Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Consider setting an expiry date for the Submission Key #1139

Closed
tildelowengrimm opened this issue Oct 14, 2015 · 5 comments
Closed

Consider setting an expiry date for the Submission Key #1139

tildelowengrimm opened this issue Oct 14, 2015 · 5 comments
Labels
needs/discussion queued up for discussion at future team meeting. Use judiciously. ops/deployment security

Comments

@tildelowengrimm
Copy link

The SecureDrop Application GPG Key is not currently set to expire. Is that the right choice? It might be.
@conorsch
Copy link
Contributor

Given that the SecureDrop Application GPG Key (see #1138 for discussion of standardizing on unambiguous terminology) should never be published to keyservers, setting no expiration is more reasonable than the same practice would be for published personal keys.

That said, I can see a reasonable limit of five years or so, which would open the door to a general recommendation that all GPG keys created during SecureDrop setup (for example, journalist GPG keys for email, admin GPG keys for OSSEC alerts and communicating with FPF staff) be set to the same limit. Mostly we've abstained from recommending a similar limit on the SecureDrop Application GPG Key to ease the maintenance burden for long-running instances, but encourage best practices in GPG use is probably a more appropriate goal for the docs.

@garrettr, thoughts?

@heartsucker
Copy link
Contributor

should never be published to keyservers

I don't think it's wise to rely on this assumption. And in fact, it might even be good to have the admins sign the public key and push it so that sources can pre-encrypt things and maybe even somewhat verify the identity of the application server.

We should tell people to set it to 1 or 2 years and specify that they need to update it occasionally. We have the endpoint that lets users download the key, and FPF could use to check that no keys are about to expire and if so send 30/15/7/3/2/1 day notices telling people to extend their key's life time.

@ageis
Copy link
Contributor

ageis commented Jul 24, 2019

I agree with everyone else—better to have an expiration than none.

@eloquence eloquence changed the title Key expiration Consider setting an expiry date for the Submission Key Jun 12, 2020
@eloquence eloquence added the needs/discussion queued up for discussion at future team meeting. Use judiciously. label Jun 12, 2020
@eloquence
Copy link
Member

eloquence commented Jun 12, 2020
edited
Loading

I'm pretty skeptical about the value of introducing key expiry for the Submission Key:

  • Publication of Submission Public Keys to keyservers significantly complicates the maintenance story for admins.
  • Rotating keys manually on a regular basis significantly complicates the maintenance story for admins.
  • Having to poke news orgs regularly because of key expiry issue significantly complicates the support story for FPF.

As for the value of publishing the key in additional venues for pre-encryption, this is only likely to be used by a (perhaps vanishingly) small minority of sources.

IMO the place to revisit this story is the discussion around end-to-end encryption (#92) or a shift away from GPG altogether.

@eloquence
Copy link
Member

Closing per above, feel free to re-open if you want to make a strong counterargument.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
needs/discussion queued up for discussion at future team meeting. Use judiciously. ops/deployment security
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@eloquence @tildelowengrimm @conorsch @ageis @heartsucker