addresses are under Gentoo control |
| 237 |
> +and developer identities outside the distribution are outside the scope |
| 238 |
> +of this project, only UIDs matching the respective developer addresses |
| 239 |
> +are signed. This is meant to prevent the developers from forging |
| 240 |
> +somebody else's identity. |
| 241 |
> + |
| 242 |
> +The developers' real names are not verified. Firstly, the purpose |
| 243 |
> +of this project is to establish association between keys and specific |
| 244 |
> +Gentoo developers, whose primary identification is the nickname used |
| 245 |
> +in Gentoo. The exact real name is irrelevant to the validity in this |
| 246 |
> +context. Secondly, comparing real names between LDAP and user |
| 247 |
> +identifiers would be non-trivial and most likely cause a number of |
| 248 |
> +developers being silently rejected due to e.g. modified name spelling. |
| 249 |
> + |
| 250 |
> + |
| 251 |
> +caff verification model |
| 252 |
> +----------------------- |
| 253 |
> +During the initial debate, using a model similar to Debian's caff tool |
| 254 |
> +was suggested. In this model, new signatures are sent encrypted |
| 255 |
> +to the developers rather than uploaded straight to keyservers. |
| 256 |
> +Developers need to decrypt and add them to their keys themselves. |
| 257 |
> +[#CAFF]_ |
| 258 |
> + |
| 259 |
> +The main purpose of the caff model is to assist users in verifying |
| 260 |
> +e-mail addresses of the UIDs they are about to sign. By sending |
| 261 |
> +an encrypted e-mail, this model verifies that the recipient is both |
| 262 |
> +able to receive mail at a specific address and decrypt messages |
| 263 |
> +encrypted using the specified key. Since the message contains complete |
| 264 |
> +signature ready to be imported, the key signing process can be completed |
| 265 |
> +entirely by the recipient and the sender does not need to be concerned |
| 266 |
> +past sending it. |
| 267 |
> + |
| 268 |
> +However, there seems to be no clear reason to employ this model here. |
| 269 |
> +A reasonable assumption can be made that if one is able to access |
| 270 |
> +the LDAP directory as a particular Gentoo developer, one is also able |
| 271 |
> +to access the developer's mailbox. This considered, verifying |
| 272 |
> +the e-mail address in caff fashion is redundant. |
| 273 |
> + |
| 274 |
> +Furthermore, implementing this model increases complexity both server- |
| 275 |
> +and client-side. The server would need to be entirely stateful to avoid |
| 276 |
> +sending duplicate mails, and at the same time it would need to permit |
| 277 |
> +re-requesting signature e-mails. The developers would need to manually |
| 278 |
> +import the signature and send it to keyservers. |
| 279 |
> + |
| 280 |
> +It is quite probable that some of the less active developers would be |
| 281 |
> +permanently excluded by being unaware or uninterested in participating |
| 282 |
> +in the new system. Furthermore, signature expirations would cause |
| 283 |
> +potentially extensive periods of key invalidity to occur (between |
| 284 |
> +signature expiration and import of the new one). During those periods, |
| 285 |
> +users' ability to mail developers securely would be hindered. |
| 286 |
> + |
| 287 |
> + |
| 288 |
> +Dual-layer model |
| 289 |
> +---------------- |
| 290 |
> +The dual-layer Authority Key model is established in order to combine |
| 291 |
> +security with needed automation. The L1 Key provides higher level |
| 292 |
> +of security, at the cost of requiring manual operation. The L2 Keys are |
| 293 |
> +suitable for automated use but that implies they're exposed to attacks. |
| 294 |
> + |
| 295 |
> +If the model was based on a single key and that key was compromised, |
| 296 |
> +the key would have to be revoked and replaced with a new one. All users |
| 297 |
> +would have to fetch the new key and validate it independently to restore |
| 298 |
> +the developer key validity. |
| 299 |
> + |
| 300 |
> +Using two keys introduces a middle link in the trust chain that can be |
| 301 |
> +replaced easily. Users trust the L1 Key which is unlikely to be |
| 302 |
> +compromised. The trust on L2 Key is implicitly provided by the L1 Key, |
| 303 |
> +and users do not need to be specifically concerned about it. If L2 Key |
| 304 |
> +is compromised, the Infrastructure developers can replace it and restore |
| 305 |
> +the trust via (non-compromised) L1 Key. Users only have to fetch |
| 306 |
> +the new key and validity is restored. |
| 307 |
> + |
| 308 |
> + |
| 309 |
> +Security considerations |
| 310 |
> +----------------------- |
| 311 |
> +The user needs to be able to verify the authenticity of the L1 Key. |
| 312 |
> +This can be done in one of two ways: |
| 313 |
> + |
| 314 |
> +a. via comparing the fingerprint against the record on Gentoo website. |
| 315 |
> + This relies on the security of Gentoo web servers, and the website |
| 316 |
> + content repository. From user side, authenticity relies on PKI |
| 317 |
> + and/or DNSSEC, and possibly any other future HTTPS protection |
| 318 |
> + mechanisms. |
| 319 |
> + |
| 320 |
> +b. via web of trust, provided the user trusts someone who verified |
| 321 |
> + the key first. In this case, the authenticity relies entirely |
| 322 |
> + on the web of trust model, and is subject to attacks specific to it |
| 323 |
> + (e.g. to wrongly trusting a malicious person). |
| 324 |
> + |
| 325 |
> +The L1 Key itself is protected from being compromised via current |
| 326 |
> +Infrastructure best practices. At this moment, this involves password |
| 327 |
> +protection and offline storage. If the key ever becomes compromised, |
| 328 |
> +the procedures involve revoking it and announcing the problem. |
| 329 |
> + |
| 330 |
> +The L2 Keys lack this kind of protection by design. If they become |
| 331 |
> +compromised, the procedure involves revoking the key quickly |
| 332 |
> +and replacing it with a new one. |
| 333 |
> + |
| 334 |
> +In both cases, the revocation procedure relies on the user periodically |
| 335 |
> +refreshing keys against reliable sources. Typically this involves using |
| 336 |
> +SKS keyservers over HKPS which in turn relies on PKI to prevent a third |
| 337 |
> +party from intercepting propagation of revocations. |
| 338 |
> + |
| 339 |
> +The validity of developer key UIDs is established via signatures made |
| 340 |
> +by the L2 Key. If UIDs become no longer valid, the signatures are |
| 341 |
> +revoked in order to invalidate them. This also relies on users |
| 342 |
> +periodically pulling keyservers for developer key updates. |
| 343 |
> + |
| 344 |
> +Additionally, signatures are made with one year expiration time. |
| 345 |
> +In the extremely unlikely case of scripts failing to revoke |
| 346 |
> +the particular signature, it will expire automatically. |
| 347 |
> + |
| 348 |
> + |
| 349 |
> +Backwards Compatibility |
| 350 |
> +======================= |
| 351 |
> +This proposal is established independently of existing solutions, |
| 352 |
> +and does not affect them. |
| 353 |
> + |
| 354 |
> + |
| 355 |
> +Reference Implementation |
| 356 |
> +======================== |
| 357 |
> +The reference tooling for maintaining Authority Key signatures is |
| 358 |
> +published as gentoo-authority-key project. [#GENTOO-AUTHORITY-KEY]_ |
| 359 |
> + |
| 360 |
> + |
| 361 |
> +References |
| 362 |
> +========== |
| 363 |
> +.. [#KEY-BUNDLES] Directory listing including .gpg key bundles |
| 364 |
> + (https://qa-reports.gentoo.org/output/) |
| 365 |
> + |
| 366 |
> +.. [#LDAP-GUIDE] Project:Infrastructure/LDAP Guide - Gentoo Wiki |
| 367 |
> + (https://wiki.gentoo.org/wiki/Project:Infrastructure/LDAP_Guide) |
| 368 |
> + |
| 369 |
> +.. [#WWW-SIGNATURES] Release media signatures - Gentoo Linux |
| 370 |
> + (https://www.gentoo.org/downloads/signatures/) |
| 371 |
> + |
| 372 |
> +.. [#KEY-PACKAGE] app-crypt/openpgp-keys-gentoo-release – Gentoo Packages |
| 373 |
> + ( |
| 374 |
> https://packages.gentoo.org/packages/app-crypt/openpgp-keys-gentoo-release |
| 375 |
> ) |
| 376 |
> + |
| 377 |
> +.. [#GENTOO-KEYS] Project:Gentoo-keys - Gentoo Wiki |
| 378 |
> + (https://wiki.gentoo.org/wiki/Project:Gentoo-keys) |
| 379 |
> + |
| 380 |
> +.. [#CAFF] caff - Debian Wiki |
| 381 |
> + (https://wiki.debian.org/caff) |
| 382 |
> + |
| 383 |
> +.. [#GENTOO-AUTHORITY-KEY] mgorny/gentoo-authority-key: Script to |
| 384 |
> + automatically sign developer keys using OpenPGP authority key |
| 385 |
> + (https://github.com/mgorny/gentoo-authority-key) |
| 386 |
> + |
| 387 |
> + |
| 388 |
> +Copyright |
| 389 |
> +========= |
| 390 |
> +This work is licensed under the Creative Commons Attribution-ShareAlike |
| 391 |
> 3.0 |
| 392 |
> +Unported License. To view a copy of this license, visit |
| 393 |
> +http://creativecommons.org/licenses/by-sa/3.0/. |
| 394 |
> -- |
| 395 |
> 2.21.0.rc2 |
| 396 |
> |
| 397 |
> |
| 398 |
> |
Archives