Re: Keys/Signature use in OSTree/Flatpak/Flathub
On Fri, Sep 30, 2016, at 09:36 AM, Alexander Larsson wrote:

> Walters, I know your current plans are more about relying on SSL+cert
> pinning for metadata. What are your opinions on something more complex
> like this?

It's a huge amount of work, not just to implement in code, but also in
maintenance for server operators.

Currently, Docker Notary is an implementation of TUF, and it's worth
looking at their docs:

https://docs.docker.com/notary/running_a_service/
https://docs.docker.com/notary/service_architecture/

And really if you look at the list of TUF implementations:
https://theupdateframework.github.io/

They are pretty much all either design discussions or prototypes,
but not production.

I don't disagree that TUF has a strong threat model, but what I would
say broadly is that if you compare it with pubkey-pinned TLS to a centralized
metadata server, a lot of the advantages drop away.

For example, I'd say cert-pinned TLS addresses the "freeze attack". 

There are already *lots* of tools to manage TLS certificates, and
browser-side infrastructure like https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning

So basically I assert that combining two well known and proven technologies:

- GPG signatures for *static* assertions (yes, no revocation, but that's
  just how it works and everyone understands that)
  (Alternatively, one can use something other than GPG, like alpine's
  use of simple ed25519 signatures)
- pubkey-pinned TLS to a centralized (metadata) server

Mostly addresses the TUF threat model.

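Worked example (added here; it is not code from this thread, from OSTree, Flatpak or apk): the two legs proposed above, built on Go's standard library. An HPKP-style SPKI pin (base64 of the SHA-256 over the DER SubjectPublicKeyInfo) is enforced from tls.Config.VerifyPeerCertificate while the usual CA and hostname checks are switched off, so only the pinned key can terminate the connection to the metadata server; separately, a detached ed25519 signature covers an immutable metadata blob in the apk style. The host name flathub.example, the self-signed server certificate, the loopback server, and the summary and commit strings are constructed for the demo, and the function names are mine.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// must is a demo-only shortcut that aborts on any setup error.
func must(err error) {
	if err != nil {
		panic(err)
	}
}

// spkiPin computes the HPKP "pin-sha256" value: base64(SHA-256(DER SubjectPublicKeyInfo)).
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// verifyPinned returns a callback with the tls.Config.VerifyPeerCertificate signature. It parses
// the raw leaf itself (with InsecureSkipVerify the verified-chains argument is nil) and accepts
// the peer only if the leaf's SPKI hash is in the pin set; the CA chain plays no part.
func verifyPinned(pins map[string]bool) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return fmt.Errorf("pinning: peer sent no certificate")
		}
		leaf, err := x509.ParseCertificate(rawCerts[0])
		if err != nil {
			return err
		}
		if got := spkiPin(leaf); !pins[got] {
			return fmt.Errorf("pinning: leaf SPKI %s not in pin set", got)
		}
		return nil
	}
}

// selfSignedCert makes a throwaway ECDSA server certificate for the constructed demo server.
func selfSignedCert(host string) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	leaf, err := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, leaf, err
}

// Static-assertion leg: a detached ed25519 signature over immutable metadata, the apk-style
// alternative to GPG named in the mail. There is no revocation here; trust is the shipped public key.
func newSigningKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	must(err)
	return pub, priv
}
func signStatic(priv ed25519.PrivateKey, blob []byte) []byte { return ed25519.Sign(priv, blob) }
func verifyStatic(pub ed25519.PublicKey, blob, sig []byte) bool { return ed25519.Verify(pub, blob, sig) }

func main() {
	serverCert, leaf, err := selfSignedCert("flathub.example") // hypothetical host
	must(err)
	pin := spkiPin(leaf) // shipped to clients out of band, exactly like an HPKP pin
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{serverCert}})
	must(err)
	go func() { // metadata server: hand out one constructed summary line
		if c, err := ln.Accept(); err == nil {
			c.Write([]byte("summary: commit=constructed-demo-id\n"))
			c.Close()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		InsecureSkipVerify:    true, // no CA or hostname check: the pin alone decides
		VerifyPeerCertificate: verifyPinned(map[string]bool{pin: true}),
	})
	must(err)
	buf := make([]byte, 128)
	n, _ := conn.Read(buf)
	conn.Close()
	ln.Close()
	fmt.Printf("pinned fetch ok: %q\n", buf[:n])
	pub, priv := newSigningKey()
	blob := []byte("ostree commit constructed-demo-id") // constructed static metadata
	fmt.Println("ed25519 signature over static metadata valid:", verifyStatic(pub, blob, signStatic(priv, blob)))
}
```

Run it with go run: it brings up the pinned server on a loopback port, fetches one line through the pinned connection, then signs and verifies the static blob. Because the pin replaces the CA check rather than adding to it, rotating the server key means shipping the new pin to clients before the old key goes away; the same holds for the ed25519 verification key, which has no revocation path either.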
