guix-devel

Re: Public key pinning in guix?


From: Philip McGrath
Subject: Re: Public key pinning in guix?
Date: Sat, 8 Jan 2022 11:37:30 -0500
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.3.1

Hi,

On 1/7/22 16:24, Maxime Devos wrote:
> The purpose is to resist a compromise of the CA system. More
> concretely, if you now do "guix refresh -u minetest-moreores"
> then a MITM that compromised a CA cannot secretly replace
> minetest-moreores with a mod that mines bitcoin for the MITM,
> or something.
>
> Possibly also useful for "guix download", "guix import", "guix lint",
> "guix build --with-latest=...".
>
> A downside is that whenever content.minetest.net changes public keys,
> the pinned public key in Guix needs to be updated. How often does this
> happen? I wouldn't know. This could be partially automated with
> a "./pre-inst-env guix update-the-pinned-keys" script, and there could
> be a "GUIX_IGNORE_KEY_PINNING=yes" environment variable as escape
> hatch.
>
> WDYT, worth the trouble or not?


This sounds like HTTP Public Key Pinning (HPKP).[1] AIUI, HTTP Public Key Pinning was deprecated, and support has been removed from major browser engines by January 2020.[2][3][4] While it seemed like a good idea for reasons like the ones you list, apparently it not only proved very difficult for site administrators to configure, with severe consequences for mistakes, it also enabled potential ransomware attacks and other bad stuff.[6]

I never followed this feature closely and don't have a strongly-held opinion on the merits, but, if the "web platform" has deprecated this feature---more concretely, if it is Considered Harmful by sysadmins and servers are configured with the expectation that no one does this any more---I don't think it would improve reliability for Guix to unilaterally revive HPKP.

-Philip

[1]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning
[2]: https://scotthelme.co.uk/hpkp-is-no-more/
[3]: http://web.archive.org/web/20200618234723/https://www.fxsitecompat.dev/en-CA/docs/2019/http-public-key-pinning-is-no-longer-supported/
[4]: https://chromestatus.com/feature/5903385005916160
[5]: https://groups.google.com/a/chromium.org/g/blink-dev/c/he9tr7p3rZ8/m/eNMwKPmUBAAJ
[6]: https://scotthelme.co.uk/using-security-features-to-do-bad-things/
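The thread talks about "pinning the public key" of content.minetest.net without spelling out what is compared. Below is an added example (not Guix code, not code from either poster) of the HPKP-style check the proposal amounts to: take the peer certificate in DER, pull out its SubjectPublicKeyInfo, hash it, and compare base64(SHA-256) against a pin set. It also shows the two operational points raised in the thread: a pin set that already contains the *next* key so a planned rotation does not strand every client (HPKP required such a backup pin), and the GUIX_IGNORE_KEY_PINNING=yes escape hatch Maxime suggested. The certificate and keys are structural placeholders built inline for the demo, not a real certificate or real key material; the environment variable name is taken from the quoted proposal and is not an existing Guix variable.

```python
import base64
import hashlib
import os

# Added example, not Guix code. The DER helpers below are deliberately
# minimal: enough to walk a Certificate down to subjectPublicKeyInfo.


def _der(tag, payload):
    """Encode one DER TLV (short- and long-form lengths)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def _tlv(buf, pos):
    """Decode the TLV at pos; return (tag, value_start, end)."""
    tag, length, hdr = buf[pos], buf[pos + 1], 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr += n
    return tag, pos + hdr, pos + hdr + length


def extract_spki(cert_der):
    """Return the DER subjectPublicKeyInfo of an X.509 certificate.

    tbsCertificate = [0] version?, serialNumber, signature, issuer,
    validity, subject, subjectPublicKeyInfo, ...   (RFC 5280 section 4.1)
    """
    tag, tbs_pos, _ = _tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    tag, pos, _ = _tlv(cert_der, tbs_pos)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, _, nxt = _tlv(cert_der, pos)
    if tag == 0xA0:          # explicit [0] version is present (v2/v3)
        pos = nxt
    for _ in range(5):       # serial, signature, issuer, validity, subject
        _, _, pos = _tlv(cert_der, pos)
    tag, _, end = _tlv(cert_der, pos)
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return cert_der[pos:end]  # whole TLV, as HPKP hashes it


def pin_of(spki_der):
    """HPKP-style pin: base64(SHA-256(DER SPKI))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def spki_pin(cert_der):
    return pin_of(extract_spki(cert_der))


def pin_status(cert_der, pinned_pins, ignore_pinning=None):
    """'ok' when the peer key is pinned, 'mismatch' otherwise; the escape
    hatch from the thread downgrades a mismatch to 'mismatch-ignored'.
    A caller that fetches source (guix refresh, guix download) should
    abort on 'mismatch' and at most warn on 'mismatch-ignored'."""
    if ignore_pinning is None:
        ignore_pinning = os.environ.get("GUIX_IGNORE_KEY_PINNING") == "yes"
    if spki_pin(cert_der) in pinned_pins:
        return "ok"
    return "mismatch-ignored" if ignore_pinning else "mismatch"


# ---- constructed fixtures: placeholders, not real keys or certificates ----
_EC_PUBKEY_OID = b"\x06\x07\x2a\x86\x48\xce\x3d\x02\x01"     # 1.2.840.10045.2.1
_P256_OID = b"\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07"      # 1.2.840.10045.3.1.7
_ECDSA_SHA256 = b"\x06\x08\x2a\x86\x48\xce\x3d\x04\x03\x02"  # 1.2.840.10045.4.3.2


def make_spki(point):
    """SPKI for an uncompressed (fake) P-256 point."""
    return _der(0x30, _der(0x30, _EC_PUBKEY_OID + _P256_OID)
                + _der(0x03, b"\x00\x04" + point))


def build_cert(spki, v3=True):
    """Structural X.509 placeholder around spki; Names/Validity are empty
    SEQUENCEs and the signature is junk, since only the layout matters here."""
    tbs = _der(0xA0, _der(0x02, b"\x02")) if v3 else b""
    tbs += (_der(0x02, b"\x01\x23\x45") + _der(0x30, _ECDSA_SHA256)
            + _der(0x30, b"") + _der(0x30, b"") + _der(0x30, b"") + spki)
    return _der(0x30, _der(0x30, tbs) + _der(0x30, _ECDSA_SHA256)
                + _der(0x03, b"\x00" + b"\xaa" * 16))


CURRENT_SPKI = make_spki(bytes(range(64)))
NEXT_SPKI = make_spki(bytes(range(64, 128)))   # key planned for the next rotation
ROGUE_SPKI = make_spki(b"\x55" * 64)           # key in a CA-minted impostor cert

# Pin the current key and a backup, as HPKP required, so a planned
# rotation to NEXT_SPKI does not break every client at once.
PIN_SET = {pin_of(CURRENT_SPKI), pin_of(NEXT_SPKI)}

if __name__ == "__main__":
    for name, spki in (("current", CURRENT_SPKI), ("next", NEXT_SPKI),
                       ("rogue", ROGUE_SPKI)):
        print(name, pin_status(build_cert(spki), PIN_SET, ignore_pinning=False))
```

In a real fetch the DER would come from the TLS layer, for example Python's `ssl.SSLSocket.getpeercert(binary_form=True)` after the normal CA validation, and the pin check would run in addition to it, never instead of it. The rotation caveat from the thread is visible in `PIN_SET`: once content.minetest.net rotates to a key that is in neither slot, every client with the old pin set fails closed until the pinned values are updated, which is the operational hazard that led to HPKP being dropped.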


