From: "Michał Górny" <mgorny@gentoo.org>
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] [PATCH] glep-0063: Allow a single primary/signing key for smartcards
Date: Thu, 25 Apr 2019 15:03:12 +0200 [thread overview]
Message-ID: <a8c29ae8464c6112595b15bd9c5737f92fe27c15.camel@gentoo.org> (raw)
In-Reply-To: <CAGfcS_ncvXH5NVQb=hx-4GR=woR_4amSJv99E=CMyHUusb-Heg@mail.gmail.com>
[-- Attachment #1: Type: text/plain, Size: 1996 bytes --]
On Thu, 2019-04-25 at 07:32 -0400, Rich Freeman wrote:
> The intent of the separate primary key is to reduce the risk of it
> being compromised by keeping it offline. However, if it were
> generated on a smartcard it would be exclusively be maintained
> offline, so it is counterproductive to require that it be generated
> online and then recommend that it be kept offline after this.
> Additionally this key needs to be brought back online anytime the key
> expiration is updated, which is at least annually.
You seem to be using 'offline' in two different meanings here. Yes,
smartcard technically prevents the PC from *reading* the secret key
material. However, it isn't really 'offline' as the PC can *use*
the secret key material.
In the scenario of Gentoo development, the primary use of the 'signing
slot' key is to sign commits, pushes and messages, a lot. This means
that for practical reasons you need to disable 'forcesig', or you'll
have to repeatedly enter PIN for every commit made, for every message
sent and twice for every push. If you include the extra delay due to
that, and the necessity of rebasing, you may end up being unable to
commit otherwise.
Now, the smartcard can't (or doesn't -- I haven't looked into
the details) distinguish the signing usage vs certification usage.
In other words, once you unlock the key e.g. to sign a commit, any
program can freely use the card to sign any key or subkey, without even
raising your suspicion.
To summarize, there is still a major benefit to keeping the primary key
offline -- as in, not normally accessible to the system. Whether you do
it via keeping the key on an offline system, on a dedicated smartcard
that is normally disconnected or in a dedicated smartcard slot that
requires PIN for *every* certification made, doesn't matter that much.
However, when you open it to direct abuse when using it to sign commits,
it is not 'offline'.
--
Best regards,
Michał Górny
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 963 bytes --]
prev parent reply other threads:[~2019-04-25 13:03 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-04-25 11:32 [gentoo-dev] [PATCH] glep-0063: Allow a single primary/signing key for smartcards Rich Freeman
2019-04-25 12:26 ` Marek Szuba
2019-04-25 12:55 ` Mikle Kolyada
2019-04-25 13:03 ` Michał Górny [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=a8c29ae8464c6112595b15bd9c5737f92fe27c15.camel@gentoo.org \
--to=mgorny@gentoo.org \
--cc=gentoo-dev@lists.gentoo.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox