From: Maxime Devos <maximedevos@telenet.be>
To: Tobias Geerinckx-Rice <me@tobias.gr>
Cc: ludo@gnu.org, 57091@debbugs.gnu.org
Subject: bug#57091: Git authentication reports subkey fingerprints
Date: Thu, 11 Aug 2022 20:10:48 +0200 [thread overview]
Message-ID: <95099292-6aeb-1ef2-ce96-0f216ac9b93f@telenet.be> (raw)
In-Reply-To: <c7478dba8725cc173d443cb5172f3279@tobias.gr>
[-- Attachment #1.1.1.1: Type: text/plain, Size: 2189 bytes --]
On 11-08-2022 18:31, Tobias Geerinckx-Rice wrote:
>> * Expiration times and GPG-level revocation must be ignored (for
>> time-travel, and pulling from an old Guix), similarly to why it must
>> be ignored for when no subkeys are used
>> * Someone used to GPG-style subkeys generates a new subkey to
>> replace old expired subkey or revokes old subkey, without keeping in
>> mind that Guix doesn't take that in account.
>> * An attacker uses a compromised-but-revoked-or-expired subkey to
>> compromise the channel.
>
> Why does none of this apply to primary keys?
For primary keys as they are currently used in Guix, to revoke a key
(from Guix' point of view), you remove it from .guix-authorizations, done.
For revoking subkeys, you trust GPG or whatever to take care of things,
but Guix-modified-to-allow-subkeys-too doesn't have a clue that the
subkey should be considered revoked, se bullet list above.
That could be solved by also adding a list of revoked subkeys to
.guix-authorization, but that seems opposite to the proposed change.
>> Expiration times might be solvable by taking the commit time of the
>> previous commit as 'current time' (not the commit that was signed,
>> otherwise an attacker could just lie). I don't know a solution for
>> GPG-level revocation of old subkeys but I haven't looked either.
>
> Git commit dates aren't reliable. Requiring that they be accurate
> going forward would be imposing yet another 'artificial'/idiosyncratic
> limitation. I think we should be very hesitant to build a
> verification system on assumptions stacked just so.
Yes, forbidding setting the datetime to something way off (e.g.
1970-01-01) for privacy or such is quite a limitation.
They do not have to be accurate however, as long as the discrepancies in
commit dates / actual time (*) are small compared to the expiration times.
(*) of non-attackers -- assuming frequent commits, an attacker cannot
trick the expiration mechanism into large time difference. That might
not be good enough for branches like 'wip-foo' or channels with
infrequent commits though.
Greetings,
Maxime.
[-- Attachment #1.1.1.2: Type: text/html, Size: 3278 bytes --]
[-- Attachment #1.1.2: OpenPGP public key --]
[-- Type: application/pgp-keys, Size: 929 bytes --]
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 236 bytes --]
prev parent reply other threads:[~2022-08-11 18:11 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-08-09 21:07 bug#57091: Git authentication reports subkey fingerprints Ludovic Courtès
2022-08-09 21:20 ` Maxime Devos
2022-08-11 10:24 ` Ludovic Courtès
2022-08-11 11:17 ` Tobias Geerinckx-Rice via Bug reports for GNU Guix
2022-08-11 11:33 ` Tobias Geerinckx-Rice via Bug reports for GNU Guix
2022-08-11 15:07 ` Maxime Devos
2022-08-11 16:31 ` Tobias Geerinckx-Rice via Bug reports for GNU Guix
2022-08-11 18:10 ` Maxime Devos [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=95099292-6aeb-1ef2-ce96-0f216ac9b93f@telenet.be \
--to=maximedevos@telenet.be \
--cc=57091@debbugs.gnu.org \
--cc=ludo@gnu.org \
--cc=me@tobias.gr \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).