From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp0 ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms11 with LMTPS id CKa0MwKT6F7/bAAA0tVLHw (envelope-from ) for ; Tue, 16 Jun 2020 09:38:10 +0000 Received: from aspmx1.migadu.com ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp0 with LMTPS id cD6VLwKT6F4AUQAA1q6Kng (envelope-from ) for ; Tue, 16 Jun 2020 09:38:10 +0000 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 3FC669404CC for ; Tue, 16 Jun 2020 09:38:10 +0000 (UTC) Received: from localhost ([::1]:46078 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1jl82i-0004YG-VF for larch@yhetil.org; Tue, 16 Jun 2020 05:38:08 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:46168) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1jl80v-0001um-1G for guix-devel@gnu.org; Tue, 16 Jun 2020 05:36:17 -0400 Received: from fencepost.gnu.org ([2001:470:142:3::e]:52826) by eggs.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1jl80u-0000P4-Os; Tue, 16 Jun 2020 05:36:16 -0400 Received: from [2a01:e0a:1d:7270:af76:b9b:ca24:c465] (port=43810 helo=ribbon) by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256) (Exim 4.82) (envelope-from ) id 1jl80u-0006Pz-07; Tue, 16 Jun 2020 05:36:16 -0400 From: =?utf-8?Q?Ludovic_Court=C3=A8s?= To: Christopher Baines Subject: Re: K of N trust in substitutes (related to reproducible builds) References: <87lfkq8ugk.fsf@cbaines.net> X-URL: http://www.fdn.fr/~lcourtes/ X-Revolutionary-Date: 29 Prairial an 228 de la =?utf-8?Q?R=C3=A9volution?= X-PGP-Key-ID: 0x090B11993D9AEBB5 X-PGP-Key: http://www.fdn.fr/~lcourtes/ludovic.asc X-PGP-Fingerprint: 3CE4 6455 8A84 FDC6 9DB4 0CFB 090B 1199 3D9A EBB5 X-OS: x86_64-pc-linux-gnu Date: Tue, 16 Jun 2020 11:36:14 +0200 In-Reply-To: <87lfkq8ugk.fsf@cbaines.net> (Christopher Baines's message of "Sat, 13 Jun 2020 23:35:55 +0100") Message-ID: <87o8pjwdwx.fsf@gnu.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.3 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-BeenThere: guix-devel@gnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: guix-devel@gnu.org Errors-To: guix-devel-bounces+larch=yhetil.org@gnu.org Sender: "Guix-devel" X-Scanner: scn0 Authentication-Results: aspmx1.migadu.com; dkim=none; dmarc=none; spf=pass (aspmx1.migadu.com: domain of guix-devel-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-devel-bounces@gnu.org X-Spam-Score: -1.01 X-TUID: 3i+uSgMGeF89 Hi! Christopher Baines skribis: > My feeling is that making some initial step forward in this area is > going to be tricky, care needs to be taken around the security and > backwards compatibility aspects. I've now got around to actually > thinking about potential ways to make parts of this happen though, and > even changed some code [2] (although I haven't actually tried to run it > yet). Nice! > As I understand, the format for the ACL is based around [3] and I was > excited to see as part of that specification is something I think might > overlap with what I describe wanting above. Specifically, the k-of-n > bit. I think this could work something like this in an > ACL: > > (acl > (entry > (k-of-n > 2 > 3 > (public-key > (ecc > (curve Ed25519) > (q #5F5F4F321533D3A38F909785E682798933BA9BE257C97E5ABC07DD08F27B8DBF= #) > ) > ) > (public-key > (ecc > (curve Ed25519) > (q #3AF2631C5E78F520CB1DC0D438D8D6F88EEF4B8E11097A62EE2DF390E946AED0= #) > ) > ) > (public-key > (ecc > (curve Ed25519) > (q #1EEE5340C3AAD6E062A1395A88A86FC75982E8BC7DCBAE171858EEAAB14AAB77= #) > ) > ) > ) > (tag > (guix import) > ) > ) > ) > > 3: http://theworld.com/~cme/spki.txt > > Using the above ACL, you'd trust a substitute for a path with a specific > hash if you can find 2 narinfos for that path and hash if they're signed > with keys in that entry. Multiple entries would still be supported, and > you wouldn't need to specify the k-of-n bit if you don't want to. > > I'm not quite sure how expressive this is, or if there are some policies > that would be good to support that either can't be expressed, or can't > be expressed easily. There's probably other approaches, and how to > support trusting substitutes is an important part to consider. I would be tempted to not bake it into /etc/guix/acl. You would still authorize all the servers, but instead of choosing a policy that accepts anything signed by one of them, as is currently the case, you would choose a policy that only accepts something signed by two of them. The policy would be implemented in (guix scripts substitute). I haven=E2= =80=99t put much thought into it but it could be something akin to =E2=80=98lookup-narinfos/diverse=E2=80=99, roughly. Thoughts? Ludo=E2=80=99.