
List:       qubes-devel
Subject:    Re: [qubes-devel] PSA: keep your code signing keys inaccessible to email clients
From:       Marek Marczykowski-Górecki <marmarek () invisiblethingslab ! com>
Date:       2018-05-16 15:12:14
Message-ID: 20180516151214.GA11683 () mail-itl

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Mon, May 14, 2018 at 11:37:03AM -0400, Jean-Philippe Ouellet wrote:
> On Mon, May 14, 2018 at 11:28 AM, Konstantin Ryabitsev
> <konstantin@linuxfoundation.org> wrote:
> > On 05/14/18 11:20, Jean-Philippe Ouellet wrote:
> > > Shouldn't be terribly surprising to this crowd, but: https://efail.de/
> > > 
> > > Simply using split-gpg does *NOT* protect you against this, especially
> > > if you have agent authorization with a non-zero timeout.
> > > 
> > > The immediate impact on Qubes developers is that one should use
> > > separate keys for email and code signing, have your secret keys in
> > > separate split-gpg backend domains, and not allow any VM with an email
> > > client to make requests to the VM holding your code-signing keys. In
> > > other words, have disjoint sets of development and communication
> > > domains.
> > 
> > Not that it's a wrong recommendation, but the efail stuff is not about
> > exposing keys -- it's a way to leak cleartext via HTML messages. There
> > is no way efail would allow leaking someone's signing keys.
> > 
> > Regards,
> 
> Ah, indeed. You're right.
> 
> Still though.

Even if this issue doesn't allow stealing private keys, we do have
separate keys for code signing. Generally our policy for keys included
in qubes-builder/qubes-developers-keys.asc is:
1. Key generated and stored in dedicated VM, using split gpg.
2. Key used solely for Qubes OS code signing (not even just code
   signing)
3. Separate devel VM with access to that key (qubes.Gpg service policy).

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlr8Sk0ACgkQ24/THMrX
1ywAuwgAmtCL6HKf05q3nWrfB6ETnn6PK5vGJy8eDv0wNyf23NQ8jHh0Nf9nUSB4
hjpuhMpjVY4IRfeKNmNdp55d5bljzV1ArZpM+00sicZrciFU+i1XoRCtVNxuiaZC
pfIEkKp2ymNuESUiJ15c8lK//VQD/NS8OaziwdP1er1mNPcyEy7vXTvpx84i7xRB
c/WgTA3PTjHqoVN2AoXkzSoFXjbBbJhCOpH1Maov/jvNoyFXZv0Xm/CUXb2NY9Fo
E8EmhO8wd+zR73YRK/OEZ3/ZZX8tOqUGdkmyAvNa3v2b4eIzrtbyhfCuVjDs6F/h
yoKSCek8Nbym0qX8K8bfUgrj+OHDLA==
=g+eQ
-----END PGP SIGNATURE-----

-- 
You received this message because you are subscribed to the Google Groups "qubes-devel" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-devel+unsubscribe@googlegroups.com. To post to this group, send email to qubes-devel@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-devel/20180516151214.GA11683%40mail-itl. For more options, visit https://groups.google.com/d/optout.
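The qubes.Gpg service policy that point 3 above refers to, written out as an added illustration (this is not a file from the Qubes project or from the thread; the VM names mail-vm, devel-vm, gpg-mail-backend and gpg-codesign-backend are assumed, and the path and line syntax are those of the Qubes 4.0/4.1 legacy policy format, where older 4.0 installs spell the keywords with $ instead of @):

```text
## /etc/qubes-rpc/policy/qubes.Gpg   (illustrative; VM names are assumed)
##
## Format: <source VM>  <destination VM>  <action>
## Lines are matched top to bottom; the first match wins.

## Communication side: the VM running the email client may only reach
## the backend that holds the email key.
mail-vm     gpg-mail-backend       allow

## Development side: only the devel VM may reach the backend that holds
## the Qubes OS code-signing key.
devel-vm    gpg-codesign-backend   allow

## Every other pairing is refused by dom0 before the request reaches any
## backend. This covers mail-vm -> gpg-codesign-backend, and it also
## replaces the default "@anyvm @anyvm ask" rule, so no prompt appears.
@anyvm      @anyvm                 deny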

