Qubes - Revocation of the Qubes Signing Key


Me

Nov 21, 2016, 11:00:12 AM
to qubes...@googlegroups.com
Does Qubes have any intention of following in the footsteps of TAILS as
proposed below?
[ see link https://tails.boum.org/doc/about/openpgp_keys/signing_key_revocation/index.en.html ]
This document proposes a mechanism for the distribution and activation
of the revocation certificate of the Tails signing key.
Goals

Covered by current proposal:

- Prevent any single individual from revoking our signing key.
- Allow a coalition of people from ta...@boum.org to revoke our signing key in case most of the people from ta...@boum.org become unavailable.
- Allow a coalition of people, not necessarily from ta...@boum.org, to revoke our signing key in case everybody or almost everybody from ta...@boum.org becomes unavailable.
- Make it hard for a coalition of people not from ta...@boum.org to revoke our signing key unless everybody or almost everybody from ta...@boum.org becomes unavailable.
- People not from ta...@boum.org shouldn't know how the shares are spread and who has them.
- People in possession of a share of the signing key should have instructions on how to use it if needed.

Groups

We define four complementary groups of trusted people:

- Group A: people from ta...@boum.org themselves
- Group B
- Group C
- Group D

All these people should have an OpenPGP key and understand what a
revocation certificate is.
Cryptographic shares

We generate a revocation certificate of the signing key and split it
into a number of cryptographic shares, using for example Shamir's secret
sharing scheme implemented by gfshare.

The following combinations of people could get together and reassemble
their shares to reconstruct a complete revocation certificate:

- Three people from ta...@boum.org: A{3}
- Two people from ta...@boum.org and one person not from ta...@boum.org: A{2}+(B|C|D)
- One person from ta...@boum.org, and two people not from ta...@boum.org but from two different groups: A+(B|C|D){2}
- Three people not from ta...@boum.org but from three different groups: (B+C+D){3}

We generate these shares:

- N shares, one for each person from ta...@boum.org
- 1 share for people in group B
- 1 share for people in group C
- 1 share for people in group D

Who knows what

- People from ta...@boum.org know the composition of each group
- People not from ta...@boum.org:
  - Are explained in which circumstances they should revoke the signing key
  - Are told to write to a certain contact email address if they decide to revoke the signing key
  - Are told that they need three different shares to reassemble the revocation certificate

Infrastructure

Everybody who owns a share is subscribed to a mailing list.
This mailing list is hosted on a trusted server different from
boum.org to be more resilient than our usual communication channels.

Changing the members of the groups B, C, or D

To add someone to a given group:

- Request someone from that group to send her share to the new person in the group.

To remove someone from a given group:

- Send new shares to everybody except to the person who is being removed.
- Request everybody to delete their previous share and track this.

Once everybody in 2 groups amongst B, C, or D has deleted their share,
it becomes impossible for them to reassemble the revocation certificate
with the previous set of shares.
Let's hope that this doesn't happen very often :)

Expiry

There is no expiry date on revocation certificates. One way of
cancelling the revocation power is to destroy all copies of shares of 2
groups amongst B, C, or D.
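The share layout quoted above, as an added illustration that is not part of the original post and is not gfshare's code or share format: byte-wise Shamir secret sharing over GF(2^8), dealt as N personal shares for group A plus one share per group B, C and D with a threshold of three, so that exactly the listed coalitions can reassemble the certificate and a second deal invalidates the old shares. The reducing polynomial 0x11d, the group sizes, the holder names and the sample certificate bytes are assumptions.

```python
import secrets

def gf_mul(a, b):
    r = 0
    while b:                   # carry-less multiply, reduced mod 0x11d (assumed polynomial)
        r ^= a if b & 1 else 0
        a = (a << 1) ^ (0x11d if a & 0x80 else 0)
        b >>= 1
    return r

def gf_inv(a):
    return next(b for b in range(1, 256) if gf_mul(a, b) == 1)

def split(secret, n, k=3):
    shares = {x: bytearray() for x in range(1, n + 1)}   # share x holds p(x) for x = 1..n
    for byte in secret:        # fresh random degree-(k-1) polynomial per byte, with p(0) = byte
        coeffs = [byte] + [secrets.randbelow(256) for _ in range(k - 1)]
        for x in shares:
            y = 0
            for c in reversed(coeffs):     # Horner evaluation of p at x
                y = gf_mul(y, x) ^ c
            shares[x].append(y)
    return {x: bytes(s) for x, s in shares.items()}

def combine(shares):
    """Lagrange interpolation at x=0 over the distinct shares given (x -> bytes)."""
    out = bytearray()
    for i in range(len(next(iter(shares.values())))):
        acc = 0
        for xj in shares:
            num = den = 1
            for xm in shares:
                if xm != xj:   # in characteristic 2: -xm == xm and xj - xm == xj ^ xm
                    num, den = gf_mul(num, xm), gf_mul(den, xj ^ xm)
            acc ^= gf_mul(shares[xj][i], gf_mul(num, gf_inv(den)))
        out.append(acc)
    return bytes(out)

def deal(cert, n_core, per_group=2):
    """N personal shares for group A; one share each for B, C, D, copied to every member (assumed sizes)."""
    s = split(cert, n_core + 3)
    holders = {f"A{i}": (i, s[i]) for i in range(1, n_core + 1)}
    for off, g in enumerate("BCD", 1):
        for j in range(1, per_group + 1):
            holders[f"{g}{j}"] = (n_core + off, s[n_core + off])
    return holders

def reassemble(holders, coalition, k=3):
    distinct = {holders[p][0]: holders[p][1] for p in coalition}   # same-group members hold one share
    return combine(distinct) if len(distinct) >= k else None      # fewer than k distinct: refuse, never guess
```

Two members of the same outside group contribute only one distinct share, which is why B{2}+C fails while A+B+C succeeds; interpolating with too few shares would return plausible-looking garbage, so the count is checked first.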

Andrew David Wong

Nov 25, 2016, 9:27:34 AM
to Me, qubes...@googlegroups.com

On 11/21/16 07:46, Me wrote:
> Do Qubes have any intention of following in the footsteps of TAILS as
> proposed below:
> [...]

This is a good idea. Tracking it here:

https://github.com/QubesOS/qubes-issues/issues/2459

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
