Re: Review of obs-sign

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, 2014-05-23 at 09:18 -0400, Matthew Miller wrote:
> On Fri, May 23, 2014 at 10:17:03AM +0200, Miroslav Suchý wrote:
> > Hi guys,
> > I would like to use obs-sign for signing packages in Copr.
> 
> More generally, it'd be nice to have security review of this plan:
> https://lists.fedoraproject.org/pipermail/infrastructure/2014-May/014345.html

As far as I understand the plan in that e-mail is:
"What we can have is have signing machine in VM with restrictive SW
defined network. If that VM can be only one VM on 
host, then it would be great."
That's really minimal information there. Is there a smart card being
used? Where do the keys reside? What is the impact of a key leakage? 

Any way let me define some criteria:
1. audit (find out what was signed in time)
2. keys must not be exportable (no-one should get those keys)

I've not mentioned accountability as I understand that only one user
signs.

For (2) I'd note that the most embarrassing issue on diginotar failure
was the fact that they had no log of what was signed. Depending on the
impact of such a leak, this may or may not be important.

For (2) I don't think a VM satisfies the isolation from the internet,
and cannot protect the keys. If the VM resides on a developer's machine,
one may just copy it over the internet. On similar designs the keys are
stored externally (smart cards or HSMs), and locked somewhere when not
in use.

regards,
Nikos


--
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/security





[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Coolkey]

  Powered by Linux