
Discuss how to manage online and offline keys #4

Merged
merged 7 commits into from
Oct 9, 2019

Conversation

trishankatdatadog
Collaborator

More juicy details

Member

@lukpueh lukpueh left a comment


LGTM! Please fix one typo and consider my other two style suggestions.

pep-0458.txt Outdated
@@ -504,22 +491,110 @@ MUST be offline and independent of other keys. For simplicity of key
management, without sacrificing security, it is RECOMMENDED that the keys of
the *targets* role be permanently discarded as soon as they have been created
and used to sign for the role. Therefore, the *targets* role SHOULD require
(1, 1) keys. Again, this is because the keys are going to be permanently
(2, 3) keys. Again, this is because the keys are going to be permanently
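Review bot: the justification that follows the changed threshold ("Again, this is because the keys are going to be permanently ...") was written for (1, 1), where discarding the keys right after the single signing makes a higher threshold pointless; with the value raised to (2, 3) that sentence no longer explains the number chosen. If the intent is that one weakly generated key should not be fatal, say so in the text and note that (2, 2) already gives that property when the keys are never reused; otherwise the threshold and its rationale contradict each other.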


If we're discarding, why 2,3?

Collaborator Author


So that a key generation weakness is hopefully not fatal


How does 2,3 help more than 2,2 or 3,3 if we're tossing the keys? I'm not sure I understand the threshold rationale. Should we clarify / change this? I'm okay with 1,1 or 2,2 or really anything given this is PEP 458.

Collaborator Author


Ok, I see the point of contention now. Yes, (2, 2) should be reasonable.
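As an added illustration of the (t, n) threshold being debated above (example code, not from PEP 458 or from this PR): a client accepts a role's metadata only when at least `threshold` distinct keys listed for that role have produced valid signatures, so the threshold governs verification of the one signature set that survives the keys being discarded. The HMAC-based `sign`/`verify` and the key names are a constructed stand-in for a real public-key scheme.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-in for a public-key scheme: each keyid maps to a secret and a
# "signature" is an HMAC over the signed bytes. Real TUF metadata uses e.g.
# ed25519, but the threshold rule a client enforces is identical.
KEY_SECRETS = {"key-a": b"secret-a", "key-b": b"secret-b", "key-c": b"secret-c"}


def sign(keyid: str, signed: bytes) -> str:
    return hmac.new(KEY_SECRETS[keyid], signed, hashlib.sha256).hexdigest()


def verify(keyid: str, signed: bytes, sig: str) -> bool:
    return hmac.compare_digest(sign(keyid, signed), sig)


@dataclass(frozen=True)
class RoleKeys:
    """A role's (threshold, keyids) as delegated to it in root/targets metadata."""
    keyids: frozenset
    threshold: int


def threshold_met(role: RoleKeys, signed: bytes, signatures: list) -> bool:
    """True iff at least `role.threshold` DISTINCT authorised keys signed `signed`.

    Signatures from keys not listed for the role are ignored, and a second
    signature from an already-counted key does not raise the count: with
    (2, n) keys, two signatures from key-a still leave the threshold unmet.
    """
    valid = set()
    for keyid, sig in signatures:
        if keyid not in role.keyids or keyid in valid:
            continue
        if verify(keyid, signed, sig):
            valid.add(keyid)
    return len(valid) >= role.threshold


if __name__ == "__main__":
    # Constructed sample: a targets file signed once, after which the keys are discarded.
    targets = b'{"_type": "targets", "version": 1}'
    two_of_three = RoleKeys(frozenset(KEY_SECRETS), 2)
    sigs = [(k, sign(k, targets)) for k in ("key-a", "key-b")]
    print("2 of 3 met:", threshold_met(two_of_three, targets, sigs))
    dup = [sigs[0], sigs[0]]
    print("same key twice counted once:", threshold_met(two_of_three, targets, dup))
```

With the keys gone, (2, 2) and (2, 3) verify identically once two valid signatures exist; the third key only matters if the role were ever re-signed.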

pep-0458.txt Outdated
__ https://github.com/secure-systems-lab/securesystemslib/pull/170

Regardless of where and how this online key is kept, its use SHOULD be
carefully logged, monitored, and audited.
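Review bot: "carefully logged, monitored, and audited" leaves open what gets recorded and what it is checked against; consider stating that every signing operation with the online key produces a record (role, metadata version, time) that is reconciled against the repository's own update history, so that a signature the repository never requested stands out rather than being lost in routine timestamp and snapshot activity.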


If so, separating keys may make these tasks easier (especially timestamp from snapshot from all bin keys).

Collaborator Author


Maybe, but for little added security, just extra maintenance burden


I guess this may be true. It may or may not make auditing easier to have separate keys. Would these keys be stored in hardware in any way or all software?

Collaborator Author


Probably all software, if I had to guess. HSMs are not cheap to buy or use.

Collaborator Author


Having said that, cloud providers have good logging and auditing capabilities these days, even if the key service is software-not-hardware-backed...


@JustinCappos JustinCappos left a comment


Inline comments should be looked at.

@mnm678 mnm678 mentioned this pull request Oct 8, 2019
@trishankatdatadog
Collaborator Author

@JustinCappos Hopefully the latest commit clarifies your two questions?


@JustinCappos JustinCappos left a comment


LGTM

@JustinCappos JustinCappos merged commit 2bf2c95 into secure-systems-lab:master Oct 9, 2019