From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp10.migadu.com ([2001:41d0:2:bcc0::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms5.migadu.com with LMTPS id UCecFBIv9WJwbAAAbAwnHQ (envelope-from ) for ; Thu, 11 Aug 2022 18:32:18 +0200 Received: from aspmx1.migadu.com ([2001:41d0:2:bcc0::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp10.migadu.com with LMTPS id 0BGwExIv9WID8QAAG6o9tA (envelope-from ) for ; Thu, 11 Aug 2022 18:32:18 +0200 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id E7D3F11556 for ; Thu, 11 Aug 2022 18:32:17 +0200 (CEST) Received: from localhost ([::1]:53732 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1oMB6X-0004jD-50 for larch@yhetil.org; Thu, 11 Aug 2022 12:32:17 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:34320) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1oMB6I-0004i0-82 for bug-guix@gnu.org; Thu, 11 Aug 2022 12:32:09 -0400 Received: from debbugs.gnu.org ([209.51.188.43]:36932) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1oMB6H-0002aY-WB for bug-guix@gnu.org; Thu, 11 Aug 2022 12:32:02 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1oMB6H-00039I-M3 for bug-guix@gnu.org; Thu, 11 Aug 2022 12:32:01 -0400 X-Loop: help-debbugs@gnu.org Subject: bug#57091: Git authentication reports subkey fingerprints Resent-From: Tobias Geerinckx-Rice Original-Sender: "Debbugs-submit" Resent-CC: bug-guix@gnu.org Resent-Date: Thu, 11 Aug 2022 16:32:01 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 57091 X-GNU-PR-Package: guix X-GNU-PR-Keywords: To: Maxime Devos Cc: ludo@gnu.org, 57091@debbugs.gnu.org X-Debbugs-Original-Cc: Ludovic =?UTF-8?Q?Court=C3=A8s?= , bug-guix@gnu.org, 57091@debbugs.gnu.org Received: via spool by submit@debbugs.gnu.org id=B.166023551512091 (code B ref -1); Thu, 11 Aug 2022 16:32:01 +0000 Received: (at submit) by debbugs.gnu.org; 11 Aug 2022 16:31:55 +0000 Received: from localhost ([127.0.0.1]:54914 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1oMB6A-00038x-Tb for submit@debbugs.gnu.org; Thu, 11 Aug 2022 12:31:55 -0400 Received: from lists.gnu.org ([209.51.188.17]:41018) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1oMB67-00038g-Q1 for submit@debbugs.gnu.org; Thu, 11 Aug 2022 12:31:52 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:34308) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1oMB67-0004h6-G2 for bug-guix@gnu.org; Thu, 11 Aug 2022 12:31:51 -0400 Received: from tobias.gr ([2a02:c205:2020:6054::1]:56690) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1oMB65-0002Zl-G0; Thu, 11 Aug 2022 12:31:51 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=2018; bh=aPcEf7TC5TPtw MrTg43nm4vDEc/Y8h7R5JI7ePMFOR0=; h=references:in-reply-to:subject:cc: to:from:date; d=tobias.gr; b=eZEjJWLEbdpRQullhU2L/H7UDh2cZtgMcbNvRHc6H PIzUUhuBDHkCtpuTyObFmrfkP4J5elZqy3L8Ajo8kJ1Vm2N8CDdVovGGYPaB7yd57PniM3 R9no78LR2tdWre+YN0zomNbYgWMn2wtRgEncqKIhojg9BxHY2GdmkSAeRPqSBCuLHK7ue2 SgrS0g4GVuyGuNH7Fk9bfD+dW97HVPlAfDQGHGWGt7u2sQ8YLZiQqhnkqU64L91iolXo3l n4w9pMk06lHKC0r9v9eaVAHGYBUEYva4F1Jq8+1fB44oVXQPoHA05csweDtk0VXS7hJq/5 w23XfzgY83eMZLTuUeVpA== Received: by submission.tobias.gr (OpenSMTPD) with ESMTP id 5993a4bb; Thu, 11 Aug 2022 16:31:42 +0000 (UTC) MIME-Version: 1.0 Date: Thu, 11 Aug 2022 18:31:41 +0200 In-Reply-To: References: <87iln12kjc.fsf@inria.fr> <78149f79-5620-fae9-1ba3-4ed25c2154c5@telenet.be> <878rnvxelk.fsf@gnu.org> <5330DDA4-F1AD-4F99-B6A5-5CDA2D975983@tobias.gr> Message-ID: Content-Type: text/plain; charset=US-ASCII; format=flowed Content-Transfer-Encoding: 7bit Received-SPF: pass client-ip=2a02:c205:2020:6054::1; envelope-from=me@tobias.gr; helo=tobias.gr X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: bug-guix@gnu.org List-Id: Bug reports for GNU Guix List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: bug-guix-bounces+larch=yhetil.org@gnu.org Sender: "bug-Guix" Reply-to: Tobias Geerinckx-Rice From: Tobias Geerinckx-Rice via Bug reports for GNU Guix X-Migadu-Flow: FLOW_IN X-Migadu-To: larch@yhetil.org X-Migadu-Country: US ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1660235538; h=from:from:sender:sender:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding:resent-cc: resent-from:resent-sender:resent-message-id:in-reply-to:in-reply-to: references:references:list-id:list-help:list-unsubscribe: list-subscribe:list-post:dkim-signature; bh=aPcEf7TC5TPtwMrTg43nm4vDEc/Y8h7R5JI7ePMFOR0=; b=dBRuhZ2aXzDRrFt5PJkhSyj6YizBy+l4KZKY4e+ZV4c/Jll7SSocxm2aZRciIG7F0sTqFQ fUoOQ2jLEmF6UCOa4VdCViwNi4Bbv8RJstxQn90AvM6T1gNDuoYTSOBW6xCatYic7CsXfF VDcMU3TZPUMy3pHgzA482jC0sBVLSLn5OP/cnnXgElQgTwfW4y+f0e384wLhiyN+BOkUxP Rk3sNI4DEkktUEjErMphqpRaCUXFylYcSX3kJuumeG8ty/yBPnvOUvIFC2vD+BV9PHWg9y lyEMaMzzKa34qq320qmi/Hp4cx+qbzjv6T120bbUXHBca0kY5O5K3kz2LoP8VA== ARC-Seal: i=1; s=key1; d=yhetil.org; t=1660235538; a=rsa-sha256; cv=none; b=LIuJz3dlHwZD3J2slvQBVei+NPcq6T+6FCnUOhTt+buYYlkoDNLcnidzFTDIWeR0tl5GOm 3SntBglQu3BmI16LFgKcvKmuuAbrj7QoBbu+T8K10OqYbW7lrA7haCf/Tptjqs6BY6b56Z pfrw7H+FCiaa6PgiWRGZgS9+8t9akwqM6M/j2eq2pZ9IXt9rgE4YbLfY+47lQ7b+FITxR8 pxZn9fCIQXX6CZyBJPe50Ehpz+JIdqCipAgZbn6dOJu96ZlqZSgWzr46vYGmO7OoVNKE3Z HUu04eS46pyoWGOJ7lfVsQIXeVWynHP8uUMhQoR/ohYO9NcoDvZRDLiw6PuFFA== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=fail ("headers rsa verify failed") header.d=tobias.gr header.s=2018 header.b=eZEjJWLE; dmarc=pass (policy=none) header.from=gnu.org; spf=pass (aspmx1.migadu.com: domain of "bug-guix-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="bug-guix-bounces+larch=yhetil.org@gnu.org" X-Migadu-Spam-Score: -4.08 Authentication-Results: aspmx1.migadu.com; dkim=fail ("headers rsa verify failed") header.d=tobias.gr header.s=2018 header.b=eZEjJWLE; dmarc=pass (policy=none) header.from=gnu.org; spf=pass (aspmx1.migadu.com: domain of "bug-guix-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="bug-guix-bounces+larch=yhetil.org@gnu.org" X-Migadu-Queue-Id: E7D3F11556 X-Spam-Score: -4.08 X-Migadu-Scanner: scn0.migadu.com X-TUID: xsejI5TR2J26 Hi Maxime, Quick reply mainly to say thanks for replying :-) On 2022-08-11 17:07, Maxime Devos wrote: > On 11-08-2022 13:17, Tobias Geerinckx-Rice wrote: > >> Apologies if I'm wildly off the mark here. But then I'd like to >> hear some plausible threat models. Maxime? > > Here's a problem with allowing subkeys, if that's what you mean: (Well, you snipped my previous paragraph where I mention what you seem to describe below, so yes.) > * Expiration times and GPG-level revocation must be ignored (for > time-travel, and pulling from an old Guix), similarly to why it must > be ignored for when no subkeys are used > * Someone used to GPG-style subkeys generates a new subkey to > replace old expired subkey or revokes old subkey, without keeping in > mind that Guix doesn't take that in account. > * An attacker uses a compromised-but-revoked-or-expired subkey to > compromise the channel. Why does none of this apply to primary keys? > Expiration times might be solvable by taking the commit time of the > previous commit as 'current time' (not the commit that was signed, > otherwise an attacker could just lie). I don't know a solution for > GPG-level revocation of old subkeys but I haven't looked either. Git commit dates aren't reliable. Requiring that they be accurate going forward would be imposing yet another 'artificial'/idiosyncratic limitation. I think we should be very hesitant to build a verification system on assumptions stacked just so. > Another problem: > > * When replacing the key in the 'keyring' branch with an 'updated' > key that contains the new subkey, we have to be careful to never > remove old subkeys, to avoid breaking time travel or pulling from old > versions. Sure. We always need to be careful when updating the keyring branch. Kind regards, T G-R Sent from a Web browser. Excuse or enjoy my brevity.