Qubes Security Team Update
50 views
Skip to first unread message
Andrew David Wong
Nov 5, 2018, 9:29:51 PM11/5/18
to qubes...@googlegroups.com, qubes...@googlegroups.com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Dear Qubes Community,
As we recently announced, Joanna Rutkowska [01] has turned over
leadership of the Qubes OS Project to Marek Marczykowski-Górecki [02]
(see Joanna's announcement [03] and Marek's announcement [04]). In this
post, we'll discuss the implications of these changes for the Qubes
Security Team and how we're addressing them.
What is the Qubes Security Team?
- --------------------------------
The Qubes Security Team (QST) [05] is the subset of the Qubes Team [06]
that is responsible for ensuring the security of Qubes OS and the Qubes
OS Project. In particular, the QST is responsible for:
- Responding to reported security issues [07]
- Evaluating whether Xen Security Advisories (XSAs) [08] affect the
security of Qubes OS
- Writing, applying, and/or distributing security patches to fix
vulnerabilities in Qubes OS
- Writing, signing, and publishing Qubes Security Bulletins (QSBs) [09]
- Writing, signing, and publishing Qubes Canaries [10]
- Generating, safeguarding, and using the project's PGP keys [11]
As a security-oriented operating system, the QST is fundamentally
important to Qubes, and every Qubes user implicitly trusts the members
of the QST by virtue of the actions listed above.
How does the recent change in leadership affect the QST?
- --------------------------------------------------------
Until now, the two members of the QST have been Joanna and Marek. With
Joanna's new role at the Golem Project, she will no longer have time to
function as a QST member. Therefore, Joanna will officially transfer
ownership of the Qubes Master Signing Key (QMSK) [12] to Marek, and she
will no longer sign QSBs.
However, due to the nature of PGP keys, there is no way to guarantee
that Joanna will not retain a copy of the QMSK after transferring
ownership to Marek. Since anyone in possession of the QMSK is a
potential attack vector against the project, Joanna will continue to
sign Qubes Canaries [10] in perpetuity.
With Joanna's departure from the QST, Marek would remain as its sole
member. Given the critical importance of the QST to the project,
however, we believe that a single member would be insufficient.
Therefore, after careful consideration, we have selected a new member
for the QST from among our experienced Qubes Team members: Simon Gaiser
(aka HW42) [13].
About Simon
- -----------
Simon has been a member of the Qubes Team for over two years and has
been a contributor to the project since 2014. He has worked on many
different parts of the Qubes codebase, including core, Xen, kernel, and
GUI components. Earlier this year, he joined Invisible Things Lab (ITL)
and has been gaining experience with other security projects. His
thorough knowledge of Qubes OS, ability to assess the severity of
security vulnerabilities, and experience preparing Xen patches make him
very well-suited to the QST. Most importantly, both Joanna and Marek
trust him with the responsibilities of this important role. We are
pleased to announce Simon's new role as a QST member. Congratulations,
Simon, and thank you for working to keep Qubes secure!
[01] https://www.qubes-os.org/team/#joanna-rutkowska
[02] https://www.qubes-os.org/team/#marek-marczykowski-g%C3%B3recki
[03] https://www.qubes-os.org/news/2018/10/25/the-next-chapter/
[04] https://www.qubes-os.org/news/2018/10/25/thank-you-joanna/
[05] https://www.qubes-os.org/security/#the-qubes-security-team
[06] https://www.qubes-os.org/team/
[07] https://www.qubes-os.org/security/#reporting-security-issues-in-qubes-os
[08] https://www.qubes-os.org/security/xsa/
[09] https://www.qubes-os.org/security/bulletins/
[10] https://www.qubes-os.org/security/canaries/
[11] https://keys.qubes-os.org/keys/
[12] https://www.qubes-os.org/security/verifying-signatures/#1-get-the-qubes-master-signing-key-and-verify-its-authenticity
[13] https://www.qubes-os.org/team/#simon-gaiser-aka-hw42
This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2018/11/05/qubes-security-team-update/
- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEZQ7rCYX0j3henGH1203TvDlQMDAFAlvg/IsACgkQ203TvDlQ
MDB3Cw/+J3lLsNYqvBham/m2TBHoUWXMXa4B1cih9sUXLB1f1mE0Juo+UbdWL5Ux
D5Ql4vwdao3Ednhz7ulxV7Ala5cZXqx5WXxblYhLKSo4PJKcEeamIr+o1aJIPn18
Eq8uuAeomFoTd4tWB8cNDxg7e/giqNLl9BTAcl4awcnNl3fameEmZsoBugRhkExq
Mn4lK/tn1uJ9jg9bFE9tZGvpkQ4/S//MZRk3HMrQ79YZ73GrgfiNzN9KZWlYKpR0
LUGNZD/IN/QQsTSnYAGytKYBI6hCB3T3jU6J2wIIVWp3ii/w1LvWKnNP5RCGa7oc
5/IlA3Vx5JOdMfslI+1lP+X+hFeZkXT9uZgvXXy0QuyBbUoOTSfue/E6QDW/j4go
lAjwoaUNUfhhmMO4S1BAyQobkdl6cvUj5donon4EV8GlBdoc42Evgf6fN6OZwoC5
AYnF136upW+dQG+rj6NPLpYHDNgPmrlGVbQiZG+FSpV9UpGF3h1cFDraS2CwCC6h
pOuvjDA1ZzX4bG1hpi7L1m1ytFbQu8/6TnUVrOUb8qh/dyQOLgLaKhjCIj7bR1i5
cuwE6i+7JuKm+g8JdtNenV+U2hS2mZS+DSgXL//sXwvo47O1hjsAzN4rJiM9FXjT
iRw2bXhcMhFK3nvt2JcFtyiZP0ZtNFnHBlduV7pdctrwRoH1GVU=
=7rtv
-----END PGP SIGNATURE-----
Hash: SHA512
Dear Qubes Community,
As we recently announced, Joanna Rutkowska [01] has turned over
leadership of the Qubes OS Project to Marek Marczykowski-Górecki [02]
(see Joanna's announcement [03] and Marek's announcement [04]). In this
post, we'll discuss the implications of these changes for the Qubes
Security Team and how we're addressing them.
What is the Qubes Security Team?
- --------------------------------
The Qubes Security Team (QST) [05] is the subset of the Qubes Team [06]
that is responsible for ensuring the security of Qubes OS and the Qubes
OS Project. In particular, the QST is responsible for:
- Responding to reported security issues [07]
- Evaluating whether Xen Security Advisories (XSAs) [08] affect the
security of Qubes OS
- Writing, applying, and/or distributing security patches to fix
vulnerabilities in Qubes OS
- Writing, signing, and publishing Qubes Security Bulletins (QSBs) [09]
- Writing, signing, and publishing Qubes Canaries [10]
- Generating, safeguarding, and using the project's PGP keys [11]
As a security-oriented operating system, the QST is fundamentally
important to Qubes, and every Qubes user implicitly trusts the members
of the QST by virtue of the actions listed above.
How does the recent change in leadership affect the QST?
- --------------------------------------------------------
Until now, the two members of the QST have been Joanna and Marek. With
Joanna's new role at the Golem Project, she will no longer have time to
function as a QST member. Therefore, Joanna will officially transfer
ownership of the Qubes Master Signing Key (QMSK) [12] to Marek, and she
will no longer sign QSBs.
However, due to the nature of PGP keys, there is no way to guarantee
that Joanna will not retain a copy of the QMSK after transferring
ownership to Marek. Since anyone in possession of the QMSK is a
potential attack vector against the project, Joanna will continue to
sign Qubes Canaries [10] in perpetuity.
With Joanna's departure from the QST, Marek would remain as its sole
member. Given the critical importance of the QST to the project,
however, we believe that a single member would be insufficient.
Therefore, after careful consideration, we have selected a new member
for the QST from among our experienced Qubes Team members: Simon Gaiser
(aka HW42) [13].
About Simon
- -----------
Simon has been a member of the Qubes Team for over two years and has
been a contributor to the project since 2014. He has worked on many
different parts of the Qubes codebase, including core, Xen, kernel, and
GUI components. Earlier this year, he joined Invisible Things Lab (ITL)
and has been gaining experience with other security projects. His
thorough knowledge of Qubes OS, ability to assess the severity of
security vulnerabilities, and experience preparing Xen patches make him
very well-suited to the QST. Most importantly, both Joanna and Marek
trust him with the responsibilities of this important role. We are
pleased to announce Simon's new role as a QST member. Congratulations,
Simon, and thank you for working to keep Qubes secure!
[01] https://www.qubes-os.org/team/#joanna-rutkowska
[02] https://www.qubes-os.org/team/#marek-marczykowski-g%C3%B3recki
[03] https://www.qubes-os.org/news/2018/10/25/the-next-chapter/
[04] https://www.qubes-os.org/news/2018/10/25/thank-you-joanna/
[05] https://www.qubes-os.org/security/#the-qubes-security-team
[06] https://www.qubes-os.org/team/
[07] https://www.qubes-os.org/security/#reporting-security-issues-in-qubes-os
[08] https://www.qubes-os.org/security/xsa/
[09] https://www.qubes-os.org/security/bulletins/
[10] https://www.qubes-os.org/security/canaries/
[11] https://keys.qubes-os.org/keys/
[12] https://www.qubes-os.org/security/verifying-signatures/#1-get-the-qubes-master-signing-key-and-verify-its-authenticity
[13] https://www.qubes-os.org/team/#simon-gaiser-aka-hw42
This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2018/11/05/qubes-security-team-update/
- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEZQ7rCYX0j3henGH1203TvDlQMDAFAlvg/IsACgkQ203TvDlQ
MDB3Cw/+J3lLsNYqvBham/m2TBHoUWXMXa4B1cih9sUXLB1f1mE0Juo+UbdWL5Ux
D5Ql4vwdao3Ednhz7ulxV7Ala5cZXqx5WXxblYhLKSo4PJKcEeamIr+o1aJIPn18
Eq8uuAeomFoTd4tWB8cNDxg7e/giqNLl9BTAcl4awcnNl3fameEmZsoBugRhkExq
Mn4lK/tn1uJ9jg9bFE9tZGvpkQ4/S//MZRk3HMrQ79YZ73GrgfiNzN9KZWlYKpR0
LUGNZD/IN/QQsTSnYAGytKYBI6hCB3T3jU6J2wIIVWp3ii/w1LvWKnNP5RCGa7oc
5/IlA3Vx5JOdMfslI+1lP+X+hFeZkXT9uZgvXXy0QuyBbUoOTSfue/E6QDW/j4go
lAjwoaUNUfhhmMO4S1BAyQobkdl6cvUj5donon4EV8GlBdoc42Evgf6fN6OZwoC5
AYnF136upW+dQG+rj6NPLpYHDNgPmrlGVbQiZG+FSpV9UpGF3h1cFDraS2CwCC6h
pOuvjDA1ZzX4bG1hpi7L1m1ytFbQu8/6TnUVrOUb8qh/dyQOLgLaKhjCIj7bR1i5
cuwE6i+7JuKm+g8JdtNenV+U2hS2mZS+DSgXL//sXwvo47O1hjsAzN4rJiM9FXjT
iRw2bXhcMhFK3nvt2JcFtyiZP0ZtNFnHBlduV7pdctrwRoH1GVU=
=7rtv
-----END PGP SIGNATURE-----
Achim Patzner
Nov 6, 2018, 6:29:24 AM11/6/18
to qubes...@googlegroups.com
Am Montag, den 05.11.2018, 20:29 -0600 schrieb Andrew David Wong:
Until now, the two members of the QST have been Joanna and Marek. WithJoanna's new role at the Golem Project, she will no longer have time tofunction as a QST member. Therefore, Joanna will officially transferownership of the Qubes Master Signing Key (QMSK) [12] to Marek, and shewill no longer sign QSBs.However, due to the nature of PGP keys, there is no way to guaranteethat Joanna will not retain a copy of the QMSK after transferringownership to Marek. Since anyone in possession of the QMSK is apotential attack vector against the project, Joanna will continue tosign Qubes Canaries [10] in perpetuity.
For professional curiosity (some of our customers run enormous corporate CAs and have to plan for the loss/breach of the private key to the root certificate) I was already looking for a document describing the process for invalidating and recreating that root of trust. Is there one? Although I believe the necessary steps to be quite expensive in the case of Qubes to invoke it right now...
Achim
Marek Marczykowski-Górecki
Nov 6, 2018, 5:24:45 PM11/6/18
to Achim Patzner, qubes...@googlegroups.com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
We don't have it documented, but we evaluated transferring master key vs
generating new one, including splitting it in parts[1].
This is slightly different scenario, as the old key wasn't really
compromised and also is available (so can be used to cross-sign new
one). This means we could probably automate replacing it in various
places where it is used by machines. Note also most things use specific
keys signed by the master one, not the master key directly (release
package keys, code signing keys etc). The thing that does not work this
way is various places where we promote this finger print for easier
verification (our conference slides, t-shirts, etc). And also the new
key wouldn't have all those signatures that the current one collected.
So, we've decided to keep the current one, until it would be possible to
have it truly decentralized (without a need to put all the pieces in one
machine to sign something).
[1] https://github.com/QubesOS/qubes-issues/issues/2818
- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----
iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlviFKYACgkQ24/THMrX
1yxJ0gf+MV72oK8OkYHY7hW4ELKPl/b6pYSXWQAyD86zbfiIeJ6OwrFV0JwYRDhl
CfVkdjX+yE0XUdMkwBRo2wYlmGGU73Yc+m+5WkRt2K1AVIK/aRq24jqR1JtaVIqG
52Uy0AT2T/5ZibjAMsOZDchzzB8CMGMPuMiFtXdjyqxFMTMRilzMA5vecLt0FV7o
qJQmkRztPVCLWmcAe1a0/dnv9uixybjt7Hh0266zXlxb+Vu+3vxpyEir+x136zSX
9hqn0GFE4N1dLv2uMk4BYSJPdYlpyzp1wdMf7IAcNOrBDcusKxoNWY3yYbKEOi/t
nU2kxvJBItcX1PLS1J7i11NfoILV2g==
=tMUW
-----END PGP SIGNATURE-----
Hash: SHA256
generating new one, including splitting it in parts[1].
This is slightly different scenario, as the old key wasn't really
compromised and also is available (so can be used to cross-sign new
one). This means we could probably automate replacing it in various
places where it is used by machines. Note also most things use specific
keys signed by the master one, not the master key directly (release
package keys, code signing keys etc). The thing that does not work this
way is various places where we promote this finger print for easier
verification (our conference slides, t-shirts, etc). And also the new
key wouldn't have all those signatures that the current one collected.
So, we've decided to keep the current one, until it would be possible to
have it truly decentralized (without a need to put all the pieces in one
machine to sign something).
[1] https://github.com/QubesOS/qubes-issues/issues/2818
- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----
iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlviFKYACgkQ24/THMrX
1yxJ0gf+MV72oK8OkYHY7hW4ELKPl/b6pYSXWQAyD86zbfiIeJ6OwrFV0JwYRDhl
CfVkdjX+yE0XUdMkwBRo2wYlmGGU73Yc+m+5WkRt2K1AVIK/aRq24jqR1JtaVIqG
52Uy0AT2T/5ZibjAMsOZDchzzB8CMGMPuMiFtXdjyqxFMTMRilzMA5vecLt0FV7o
qJQmkRztPVCLWmcAe1a0/dnv9uixybjt7Hh0266zXlxb+Vu+3vxpyEir+x136zSX
9hqn0GFE4N1dLv2uMk4BYSJPdYlpyzp1wdMf7IAcNOrBDcusKxoNWY3yYbKEOi/t
nU2kxvJBItcX1PLS1J7i11NfoILV2g==
=tMUW
-----END PGP SIGNATURE-----
Reply all
Reply to author
Forward
0 new messages