From: Philip McGrath <philip@philipmcgrath.com>
To: guix-devel@gnu.org
Subject: Re: Public key pinning in guix?
Date: Sat, 8 Jan 2022 11:37:30 -0500
Message-ID: <357034c3-44f2-5ec9-e74a-314412ce2a65@philipmcgrath.com>
In-Reply-To: <8dc3fb16db64df6fd71b7ab059c517aa3e779c2b.camel@telenet.be>
Hi,
On 1/7/22 16:24, Maxime Devos wrote:
> The purpose is to resist a compromise of the CA system. More
> concretely, if you now do "guix refresh -u minetest-moreores"
> then a MITM that compromised a CA cannot secretly replace
> minetest-moreores with a mod that mines bitcoin for the MITM,
> or something.
>
> Possibly also useful for "guix download", "guix import", "guix lint",
> "guix build --with-latest=...".
>
> A downside is that whenever content.minetest.net changes public keys,
> the pinned public key in Guix needs to be updated. How often does this
> happen? I wouldn't know. This could be partially automated with
> a "./pre-inst-env guix update-the-pinned-keys" script, and there could
> be an "GUIX_IGNORE_KEY_PINNING=yes" environment variable as escape
> hatch.
>
> WDYT, worth the trouble or not?
>
This sounds like HTTP Public Key Pinning (HPKP).[1] AIUI, HTTP Public
Key Pinning was deprecated, and support has been removed from major
browser engines by January 2020.[2][3][4] While it seemed like a good
idea for reasons like the ones you list, apparently it not only proved
very difficult for site administrators to configure, with severe
consequences for mistakes, it also enabled potential ransomware attacks
and other bad stuff.[6]
I never followed this feature closely and don't have a strongly-held
opinion on the merits, but, if the "web platform" has deprecated this
feature---more concretely, if it is Considered Harmful by sysadmins and
servers are configured with the expectation that no one does this any
more---I don't think it would improve reliability for Guix to
unilaterally revive HPKP.
-Philip
[1]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning
[2]: https://scotthelme.co.uk/hpkp-is-no-more/
[3]: http://web.archive.org/web/20200618234723/https://www.fxsitecompat.dev/en-CA/docs/2019/http-public-key-pinning-is-no-longer-supported/
[4]: https://chromestatus.com/feature/5903385005916160
[5]: https://groups.google.com/a/chromium.org/g/blink-dev/c/he9tr7p3rZ8/m/eNMwKPmUBAAJ
[6]: https://scotthelme.co.uk/using-security-features-to-do-bad-things/
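As an added illustration of the pin check Maxime sketches above (example code written for this page, not Guix's own code or anything from the thread): an HPKP-style check that hashes the server's DER SubjectPublicKeyInfo, compares it against a set of pins per host (current plus backup, so a key rotation is prepared in advance rather than breaking clients, the failure mode Philip refers to), and honours the proposed GUIX_IGNORE_KEY_PINNING escape hatch. The SPKI bytes, host pin table and key values are constructed for the demo.

```python
"""Illustrative SPKI public-key pinning check (assumed design, not Guix code)."""
import base64
import hashlib
import os
import warnings


def spki_pin(spki_der: bytes) -> str:
    """HPKP-style pin: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def check_pin(host: str, spki_der: bytes, pins: dict, env=os.environ) -> bool:
    """Return True if the server key for `host` is acceptable.

    `pins` maps hostname -> set of accepted pins (current + backup), so
    rotating a key only needs the backup pin to be on file beforehand.
    An unpinned host passes (ordinary CA validation still applies); a
    pinned host with a mismatching key fails unless the escape-hatch
    variable is set, in which case we warn loudly and allow it.
    """
    expected = pins.get(host)
    if not expected:
        return True
    if spki_pin(spki_der) in expected:
        return True
    if env.get("GUIX_IGNORE_KEY_PINNING") == "yes":
        warnings.warn(f"{host}: server key matches none of the pinned keys; "
                      "continuing because GUIX_IGNORE_KEY_PINNING=yes")
        return True
    return False


# Constructed sample keys: a DER SubjectPublicKeyInfo for Ed25519 is a fixed
# 12-byte prefix (SEQUENCE, AlgorithmIdentifier id-Ed25519, BIT STRING header)
# followed by the 32 raw key bytes; the key bytes here are arbitrary test data.
_ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")
CURRENT_KEY = _ED25519_SPKI_PREFIX + bytes(range(32))
BACKUP_KEY = _ED25519_SPKI_PREFIX + bytes(range(32, 64))
ROGUE_KEY = _ED25519_SPKI_PREFIX + bytes(range(64, 96))

# Constructed pin table: the pins would normally be literals checked into Guix.
PINS = {"content.minetest.net": {spki_pin(CURRENT_KEY), spki_pin(BACKUP_KEY)}}

if __name__ == "__main__":
    print(check_pin("content.minetest.net", CURRENT_KEY, PINS, env={}))  # True
    print(check_pin("content.minetest.net", BACKUP_KEY, PINS, env={}))   # True
    print(check_pin("content.minetest.net", ROGUE_KEY, PINS, env={}))    # False
    print(check_pin("content.minetest.net", ROGUE_KEY, PINS,
                    env={"GUIX_IGNORE_KEY_PINNING": "yes"}))            # True
```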