On 11-08-2022 13:17, Tobias
Geerinckx-Rice wrote:
Apologies if I'm wildly off the mark here. But then I'd like to hear some plausible threat models. Maxime?
Here's a problem with allowing subkeys, if that's what you mean:
- Expiration times and GPG-level revocation must be ignored (for
time-travel, and pulling from an old Guix), similarly to why it
must be ignored for when no subkeys are used
- Someone used to GPG-style subkeys generates a new subkey to
replace old expired subkey or revokes old subkey, without
keeping in mind that Guix doesn't take that in account.
- An attacker uses a compromised-but-revoked-or-expired subkey
to compromise the channel.
Expiration times might be solvable by taking the commit time of
the previous commit as 'current time' (not the commit that was
signed, otherwise an attacker could just lie). I don't know a
solution for GPG-level revocation of old subkeys but I haven't
looked either.
Another problem:
- When replacing the key in the 'keyring' branch with an
'updated' key that contains the new subkey, we have to be
careful to never remove old subkeys, to avoid breaking time
travel or pulling from old versions.
Greetings,
Maxime.