| 1 |
I will probably end up repeating a lot of what mgorny has said later, but |
| 2 |
I'll try to be concise ;) |
| 3 |
|
| 4 |
I want to start with a premise, which is that most users don't have a trust |
| 5 |
web, and so saying things like "we should build a web this way" or "users |
| 6 |
should use a web" is self-defeating, our target userbase doesn't have one. |
| 7 |
|
| 8 |
On Sun, Mar 10, 2019 at 12:53 PM Thomas Deutschmann <whissi@g.o> |
| 9 |
wrote: |
| 10 |
|
| 11 |
> Hi, |
| 12 |
> |
| 13 |
> I know I am late but... |
| 14 |
> |
| 15 |
> 1) I still don't understand the motivation for this. What will |
| 16 |
> change/improve/be possible in future vs. status quo? |
| 17 |
> |
| 18 |
> 2) This sounds like a blackbox only a few people know/understand: |
| 19 |
> |
| 20 |
|
| 21 |
> > +The single L1 Authority Key is used only to (manually) certify the L2 |
| 22 |
> > +Keys, and is kept securely offline following the Infrastructure policies |
| 23 |
> > +on protecting primary keys. |
| 24 |
> |
| 25 |
> However, the L1 key is critical, especially if all devs will sign that |
| 26 |
> key. E.g. this will allow people with access to L1 to establish a new |
| 27 |
> tree without the knowledge of everyone who signed the key but the new |
| 28 |
> tree will be able to issue new signatures and everyone will accept them |
| 29 |
> because L1 is trusted. Unacceptable. Process must be clear for |
| 30 |
> _everyone_. No blackbox. |
| 31 |
> |
| 32 |
|
| 33 |
Currently infra can make the website do whatever it wants, so anyone |
| 34 |
chaining to LE already trusts Infra implicitly. Most users use this method: |
| 35 |
they go to the website, look up a fingerprint, import it, verify with it, |
| 36 |
etc. They don't use the trustdb to make these decisions. |
| 37 |
|
| 38 |
|
| 39 |
> |
| 40 |
> |
| 41 |
> > +The fingerprint of this key is published |
| 42 |
> > +on the Gentoo website and users are requested to sign this key to enable |
| 43 |
> > +key validity via Authority Keys. |
| 44 |
> |
| 45 |
> This is problematic. Nobody should ever sign something because it was |
| 46 |
> published somewhere. I know this will be a hard challenge but I believe |
| 47 |
> the L1 key can only be created if infra people will meet in person: |
| 48 |
> |
| 49 |
> - This will guarantee that nobody will take a copy of the L1 key, |
| 50 |
> assuming we trust these people (maybe do this during a Gentoo conference |
| 51 |
> so other people can watch the ceremony). |
| 52 |
> |
| 53 |
|
| 54 |
We could do something like generate the L1 key in a nitrokey if you wanted. |
| 55 |
It would be somewhat problematic to durably tie it to the hardware like |
| 56 |
that, but it seems fairly straightforward and costs 50$. Watching the |
| 57 |
'ceremony' at a conference is not sufficient to prevent key ex-filtration; |
| 58 |
you have to trust the laptop, the code its running on, etc. As mgorny |
| 59 |
notes, trust must be rooted somewhere in this model. |
| 60 |
|
| 61 |
Maybe you could build some kind of weird multi-factor solution where e.g.: |
| 62 |
|
| 63 |
robbat2 brings the laptop. |
| 64 |
mgorny brings a USB stick with some OS on it |
| 65 |
antarus brings the nitrokey |
| 66 |
|
| 67 |
The likelihood that we can generate a key safely is likely high in that |
| 68 |
environment. You still end up trusting all of us to not steal the key |
| 69 |
somehow and obviously there are occasions when we need to use the key (e.g. |
| 70 |
L2 key rotation) and all the same caveats apply to that use. |
| 71 |
|
| 72 |
|
| 73 |
> - We will sign L1 only because it was signed by infra person X which we |
| 74 |
> met in person. E.g. nobody should sign L1 key who hasn't met anyone who |
| 75 |
> already signed that key. Because mgorny and antarus for example never |
| 76 |
> met somone else according to current WoT graph, trust anchor will |
| 77 |
> probably be robbat2 -> k_f -> ... for most people. But signing something |
| 78 |
> because you were asked to do so without *any* trust anchor should be a |
| 79 |
> no go. |
| 80 |
> |
| 81 |
|
| 82 |
I don't particularly disagree with this, but I also don't think signing the |
| 83 |
L1 is a critical portion of the proposal. |
| 84 |
|
| 85 |
|
| 86 |
> |
| 87 |
> My main criticisms, however, is that this system will create a false |
| 88 |
> sense of security (authenticity to be precise): |
| 89 |
> |
| 90 |
|
| 91 |
Like mgorny' I'm going to mostly ignore everything below, because its |
| 92 |
unrelated to the proposal. I will assert there is one snag here: |
| 93 |
|
| 94 |
1) I'm an existing Gentoo user. |
| 95 |
2) I have a web of trust. |
| 96 |
3) I verify the tip of tree with my web[0] |
| 97 |
|
| 98 |
If I then participate in this proposal: |
| 99 |
1) I would go to api.g.o and get the L1 FP |
| 100 |
2) I'd import it into my web and trust it. |
| 101 |
3) Suddenly I potentially trust a bunch more keys because I'm trusting the |
| 102 |
L1 key. |
| 103 |
4) Its plausible for a commit to be marked-bad with my pre-L1 web, but OK |
| 104 |
in my L1 web, and I don't think there is a way to tell the difference. |
| 105 |
|
| 106 |
The second outcome is bad for users who use their web to verify a tree and |
| 107 |
its likely those users should *not* trust the L1 key[1]. |
| 108 |
|
| 109 |
[0] Since many committers are not in the web, I'm already skeptical, but |
| 110 |
lets assume its possible. |
| 111 |
[1] Now we get into more confusing situations where we have subwebs and |
| 112 |
various trust-levels and I'm just not sure how that works out, or how the |
| 113 |
software acts when there is a conflict. In theory I'd want two keyrings |
| 114 |
here right, one is my "real web" that I trust more than the "L1 web" and if |
| 115 |
the real one says its bad, and the L1 says its good, I should trust the |
| 116 |
real one and ignore the L1. But since its challenging to validate all |
| 117 |
commits with just the real web, I potentially need both webs to verify all |
| 118 |
commits and the L1 is a simple way to say "hey all of these keys are Gentoo |
| 119 |
keys." |
| 120 |
|
| 121 |
|
| 122 |
> Let's say Gentoo has a developer named Bob. |
| 123 |
> |
| 124 |
> Bob's local system will get compromised. Attacker will gain access to |
| 125 |
> Bob's SSH key and will also find Bob's Gentoo LDAP password. |
| 126 |
> |
| 127 |
> With the SSH key, the attacker will be able to connect to |
| 128 |
> dev.gentoo.org. The LDAP password will allow the attacker to add or |
| 129 |
> replace Bob's GPG fingerprint. |
| 130 |
> |
| 131 |
> Thanks to the new system, an automatic process will sign that new GPG key. |
| 132 |
> |
| 133 |
> The attacker is now able to manipulate an ebuild for example and push |
| 134 |
> that change. If no one happens to review the commit for some reason and |
| 135 |
> notice the malicious change, attack will be successful, because the |
| 136 |
> commit has a valid signature. |
| 137 |
> |
| 138 |
> That's basically status quo (see #1). |
| 139 |
> |
| 140 |
|
| 141 |
> Once we detect the compromise, we would disable Bob's access and revoke |
| 142 |
> all signatures. But this doesn't matter anymore. |
| 143 |
|
| 144 |
Also keep in mind that currently we only validate last commit. If |
| 145 |
> another developer will add his/her commit on top of the attacker's |
| 146 |
> change, the attacker's key doesn't matter anymore. |
| 147 |
|
| 148 |
|
| 149 |
> My point is, you cannot automate trust. Yes, if someone has to change |
| 150 |
> his/her key it will be a pain for everyone... but that's part of the |
| 151 |
> game. The difference would be that nobody would sign that new key the |
| 152 |
> attacker added to LDAP because it wasn't signed by Bob's previous key |
| 153 |
> everyone trusted. So everyone would ping Bob asking what's going on. If |
| 154 |
> this would be a legitimate key change, Bob would explain that (and |
| 155 |
> probably sign that new key with the old key or he would have to |
| 156 |
> establish a new WoT). If this wasn't a legitimate key change, we would |
| 157 |
> notice... |
| 158 |
> |
| 159 |
> I am basically back at #1. Why do we need GLEP 79? It doesn't improve |
| 160 |
> anything for real aside adding a lot of complexity. Wrong? |
| 161 |
> |
| 162 |
|
| 163 |
The assertion is that most users don't use a web (and don't want to) and |
| 164 |
for those users its a net improvement to trust the L1 key. If you already |
| 165 |
use a web then the value in this proposal is diminished due to the extra |
| 166 |
risk the L1 key poses for your trust db. |
| 167 |
|
| 168 |
-A |
| 169 |
|
| 170 |
|
| 171 |
> |
| 172 |
> |
| 173 |
> -- |
| 174 |
> Regards, |
| 175 |
> Thomas Deutschmann / Gentoo Linux Developer |
| 176 |
> C4DD 695F A713 8F24 2AA1 5638 5849 7EE5 1D5D 74A5 |
| 177 |
> |
| 178 |
> |
Archives