Hi,
Philip McGrath wrote on Sat 08-01-2022 at 11:37 [-0500]:
> This sounds like HTTP Public Key Pinning (HPKP).[1] AIUI, HTTP Public
> Key Pinning was deprecated, and support has been removed from major
> browser engines by January 2020.[2][3][4] While it seemed like a good
> idea for reasons like the ones you list, apparently it not only proved
> very difficult for site administrators to configure, with severe
> consequences for mistakes, it also enabled potential ransomware attacks
> and other bad stuff.[6]
>
> I never followed this feature closely and don't have a strongly-held
> opinion on the merits, but, if the "web platform" has deprecated this
> feature---more concretely, if it is Considered Harmful by sysadmins and
> servers are configured with the expectation that no one does this any
> more---I don't think it would improve reliability for Guix to
> unilaterally revive HPKP.
It does instead sound like HPKP -- however, what I proposed is in some
sense the inverse of HPKP:
Instead of a webserver telling the client to pin a certain key, the
client has pinned a certain key in advance. So pinning is Guix'
responsibility, not the web server's.
What I propose is closer to ‘certificate pinning’ (actually
public key pinning), see e.g.
<https://blogs.fsfe.org/jens.lechtenboerger/2014/03/10/certificate-pinning-with-gnutls-in-the-mess-of-ssltls/>.
Even then, it's a bit different: the certificate of the server must
be correct according to both the root CAs in $SSL_CERT_DIR
AND the pin list.
That said, let's not use pins when doing "guix pull",
"guix perform-download" or "guix substitute" because "guix pull"
is rather essential and the guix used as the daemon is rarely
updated -- temporarily breaking "guix refresh", "guix download"
or "guix import" is much less of a problem.
* Does the fact that web browsers deprecated HPKP matter?
I don't think so. E.g. [5] says that
‘However, this exposes as part of the Open Web Platform considerations
that are external to it: specifically, the choice and selection of CAs
is a product-level security decision made by browsers or by OS vendor,
and the choice and use of sub-CAs, cross-signing, and other aspects of
the PKI hierarchy are made independently by CAs.’
I think that "guix download/refresh/import" qualifies as ‘product level’,
or ‘browser’ here, and that Guix qualifies as OS vendor.
I don't think that the bit about sub-CAs, cross-signing, etc. is relevant
here: we pin public keys, not CAs, and the public key pin can be adjusted
whenever the website decides to use another public key -- albeit with
a (hopefully brief?) period where it is temporarily inaccessible to
"guix download/refresh/import".
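
The client-side check proposed in this message, as an added example that is not part of the original mail and is not Guix code. It assumes the pin is base64(SHA-256(SubjectPublicKeyInfo)), that `ca_chain_ok` carries the result of the usual validation against the root CAs, and that hosts without a pin entry are checked against the CAs only; all function names and the sample certificate are constructed for illustration.

```python
import base64
import hashlib

# Commands the mail proposes to pin; pull/substitute/perform-download stay CA-only.
PINNED_COMMANDS = {"download", "refresh", "import"}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def spki_pin(cert_der):
    """base64(SHA-256(SubjectPublicKeyInfo)) of a DER-encoded X.509 certificate."""
    _, pos, _ = read_tlv(cert_der, 0)            # enter Certificate
    _, pos, tbs_end = read_tlv(cert_der, pos)    # enter tbsCertificate
    tag, _, end = read_tlv(cert_der, pos)
    if tag == 0xA0:                              # optional explicit [0] version
        pos = end
    for _ in range(5):                           # serial, sig alg, issuer, validity, subject
        _, _, pos = read_tlv(cert_der, pos)
    tag, _, end = read_tlv(cert_der, pos)        # subjectPublicKeyInfo, header included
    if tag != 0x30 or end > tbs_end:
        raise ValueError("subjectPublicKeyInfo not found")
    return base64.b64encode(hashlib.sha256(cert_der[pos:end]).digest()).decode()

def connection_allowed(command, host, ca_chain_ok, cert_der, pins):
    """Both checks must pass: CA validation AND (where a pin exists) the pin list."""
    if not ca_chain_ok:
        return False
    if command not in PINNED_COMMANDS or host not in pins:
        return True                              # assumption: unpinned hosts are CA-only
    return spki_pin(cert_der) in pins[host]

# Constructed sample: a certificate-shaped DER skeleton with dummy field contents.
def tlv(tag, body):
    return bytes([tag, len(body)]) + body        # short-form lengths, enough for the sample

def sample_cert(key_bytes):
    spki = tlv(0x30, tlv(0x30, b"") + tlv(0x03, b"\x00" + key_bytes))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"")
              + tlv(0x30, b"") + tlv(0x30, b"") + tlv(0x30, b"") + spki)
    return tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, b"\x00")), spki
```

Because the pin covers only the public key, a renewed certificate for the same key still matches, while a key change makes the host unreachable for the pinned commands until the pin list is updated.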