
[Freedombox-discuss] PGP Keyserver



On Fri, Dec 09, 2011 at 01:18:09PM -0500, James Vasile wrote:
> On Fri, 9 Dec 2011 18:36:14 +0100, Eugen Leitl <eugen at leitl.org> wrote:
> > On Fri, Dec 09, 2011 at 12:18:14PM -0500, James Vasile wrote:
> > 
> > > Key servers are public.  You don't want to put your private key on one.
> > > If you want to move your keyring from one machine to another, you can
> > > copy over the .gnupg directory.
> > 
> > By the way, what is the plan to manage the code-signing root?
> > Obviously freedomboxes would be really juicy MITM targets, so
> > what kind of physical security and compartment separation
> > for secrets are you planning?
> 
> Physical security of end user FreedomBoxes is beyond our scope.

No, I meant how will you handle the signing key for your packages.
Because of the sensitive nature there will be considerable incentives
on part of many to get hold of the master key (both to 0wn
individual freedomboxes or to mass-brick the entire alternet by
compromising the depositories and publishing correctly signed
malicious security updates).

I strongly suggest that handling of the code-signing and secret-handling
part be given some thought. Both physical security and whether
the signing will be done on air-gapped machines or at least in provably
secured compartments.

> Separating secrets is a hard one to plan until we know better what
> secrets there are and how apps will want to access them.  Our approach
> to MITM attacks is to use GPG to verify identity wherever we can.

I presume if not opportunistic end-to-end encryption between boxes
there will be VPN tunnels (OpenVPN or tinc). SSL cert fingerprints
should be cached and given treatment like Firefox's Certificate
Patrol/Convergence.

Particularly, if you're occupying the same ecologic niche as
Facebook you have access to social graph information to verify trust by
out-of-band signalling ("hey, your snakeoil cert fingerprint
just changed, what's up?").
> > 
> > How are software updates planned, for that matter? Self-hosted
> > via p2p or regular Debian depositories?
> 
> So far, the plan is to use the regular Debian mirror network, with sign
> off from Bdale.

Will Bdale be the guy in charge of the signing key?

-- 
Eugen* Leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE
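The Certificate Patrol-style fingerprint caching suggested in the message above, as an added example that is not part of this thread or of the FreedomBox code: a trust-on-first-use store that remembers the SHA-256 fingerprint seen for each host and flags a change for out-of-band confirmation before the new one is accepted. The host name and the "certificate" byte strings are constructed placeholders standing in for real DER data.

```python
import hashlib
import json
from pathlib import Path
from typing import Optional

def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form OpenSSL prints."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

class FingerprintCache:
    """Host -> fingerprint store; persisted to JSON when a path is given."""
    def __init__(self, path: Optional[Path] = None):
        self.path = Path(path) if path else None
        self.seen = {}
        if self.path and self.path.exists():
            self.seen = json.loads(self.path.read_text())

    def _save(self):
        if self.path:
            self.path.write_text(json.dumps(self.seen, indent=2, sort_keys=True))

    def observe(self, host: str, der_cert: bytes) -> dict:
        """'new' on first contact (trusted on first use), 'unchanged' on a match,
        'changed' with both fingerprints so the user can ask out of band first."""
        fp = fingerprint(der_cert)
        old = self.seen.get(host)
        if old is None:
            self.seen[host] = fp
            self._save()
            return {"status": "new", "fingerprint": fp}
        if old == fp:
            return {"status": "unchanged", "fingerprint": fp}
        return {"status": "changed", "old": old, "new": fp}

    def accept(self, host: str, der_cert: bytes) -> None:
        """Replace the cached fingerprint once the change has been confirmed."""
        self.seen[host] = fingerprint(der_cert)
        self._save()

def demo() -> list:
    """Constructed walk-through: first visit, repeat visit, changed cert, confirmation."""
    cache = FingerprintCache()                     # in-memory for the demo
    cert_a, cert_b = b"constructed DER cert A", b"constructed DER cert B"
    steps = [cache.observe("box.example", c)["status"] for c in (cert_a, cert_a, cert_b)]
    cache.accept("box.example", cert_b)            # "hey, your fingerprint changed, what's up?"
    steps.append(cache.observe("box.example", cert_b)["status"])
    return steps                                   # ['new', 'unchanged', 'changed', 'unchanged']
```

Pass a file path to `FingerprintCache` to keep the store across runs, which is what makes a later fingerprint change detectable at all.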