| 1 |
On Fri, Nov 15, 2013 at 01:51:32PM -0500, Rick "Zero_Chaos" Farina wrote: |
| 2 |
> On 11/15/2013 01:23 AM, Robin H. Johnson wrote: |
| 3 |
> > You crossed sections, but let's collapse both to: |
| 4 |
> > |
| 5 |
> > Bare minimum requirements: |
| 6 |
> > 3. Key expiry: 6 months min, 3 years max. |
| 7 |
> > Recommendations: |
| 8 |
> > 4.1. Root key: 6 months min, 3 year max; |
| 9 |
> > 4.2. Signing subkey: 3 months min, 1 year max; |
| 10 |
> > 4.3. For both keys, expiry date should always be update at least 1 month before expiry. |
| 11 |
> How are we planning on updating keys on user's systems to verify things? |
| 12 |
> I only ask because 3 months on the signing key means whatever we do |
| 13 |
> needs to happen *securely* every 3 months at most. So like, if we are |
| 14 |
> pushing an ebuild with a keyring then we have to update it every 2 |
| 15 |
> months so keys don't expire and then that would break if the user |
| 16 |
> doesn't update every 3 months... Might be an issue as we try as a whole |
| 17 |
> to keep systems updatable for 1 year. |
| 18 |
So some more details regarding how we plan to deploy keys is probably |
| 19 |
needed here. It was out of scope for the discussion about what keys |
| 20 |
should look like. |
| 21 |
|
| 22 |
There are a few parts to it: |
| 23 |
- gentoo-keys (lead by dolsen) |
| 24 |
This is a mostly infra-level tool that takes the data in LDAP, does |
| 25 |
validation, mixes in the keys from keyserver/homedir, and generates |
| 26 |
keyrings. |
| 27 |
- keyring packages: |
| 28 |
Thus far, based on the Debian keyring model, where keyrings of trusted |
| 29 |
keys are installed locally in /usr/share/keyrings/, and the package |
| 30 |
manager (or other tools) looks there for validation. I've got a few |
| 31 |
planned so far: |
| 32 |
$CAT/gentoo-dev-keyring |
| 33 |
$CAT/gentoo-releng-keyring |
| 34 |
$CAT/gentoo-master-keyring |
| 35 |
To ease the 1-year-updatability requirement, these three packages |
| 36 |
should explicitly be signed by the master key (and not a dev key), |
| 37 |
which has a much longer validity. This would always enable you to |
| 38 |
rsync, install the latest gentoo-dev-keyring, and then install other |
| 39 |
packages thereafter. |
| 40 |
- layman keyrings: |
| 41 |
dolsen is also working on allowing overlays to specify keyrings in the |
| 42 |
repositories.xml; there's a few unanswered questions about how to |
| 43 |
ensure nobody does MITM attacks on those keyrings (either convince the |
| 44 |
overlays admins to change the URL to the keyring, or simply intercept |
| 45 |
requests for the keyring itself). This maps to how Ubuntu's Launchpad |
| 46 |
handles keys for PPAs. |
| 47 |
|
| 48 |
TODO: |
| 49 |
We need a way for a given repo, once installed, to specify what keyrings |
| 50 |
to use for validation. I'm thinking of adding it to |
| 51 |
metadata/layout.conf. |
| 52 |
The main gentoo-x86 repo would have for example: |
| 53 |
keyrings = gentoo-master gentoo-releng gentoo-dev |
| 54 |
|
| 55 |
Overlays might have: |
| 56 |
keyrings = gentoo-overlay-mysql |
| 57 |
|
| 58 |
-- |
| 59 |
Robin Hugh Johnson |
| 60 |
Gentoo Linux: Developer, Trustee & Infrastructure Lead |
| 61 |
E-Mail : robbat2@g.o |
| 62 |
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85 |
Archives