From: Philip McGrath
To: guix-devel@gnu.org
Subject: Re: Public key pinning in guix?
Date: Sat, 8 Jan 2022 11:37:30 -0500
Message-ID: <357034c3-44f2-5ec9-e74a-314412ce2a65@philipmcgrath.com>
In-Reply-To: <8dc3fb16db64df6fd71b7ab059c517aa3e779c2b.camel@telenet.be>
References: <8dc3fb16db64df6fd71b7ab059c517aa3e779c2b.camel@telenet.be>
List-Id: "Development of GNU Guix and the GNU System distribution."

Hi,

On 1/7/22 16:24, Maxime Devos wrote:
> The purpose is to resist a compromise of the CA system. More
> concretely, if you now do "guix refresh -u minetest-moreores"
> then a MITM that compromised a CA cannot secretly replace
> minetest-moreores with a mod that mines bitcoin for the MITM,
> or something.
>
> Possibly also useful for "guix download", "guix import", "guix lint",
> "guix build --with-latest=...".
>
> A downside is that whenever content.minetest.net changes public keys,
> the pinned public key in Guix needs to be updated. How often does this
> happen? I wouldn't know. This could be partially automated with
> a "./pre-inst-env guix update-the-pinned-keys" script, and there could
> be a "GUIX_IGNORE_KEY_PINNING=yes" environment variable as escape
> hatch.
>
> WDYT, worth the trouble or not?
>

This sounds like HTTP Public Key Pinning (HPKP).[1] AIUI, HTTP Public Key
Pinning was deprecated, and support has been removed from major browser
engines by January 2020.[2][3][4] While it seemed like a good idea for
reasons like the ones you list, apparently it not only proved very
difficult for site administrators to configure, with severe consequences
for mistakes, it also enabled potential ransomware attacks and other bad
stuff.[6]

I never followed this feature closely and don't have a strongly-held
opinion on the merits, but, if the "web platform" has deprecated this
feature---more concretely, if it is Considered Harmful by sysadmins and
servers are configured with the expectation that no one does this any
more---I don't think it would improve reliability for Guix to
unilaterally revive HPKP.

-Philip

[1]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning
[2]: https://scotthelme.co.uk/hpkp-is-no-more/
[3]: http://web.archive.org/web/20200618234723/https://www.fxsitecompat.dev/en-CA/docs/2019/http-public-key-pinning-is-no-longer-supported/
[4]: https://chromestatus.com/feature/5903385005916160
[5]: https://groups.google.com/a/chromium.org/g/blink-dev/c/he9tr7p3rZ8/m/eNMwKPmUBAAJ
[6]: https://scotthelme.co.uk/using-security-features-to-do-bad-things/
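The mechanism both messages are discussing, as an added example that is not part of the thread and not Guix code: an HPKP-style check that hashes the server's DER SubjectPublicKeyInfo (SPKI), compares it against a pinned set that holds the current key plus a backup key, and rejects anything else regardless of which CA signed the certificate. Python is used here for illustration even though Guix itself is written in Guile. The environment variable name follows Maxime's suggestion and is hypothetical; the sample certificates are constructed in the block (structurally valid DER, but unsigned and with a made-up modulus) so the check runs offline, and `fetch_leaf_der` is the only part that touches the network.

```python
"""HPKP-style SubjectPublicKeyInfo pinning with only the Python standard library.

Added example for this thread, not Guix code.  A pin is base64(SHA-256(DER SPKI)),
as in RFC 7469, so a certificate a compromised CA issued for some other key fails
even though ordinary chain validation accepts it.
"""
import base64
import hashlib
import os
import socket
import ssl

# Hypothetical escape-hatch variable, named after the suggestion in the thread.
IGNORE_PINNING_ENV = "GUIX_IGNORE_KEY_PINNING"


def _read_tlv(der, offset):
    """Decode one DER tag/length header at offset -> (tag, value_start, value_end)."""
    tag, length, pos = der[offset], der[offset + 1], offset + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(der[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def spki_from_der_cert(der):
    """DER SubjectPublicKeyInfo (header included) of an X.509 certificate.

    Certificate    ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, pos, _ = _read_tlv(der, 0)  # Certificate
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, _ = _read_tlv(der, pos)  # tbsCertificate
    if tag != 0x30:
        raise ValueError("malformed tbsCertificate")
    if der[pos] == 0xA0:  # optional explicit [0] version
        _, _, pos = _read_tlv(der, pos)
    for _ in range(5):  # serialNumber, signature, issuer, validity, subject
        _, _, pos = _read_tlv(der, pos)
    tag, _, end = _read_tlv(der, pos)  # subjectPublicKeyInfo
    if tag != 0x30:
        raise ValueError("malformed subjectPublicKeyInfo")
    return der[pos:end]


def spki_pin(der_cert):
    """Pin string for a certificate: base64(SHA-256(SPKI))."""
    return base64.b64encode(hashlib.sha256(spki_from_der_cert(der_cert)).digest()).decode("ascii")


def check_pins(leaf_der, pinned, ignore=None):
    """True if the leaf's SPKI hash is in `pinned` (current key plus backup keys).

    A backup pin for a not-yet-deployed key lets the site rotate without locking
    pinned clients out; an unpinned key is rejected, which is the "pin needs
    updating" failure the thread describes.  `ignore` defaults to the escape-hatch
    variable.  Run this in addition to, not instead of, normal chain validation.
    """
    if ignore is None:
        ignore = os.environ.get(IGNORE_PINNING_ENV) == "yes"
    return ignore or spki_pin(leaf_der) in pinned


def fetch_leaf_der(host, port=443):
    """Leaf certificate (DER) from a normally validated TLS connection; needs network."""
    with socket.create_connection((host, port)) as sock:
        with ssl.create_default_context().wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


# Constructed sample data so the check runs offline: no real key, no real signature.
def _tlv(tag, value):
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _rsa_alg_id():  # AlgorithmIdentifier { rsaEncryption, NULL }
    return _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d010101")) + _tlv(0x05, b""))


def make_sample_spki(seed):
    """RSA SubjectPublicKeyInfo whose 2048-bit modulus is derived from seed (not a real key)."""
    modulus = _tlv(0x02, b"\x00" + hashlib.sha256(seed).digest() * 8)
    return _tlv(0x30, _rsa_alg_id() + _tlv(0x03, b"\x00" + _tlv(0x30, modulus + _tlv(0x02, b"\x01\x00\x01"))))


def make_sample_cert(seed):
    """Structurally valid, unsigned X.509 certificate carrying make_sample_spki(seed)."""
    utc = _tlv(0x17, b"220101000000Z")
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + _rsa_alg_id()
               + _tlv(0x30, b"") + _tlv(0x30, utc + utc) + _tlv(0x30, b"") + make_sample_spki(seed))
    return _tlv(0x30, tbs + _rsa_alg_id() + _tlv(0x03, b"\x00" * 33))
```

Against a pinned set built from `make_sample_cert(b"key-2022")` and `make_sample_cert(b"key-backup")`, the first two certificates pass and a third one with an unrelated key fails, so a server that rotates to its announced backup key keeps working while a CA-issued certificate for an attacker's key does not. The flip side is the one Philip's references describe: if the server rotates to a key that is in nobody's pinned set, every pinned client fails hard until the pin is updated or the escape hatch is used. HPKP matched pins against any certificate in the chain, including intermediates; this example checks only the leaf because that is what `getpeercert(binary_form=True)` returns.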