From: Tobias Geerinckx-Rice via Bug reports for GNU Guix <bug-guix@gnu.org>
To: Maxime Devos <maximedevos@telenet.be>
Cc: ludo@gnu.org, 57091@debbugs.gnu.org
Subject: bug#57091: Git authentication reports subkey fingerprints
Date: Thu, 11 Aug 2022 18:31:41 +0200 [thread overview]
Message-ID: <c7478dba8725cc173d443cb5172f3279@tobias.gr> (raw)
In-Reply-To: <fc12e652-af4b-c107-c8cb-06730f75f084@telenet.be>
Hi Maxime,
Quick reply mainly to say thanks for replying :-)
On 2022-08-11 17:07, Maxime Devos wrote:
> On 11-08-2022 13:17, Tobias Geerinckx-Rice wrote:
>
>> Apologies if I'm wildly off the mark here. But then I'd like to
>> hear some plausible threat models. Maxime?
>
> Here's a problem with allowing subkeys, if that's what you mean:
(Well, you snipped my previous paragraph where I mention what you seem
to describe below, so yes.)
> * Expiration times and GPG-level revocation must be ignored (for
> time-travel, and pulling from an old Guix), similarly to why it must
> be ignored for when no subkeys are used
> * Someone used to GPG-style subkeys generates a new subkey to
> replace old expired subkey or revokes old subkey, without keeping in
> mind that Guix doesn't take that in account.
> * An attacker uses a compromised-but-revoked-or-expired subkey to
> compromise the channel.
Why does none of this apply to primary keys?
> Expiration times might be solvable by taking the commit time of the
> previous commit as 'current time' (not the commit that was signed,
> otherwise an attacker could just lie). I don't know a solution for
> GPG-level revocation of old subkeys but I haven't looked either.
Git commit dates aren't reliable. Requiring that they be accurate going
forward would be imposing yet another 'artificial'/idiosyncratic
limitation. I think we should be very hesitant to build a verification
system on assumptions stacked just so.
> Another problem:
>
> * When replacing the key in the 'keyring' branch with an 'updated'
> key that contains the new subkey, we have to be careful to never
> remove old subkeys, to avoid breaking time travel or pulling from old
> versions.
Sure. We always need to be careful when updating the keyring branch.
Kind regards,
T G-R
Sent from a Web browser. Excuse or enjoy my brevity.
next prev parent reply other threads:[~2022-08-11 16:32 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-08-09 21:07 bug#57091: Git authentication reports subkey fingerprints Ludovic Courtès
2022-08-09 21:20 ` Maxime Devos
2022-08-11 10:24 ` Ludovic Courtès
2022-08-11 11:17 ` Tobias Geerinckx-Rice via Bug reports for GNU Guix
2022-08-11 11:33 ` Tobias Geerinckx-Rice via Bug reports for GNU Guix
2022-08-11 15:07 ` Maxime Devos
2022-08-11 16:31 ` Tobias Geerinckx-Rice via Bug reports for GNU Guix [this message]
2022-08-11 18:10 ` Maxime Devos
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=c7478dba8725cc173d443cb5172f3279@tobias.gr \
--to=bug-guix@gnu.org \
--cc=57091@debbugs.gnu.org \
--cc=ludo@gnu.org \
--cc=maximedevos@telenet.be \
--cc=me@tobias.gr \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).