1 |
I will probably end up repeating a lot of what mgorny has said later, but |
2 |
I'll try to be concise ;) |
3 |
|
4 |
I want to start with a premise, which is that most users don't have a trust |
5 |
web, and so saying things like "we should build a web this way" or "users |
6 |
should use a web" is self-defeating, our target userbase doesn't have one. |
7 |
|
8 |
On Sun, Mar 10, 2019 at 12:53 PM Thomas Deutschmann <whissi@g.o> |
9 |
wrote: |
10 |
|
11 |
> Hi, |
12 |
> |
13 |
> I know I am late but... |
14 |
> |
15 |
> 1) I still don't understand the motivation for this. What will |
16 |
> change/improve/be possible in future vs. status quo? |
17 |
> |
18 |
> 2) This sounds like a blackbox only a few people know/understand: |
19 |
> |
20 |
|
21 |
> > +The single L1 Authority Key is used only to (manually) certify the L2 |
22 |
> > +Keys, and is kept securely offline following the Infrastructure policies |
23 |
> > +on protecting primary keys. |
24 |
> |
25 |
> However, the L1 key is critical, especially if all devs will sign that |
26 |
> key. E.g. this will allow people with access to L1 to establish a new |
27 |
> tree without the knowledge of everyone who signed the key but the new |
28 |
> tree will be able to issue new signatures and everyone will accept them |
29 |
> because L1 is trusted. Unacceptable. Process must be clear for |
30 |
> _everyone_. No blackbox. |
31 |
> |
32 |
|
33 |
Currently infra can make the website do whatever it wants, so anyone |
34 |
chaining to LE already trusts Infra implicitly. Most users use this method: |
35 |
they go to the website, look up a fingerprint, import it, verify with it, |
36 |
etc. They don't use the trustdb to make these decisions. |
37 |
|
38 |
|
39 |
> |
40 |
> |
41 |
> > +The fingerprint of this key is published |
42 |
> > +on the Gentoo website and users are requested to sign this key to enable |
43 |
> > +key validity via Authority Keys. |
44 |
> |
45 |
> This is problematic. Nobody should ever sign something because it was |
46 |
> published somewhere. I know this will be a hard challenge but I believe |
47 |
> the L1 key can only be created if infra people will meet in person: |
48 |
> |
49 |
> - This will guarantee that nobody will take a copy of the L1 key, |
50 |
> assuming we trust these people (maybe do this during a Gentoo conference |
51 |
> so other people can watch the ceremony). |
52 |
> |
53 |
|
54 |
We could do something like generate the L1 key in a nitrokey if you wanted. |
55 |
It would be somewhat problematic to durably tie it to the hardware like |
56 |
that, but it seems fairly straightforward and costs 50$. Watching the |
57 |
'ceremony' at a conference is not sufficient to prevent key ex-filtration; |
58 |
you have to trust the laptop, the code its running on, etc. As mgorny |
59 |
notes, trust must be rooted somewhere in this model. |
60 |
|
61 |
Maybe you could build some kind of weird multi-factor solution where e.g.: |
62 |
|
63 |
robbat2 brings the laptop. |
64 |
mgorny brings a USB stick with some OS on it |
65 |
antarus brings the nitrokey |
66 |
|
67 |
The likelihood that we can generate a key safely is likely high in that |
68 |
environment. You still end up trusting all of us to not steal the key |
69 |
somehow and obviously there are occasions when we need to use the key (e.g. |
70 |
L2 key rotation) and all the same caveats apply to that use. |
71 |
|
72 |
|
73 |
> - We will sign L1 only because it was signed by infra person X which we |
74 |
> met in person. E.g. nobody should sign L1 key who hasn't met anyone who |
75 |
> already signed that key. Because mgorny and antarus for example never |
76 |
> met somone else according to current WoT graph, trust anchor will |
77 |
> probably be robbat2 -> k_f -> ... for most people. But signing something |
78 |
> because you were asked to do so without *any* trust anchor should be a |
79 |
> no go. |
80 |
> |
81 |
|
82 |
I don't particularly disagree with this, but I also don't think signing the |
83 |
L1 is a critical portion of the proposal. |
84 |
|
85 |
|
86 |
> |
87 |
> My main criticisms, however, is that this system will create a false |
88 |
> sense of security (authenticity to be precise): |
89 |
> |
90 |
|
91 |
Like mgorny' I'm going to mostly ignore everything below, because its |
92 |
unrelated to the proposal. I will assert there is one snag here: |
93 |
|
94 |
1) I'm an existing Gentoo user. |
95 |
2) I have a web of trust. |
96 |
3) I verify the tip of tree with my web[0] |
97 |
|
98 |
If I then participate in this proposal: |
99 |
1) I would go to api.g.o and get the L1 FP |
100 |
2) I'd import it into my web and trust it. |
101 |
3) Suddenly I potentially trust a bunch more keys because I'm trusting the |
102 |
L1 key. |
103 |
4) Its plausible for a commit to be marked-bad with my pre-L1 web, but OK |
104 |
in my L1 web, and I don't think there is a way to tell the difference. |
105 |
|
106 |
The second outcome is bad for users who use their web to verify a tree and |
107 |
its likely those users should *not* trust the L1 key[1]. |
108 |
|
109 |
[0] Since many committers are not in the web, I'm already skeptical, but |
110 |
lets assume its possible. |
111 |
[1] Now we get into more confusing situations where we have subwebs and |
112 |
various trust-levels and I'm just not sure how that works out, or how the |
113 |
software acts when there is a conflict. In theory I'd want two keyrings |
114 |
here right, one is my "real web" that I trust more than the "L1 web" and if |
115 |
the real one says its bad, and the L1 says its good, I should trust the |
116 |
real one and ignore the L1. But since its challenging to validate all |
117 |
commits with just the real web, I potentially need both webs to verify all |
118 |
commits and the L1 is a simple way to say "hey all of these keys are Gentoo |
119 |
keys." |
120 |
|
121 |
|
122 |
> Let's say Gentoo has a developer named Bob. |
123 |
> |
124 |
> Bob's local system will get compromised. Attacker will gain access to |
125 |
> Bob's SSH key and will also find Bob's Gentoo LDAP password. |
126 |
> |
127 |
> With the SSH key, the attacker will be able to connect to |
128 |
> dev.gentoo.org. The LDAP password will allow the attacker to add or |
129 |
> replace Bob's GPG fingerprint. |
130 |
> |
131 |
> Thanks to the new system, an automatic process will sign that new GPG key. |
132 |
> |
133 |
> The attacker is now able to manipulate an ebuild for example and push |
134 |
> that change. If no one happens to review the commit for some reason and |
135 |
> notice the malicious change, attack will be successful, because the |
136 |
> commit has a valid signature. |
137 |
> |
138 |
> That's basically status quo (see #1). |
139 |
> |
140 |
|
141 |
> Once we detect the compromise, we would disable Bob's access and revoke |
142 |
> all signatures. But this doesn't matter anymore. |
143 |
|
144 |
Also keep in mind that currently we only validate last commit. If |
145 |
> another developer will add his/her commit on top of the attacker's |
146 |
> change, the attacker's key doesn't matter anymore. |
147 |
|
148 |
|
149 |
> My point is, you cannot automate trust. Yes, if someone has to change |
150 |
> his/her key it will be a pain for everyone... but that's part of the |
151 |
> game. The difference would be that nobody would sign that new key the |
152 |
> attacker added to LDAP because it wasn't signed by Bob's previous key |
153 |
> everyone trusted. So everyone would ping Bob asking what's going on. If |
154 |
> this would be a legitimate key change, Bob would explain that (and |
155 |
> probably sign that new key with the old key or he would have to |
156 |
> establish a new WoT). If this wasn't a legitimate key change, we would |
157 |
> notice... |
158 |
> |
159 |
> I am basically back at #1. Why do we need GLEP 79? It doesn't improve |
160 |
> anything for real aside adding a lot of complexity. Wrong? |
161 |
> |
162 |
|
163 |
The assertion is that most users don't use a web (and don't want to) and |
164 |
for those users its a net improvement to trust the L1 key. If you already |
165 |
use a web then the value in this proposal is diminished due to the extra |
166 |
risk the L1 key poses for your trust db. |
167 |
|
168 |
-A |
169 |
|
170 |
|
171 |
> |
172 |
> |
173 |
> -- |
174 |
> Regards, |
175 |
> Thomas Deutschmann / Gentoo Linux Developer |
176 |
> C4DD 695F A713 8F24 2AA1 5638 5849 7EE5 1D5D 74A5 |
177 |
> |
178 |
> |