From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from lists.gentoo.org ([140.105.134.102] helo=robin.gentoo.org) by nuthatch.gentoo.org with esmtp (Exim 4.60) (envelope-from ) id 1FhRFX-0002R9-GW for garchives@archives.gentoo.org; Sat, 20 May 2006 13:12:07 +0000 Received: from robin.gentoo.org (localhost [127.0.0.1]) by robin.gentoo.org (8.13.6/8.13.6) with SMTP id k4KDA3wX002563; Sat, 20 May 2006 13:10:03 GMT Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) by robin.gentoo.org (8.13.6/8.13.6) with ESMTP id k4KD4Afb014408 for ; Sat, 20 May 2006 13:04:10 GMT Received: from localhost (localhost [127.0.0.1]) by smtp.gentoo.org (Postfix) with ESMTP id D9B6964464 for ; Sat, 20 May 2006 13:04:09 +0000 (UTC) Received: from smtp.gentoo.org ([127.0.0.1]) by localhost (smtp.gentoo.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 12180-08 for ; Sat, 20 May 2006 13:04:08 +0000 (UTC) Received: from [10.0.0.13] (dslb-084-063-032-000.pools.arcor-ip.net [84.63.32.0]) (using TLSv1 with cipher RC4-MD5 (128/128 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTP id 963C56442D for ; Sat, 20 May 2006 13:04:05 +0000 (UTC) Subject: Re: [gentoo-dev] Signing everything, for fun and for profit From: Patrick Lauer To: gentoo-dev@lists.gentoo.org In-Reply-To: <1148090633.7249.1.camel@localhost> References: <1147988717.32416.51.camel@localhost> <20060519042638.GB18243@curie-int.vc.shawcable.net> <1148090633.7249.1.camel@localhost> Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="=-LBb0jj4ev4aKpIZOppIS" Organization: Gentoo Date: Sat, 20 May 2006 15:03:59 +0200 Message-Id: <1148130239.6290.26.camel@localhost> Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-dev@gentoo.org Reply-to: gentoo-dev@lists.gentoo.org Mime-Version: 1.0 X-Mailer: Evolution 2.6.1 X-Virus-Scanned: amavisd-new at gentoo.org X-Spam-Status: No, score=0.436 required=5.5 tests=[AWL=-0.957, BAYES_00=-2.599, RCVD_IN_NJABL_DUL=1.946, RCVD_IN_SORBS_DUL=2.046] X-Spam-Score: 0.436 X-Spam-Level: X-Archives-Salt: 2f304993-e842-4ee3-8faf-2b7ac90392ae X-Archives-Hash: 2417969f29f8bdefdb1d9841d6d4869d --=-LBb0jj4ev4aKpIZOppIS Content-Type: text/plain Content-Transfer-Encoding: quoted-printable On Fri, 2006-05-19 at 22:03 -0400, Ned Ludd wrote: > If there is anything you or genone need to make signing happening you > have to the full support of the=20 > council That should not be difficult if the proposal is discussed and accepted by all other groups > infra it should be non-invasive and well documented > hardened/security. ... while offering good security So I suggest that infra and hardened/security warn of any problems they see, it would be silly to have a detailed battleplan only to have someone kill it at the last minute ... =3D=3D=3D=3D=3D Some short comments on robbat2's proposal: > > Summary: > > ----------- > > This is a brief summary of the suggestions and choices above. > > This summary outline is assuming a model such as the hybrid or complex > > models. > >=20 > > - Each developer shall have a GnuPG key. > > - Each developer key shall contain at least one uid, with name and Gent= oo email > > address of the developer. > > - Each developer must create a secondary cryptokey with the following > > parameters (designated as their Gentoo signing cryptokey): > > Key Type: RSA > > Key Length: 2048 or 4096 > > Expiry time: Set at 6 months out > > Usage: Marked as signing only. I think these parameters are acceptable. I can't think of compelling technical reasons to change them. > > - Each developer shall regularly update the expiry time (GnuPG enforces > > this) of the cryptokey, keeping it no further than 6 months ahead of > > the present date, except where otherwise decided. Enforcing this will be difficult, so I think it should be seen as a strong guideline (we can't stop you, but please don't mess up) > > - Each developer should have a revocation certificate for their key, an= d > > store two copies in a secure offline location (I suggest two CD-RWs, > > of different brands, stored in separate locations, refreshed every 6 > > months, but floppy disks would work as well). No way to enforce this > > - Each developer will sign all of their commits with their Gentoo > > signing cryptokey only. They should not sign anything else, nor use > > other cryptokeys for signing Gentoo commits. > > - (Optional, for those creating new keys only) a best practice would be > > to have a primary key that is marked as certifying only. Sounds reasonable =20 > > (This part here needs more discussion, which may end up that N=3D1 is > > valid). > > - There will be N master keys.=20 For N>1: who controls the master keys? > > - A master key will have a secondary cryptokey conforming to the same > > requirements as the developer Gentoo signing cryptokey. > > - A master key will certify all Gentoo developer keys on a regular > > basis. This can be done on 4 month intervals safely, with once-off > > events to sign keys of incoming developers, or other special cases. Why not sync this to the 6 month expiry time? Also you might want to add: - All keys and the master key shall be made available on Gentoo media (install-cd etc) and other ressources (ebuilds, download from known locations, stored on public keyservers) > > - When a developer leaves, the certification on their key shall be > > revoked. > > - Both infra and the council should hold the revocation control for a > > master key in some way so that cooperation is needed to actually revo= ke > > a master key. This will be very tricky to implement.=20 > > (For future stuff:) > > For performing releases of Gentoo (releng), a designated key be used, > > and be certified by the master key. This should be discussed with releng. While I don't see why they should disagree I dislike forcing any policy on others. =20 > > Outstanding points: > > ------------------- > > - Discussion of how the keymaster(s) should operate to maintain the > > keyring. Plus, of course, what to sign, how to sign it, how to handle failures. Patrick --=20 Stand still, and let the rest of the universe move --=-LBb0jj4ev4aKpIZOppIS Content-Type: application/pgp-signature; name=signature.asc Content-Description: This is a digitally signed message part -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3-ecc0.1.6 (GNU/Linux) iD8DBQBEbxO+qER3hOUoZM4RAj9RAKCLdsY8g6XVcEHq9hPdWuO9g/zlqACZAe80 TXWI7/qtMwJ/3wokOZDLWcs= =F3Id -----END PGP SIGNATURE----- --=-LBb0jj4ev4aKpIZOppIS-- -- gentoo-dev@gentoo.org mailing list