Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: GnuPG: devel

HKP keyservers over SSL

  

 
GnuPG devel RSS feed   Index | Next | Previous | View Threaded


dshaw at jabberwocky

Mar 12, 2009, 6:10 AM

Post #1 of 22 (1921 views)
Permalink
HKP keyservers over SSL
A few weeks ago, I added support for SSL to the HKP keyserver handler
(gpg(2)keys_hkp) to help test some new keyserver work that is going
on. (Though "Added" is a bit of a strong term - it's really just 4-5
lines of code to tell libcurl to accept SSL.) Anyway, Werner pointed
out that we may want to do something more than that. After all, gpgsm
manipulates X.509 certificates for lunch.

So, let's talk about it a bit: How can we do something smart here,
design-wise? It would be nice to also support client auth, and not
just the standard server validation SSL test.

Plumbing-wise, this may be a bit tricky. libcurl itself isn't really
built to take certificates from anything other than a file. It
supports multiple SSL engines (OpenSSL, NSS, GnuTLS) and the
"certificate from a file" concept is universal. My understanding is
that there is a way to manipulate the SSL connection (including
specifying certificates), but that is OpenSSL specific and wouldn't
work with one of the other backends.

David


_______________________________________________
Gnupg-devel mailing list
Gnupg-devel [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-devel


harakiri_23 at yahoo

Mar 12, 2009, 8:25 AM

Post #2 of 22 (1856 views)
Permalink
Re: HKP keyservers over SSL [In reply to]
--- On Thu, 3/12/09, David Shaw <dshaw [at] jabberwocky> wrote:

> From: David Shaw <dshaw [at] jabberwocky>
> Subject: HKP keyservers over SSL
> To: gnupg-devel [at] gnupg
> Date: Thursday, March 12, 2009, 9:10 AM

> So, let's talk about it a bit: How can we do something
> smart here, design-wise? It would be nice to also support
> client auth, and not just the standard server validation SSL
> test.



How about adding LDAP auth to gpg key search before talking about HKP.

http://lists.gnupg.org/pipermail/gnupg-users/2008-May/033370.html





_______________________________________________
Gnupg-devel mailing list
Gnupg-devel [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-devel


dshaw at jabberwocky

Mar 12, 2009, 11:31 AM

Post #3 of 22 (1858 views)
Permalink
Re: HKP keyservers over SSL [In reply to]
On Thu, Mar 12, 2009 at 08:25:55AM -0700, Harakiri wrote:
> --- On Thu, 3/12/09, David Shaw <dshaw [at] jabberwocky> wrote:
>
> > So, let's talk about it a bit: How can we do something
> > smart here, design-wise? It would be nice to also support
> > client auth, and not just the standard server validation SSL
> > test.
>
>
>
> How about adding LDAP auth to gpg key search before talking about HKP.
>
> http://lists.gnupg.org/pipermail/gnupg-users/2008-May/033370.html

I'm happy to look at a bug report, but please do not hijack other
threads to report it.

David

_______________________________________________
Gnupg-devel mailing list
Gnupg-devel [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-devel


dkg at fifthhorseman

Mar 12, 2009, 12:14 PM

Post #4 of 22 (1863 views)
Permalink
Re: HKP keyservers over SSL [In reply to]
> A few weeks ago, I added support for SSL to the HKP keyserver handler
> (gpg(2)keys_hkp) to help test some new keyserver work that is going
> on. (Though "Added" is a bit of a strong term - it's really just 4-5
> lines of code to tell libcurl to accept SSL.) Anyway, Werner pointed
> out that we may want to do something more than that. After all, gpgsm
> manipulates X.509 certificates for lunch.

There is also RFC 5081, which implements the use of OpenPGP certificates
for TLS authentication. If there's a better place for rollout of that
standard than OpenPGP keyserver queries, it doesn't spring immediately
to mind.

> So, let's talk about it a bit: How can we do something smart here,
> design-wise? It would be nice to also support client auth, and not
> just the standard server validation SSL test.

We can support client authentication with additional curl arguments as
well, via CURLOPT_SSLCERT and CURLOPT_SSLKEY. It'd be preferable to
pass something like a named pipe to the latter argument before feeding
it the key, to avoid writing the key to the filesystem.

> Plumbing-wise, this may be a bit tricky. libcurl itself isn't really
> built to take certificates from anything other than a file. It
> supports multiple SSL engines (OpenSSL, NSS, GnuTLS) and the
> "certificate from a file" concept is universal.

I don't see any significant problem with writing certificates to a
temporary file for this purpose, actually (i suppose there is the
potential cleanup hassle in weird corner-case failures). Writing keys
to a file seems more problematic, though.

> My understanding is
> that there is a way to manipulate the SSL connection (including
> specifying certificates), but that is OpenSSL specific and wouldn't
> work with one of the other backends.

We're already specifying certificates via --keyserver-options
ca-cert-file, and that works with the gnutls backend, fwiw.

--dkg
Attachments: signature.asc (0.87 KB)


dshaw at jabberwocky

Mar 12, 2009, 2:08 PM

Post #5 of 22 (1851 views)
Permalink
Re: HKP keyservers over SSL [In reply to]
On Thu, Mar 12, 2009 at 03:14:18PM -0400, Daniel Kahn Gillmor wrote:
> > A few weeks ago, I added support for SSL to the HKP keyserver handler
> > (gpg(2)keys_hkp) to help test some new keyserver work that is going
> > on. (Though "Added" is a bit of a strong term - it's really just 4-5
> > lines of code to tell libcurl to accept SSL.) Anyway, Werner pointed
> > out that we may want to do something more than that. After all, gpgsm
> > manipulates X.509 certificates for lunch.
>
> There is also RFC 5081, which implements the use of OpenPGP certificates
> for TLS authentication. If there's a better place for rollout of that
> standard than OpenPGP keyserver queries, it doesn't spring immediately
> to mind.

Does anyone implement other than GnuTLS support 5081? libcurl can be
built with different crypto libraries.

> > So, let's talk about it a bit: How can we do something smart here,
> > design-wise? It would be nice to also support client auth, and not
> > just the standard server validation SSL test.
>
> We can support client authentication with additional curl arguments as
> well, via CURLOPT_SSLCERT and CURLOPT_SSLKEY. It'd be preferable to
> pass something like a named pipe to the latter argument before feeding
> it the key, to avoid writing the key to the filesystem.

Named pipes for this are a dangerous hack. Remember that that curl
doesn't really process the CURLOPT_SSL* options. Rather, it passes
them wholesale to the underlying crypto library. I don't think we can
guarantee that all of the libraries involved here (openssl, gnutls,
nss) will do the right thing with a named pipe (no seeks allowed!).
Even if they did work today, there is no guarantee it would work
forever. It's just not a stable API we can rely on.

The key passphrase we can pass in memory - it's just the (presumably
encrypted) key itself that has no easy way to transfer. (One way to
look at it is that the key is presumably starting in the filesystem in
the GPG keyring. It does seem a shame to write it out again though.)

> > Plumbing-wise, this may be a bit tricky. libcurl itself isn't really
> > built to take certificates from anything other than a file. It
> > supports multiple SSL engines (OpenSSL, NSS, GnuTLS) and the
> > "certificate from a file" concept is universal.
>
> I don't see any significant problem with writing certificates to a
> temporary file for this purpose, actually (i suppose there is the
> potential cleanup hassle in weird corner-case failures). Writing keys
> to a file seems more problematic, though.

Right.

> > My understanding is
> > that there is a way to manipulate the SSL connection (including
> > specifying certificates), but that is OpenSSL specific and wouldn't
> > work with one of the other backends.
>
> We're already specifying certificates via --keyserver-options
> ca-cert-file, and that works with the gnutls backend, fwiw.

Of course that works. As I said before, passing things by file is
universal. The problem is that there is no reliable API for passing
things *other than* by file. As we've already established, passing
keys via file is a bit ugly. Not a catastrophe, as the key is
presumably encrypted, but certainly ugly and prone to headaches.

David

_______________________________________________
Gnupg-devel mailing list
Gnupg-devel [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-devel


dkg at fifthhorseman

Mar 12, 2009, 2:33 PM

Post #6 of 22 (1857 views)
Permalink
Re: HKP keyservers over SSL [In reply to]
On 03/12/2009 05:08 PM, David Shaw wrote:
> Does anyone implement other than GnuTLS support 5081? libcurl can be
> built with different crypto libraries.

No, only GnuTLS supports it at the moment, afaict. But GnuPG linked to
Curl linked to GnuTLS isn't a completely uncommon situation either (e.g.
that's the way the debian gnupg2 packages are configured). If gnupg
could support it in this particular case, it'd be nice (though i suspect
that's something we'd ultimately need to talk to the curl developers about).

> Named pipes for this are a dangerous hack. Remember that that curl
> doesn't really process the CURLOPT_SSL* options. Rather, it passes
> them wholesale to the underlying crypto library. I don't think we can
> guarantee that all of the libraries involved here (openssl, gnutls,
> nss) will do the right thing with a named pipe (no seeks allowed!).
> Even if they did work today, there is no guarantee it would work
> forever. It's just not a stable API we can rely on.

Hrm, yeah, that's probably true.

> Of course that works. As I said before, passing things by file is
> universal.

Actually, looking at curl_easy_setopt(3), it appears that CURLOPT_CAINFO
*doesn't* refer to a file when linked to NSS:

> When built against NSS this is the directory that the NSS cer‐
> tificate database resides in.

So even passing as a file isn't universal :( (i've never actually used
curl linked against NSS, fwiw)

It seems to me like client certificate support is something gnupg should
have eventually, but i'm not certain that the feature should hold up
anonymous TLS-wrapped HKP access. If gnupg were to support it, it would
be an additional argument --keyserver-option, right?

Another way around all of this is would be to not use curl at all, and
implement the TLS layer directly in what's now the curl shim. This
would also let us follow the HTTP upgrade approach over the same port,
but would mean more code to maintain (and probably wouldn't handle as
many edge cases as nicely as curl does for us automatically). It would
also probably bind GnuPG to a single TLS library, since i doubt anyone
wants to maintain multiple variants of the shim itself.

--dkg
Attachments: signature.asc (0.87 KB)


dshaw at jabberwocky

Mar 12, 2009, 3:20 PM

Post #7 of 22 (1858 views)
Permalink
Re: HKP keyservers over SSL [In reply to]
On Thu, Mar 12, 2009 at 05:33:35PM -0400, Daniel Kahn Gillmor wrote:

> It seems to me like client certificate support is something gnupg should
> have eventually, but i'm not certain that the feature should hold up
> anonymous TLS-wrapped HKP access.

Oh, I agree. I just don't want to do anything now that will preclude
doing the other stuff later, if we choose to. It's worth a bit of
discussion to keep our options open for later.

> If gnupg were to support it, it would
> be an additional argument --keyserver-option, right?

Probably, yes.

> Another way around all of this is would be to not use curl at all, and
> implement the TLS layer directly in what's now the curl shim. This
> would also let us follow the HTTP upgrade approach over the same port,
> but would mean more code to maintain (and probably wouldn't handle as
> many edge cases as nicely as curl does for us automatically). It would
> also probably bind GnuPG to a single TLS library, since i doubt anyone
> wants to maintain multiple variants of the shim itself.

I thought about this, but it's a path I'm reluctant to go down for all
the reasons you mention. Curl takes care of a huge amount of
annoyance for us. If we needed some special TLS code in Curl, instead
of doing something GPG-specific, it would be cleaner all around to
implement the code in a general fashion and just give it to the Curl
folks.

Tell me a bit about how you rigged up the SSLized sks server (it's a
wrapper, no?) Let's say for the sake of argument that curl supported
TLS upgrade (it doesn't - but let say it did). How difficult would it
be to you to support it in sks?

David

_______________________________________________
Gnupg-devel mailing list
Gnupg-devel [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-devel


wk at gnupg

Mar 13, 2009, 1:22 PM

Post #8 of 22 (1862 views)
Permalink
Re: HKP keyservers over SSL [In reply to]
On Thu, 12 Mar 2009 23:20, dshaw [at] jabberwocky said:

> annoyance for us. If we needed some special TLS code in Curl, instead
> of doing something GPG-specific, it would be cleaner all around to
> implement the code in a general fashion and just give it to the Curl

Given that we "control" the then-to-be server code, we won't have any
problems with ugly servers which was one of the reasons to use Curl.
Actually the original GnuPG http code has support for GnuTLS and thus it
will be easy implement TLS directly. The code might not be in GnuPG
proper, but I use copies of it in other projects.

One problem I have with Curl is that it is not GNU code and we would
like to have all main features of GNU software implemented by GNU code.
(Well, I know that David does not share this opinion.)

Anyway, we should first define the goals and then see how to accomplish
that.

What we want is to make it harder to see what keys are fetched from the
keyserver: Obviously that should be done with TLS and we need to
authenticate the server to avoid MITM attacks. For the latter we have
several options:

1. Use a full fledged X.509 based TLS authentication in the standard
way, i.e. requiring the server to use a well known root
certificate. This can be done using any GPLv3 compatible TLS code.

2. Same as one but use an OpenPGP certificate. This requires GnuTLS.

3. Use a list of server certificate fingerprints and compare against
them. For example in the DNS which is secure enough for our threat
model. Recall that the servers can still track key requests.

4. Extend X.509 to allow optional authentication using an OpenPGP
certificate. This general mechanism can also be used for all kind
of projects. It would allow to get better server authentication
while still keeping standard HTTPS semantics. There are several
ways on how to implement it; for example by creating an OpenPGP
certificate with a user ID made up of the keygrip of the regular
X.509 certificate.

5. Forget about this all and implement it properly using an anonymizer
service. That service needs to batch up queries and insert dummy
queries. Should not be to hard to get this implemented in TOR.

6. Replace the keyserver stuff using a GNUNet service. That would
soon lead to the question why not to replace encrypted email as we
are used to entirely by a p2p system. So, better forget about this
for now.

The more I think about it, option 5 (enhanced TOR) looks more and more
promising. The basic question is why to come up with a limited
anti-surveillance mechanism if we could get a strong one as well. I am
pretty sure that a few years after the major keyservers will speak TLS,
real anonymity will be requested and then we can start from scratch.

Regarding authenticated writes to the keyservers (user certificates): I
don't think that this will ever take off. It would be the first step to
a managed PKI and we all know that PKIs don't work. I see no benefits
for that.


Salam-Shalom,

Werner

--
Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz.


_______________________________________________
Gnupg-devel mailing list
Gnupg-devel [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-devel


dshaw at jabberwocky

Mar 23, 2009, 10:56 AM

Post #9 of 22 (1825 views)
Permalink
Re: HKP keyservers over SSL [In reply to]
On Fri, Mar 13, 2009 at 09:22:16PM +0100, Werner Koch wrote:

> What we want is to make it harder to see what keys are fetched from the
> keyserver: Obviously that should be done with TLS and we need to
> authenticate the server to avoid MITM attacks. For the latter we have
> several options:
>
> 1. Use a full fledged X.509 based TLS authentication in the standard
> way, i.e. requiring the server to use a well known root
> certificate. This can be done using any GPLv3 compatible TLS code.
>
> 2. Same as one but use an OpenPGP certificate. This requires GnuTLS.
>
> 3. Use a list of server certificate fingerprints and compare against
> them. For example in the DNS which is secure enough for our threat
> model. Recall that the servers can still track key requests.
>
> 4. Extend X.509 to allow optional authentication using an OpenPGP
> certificate. This general mechanism can also be used for all kind
> of projects. It would allow to get better server authentication
> while still keeping standard HTTPS semantics. There are several
> ways on how to implement it; for example by creating an OpenPGP
> certificate with a user ID made up of the keygrip of the regular
> X.509 certificate.
>
> 5. Forget about this all and implement it properly using an anonymizer
> service. That service needs to batch up queries and insert dummy
> queries. Should not be to hard to get this implemented in TOR.
>
> 6. Replace the keyserver stuff using a GNUNet service. That would
> soon lead to the question why not to replace encrypted email as we
> are used to entirely by a p2p system. So, better forget about this
> for now.
>
> The more I think about it, option 5 (enhanced TOR) looks more and more
> promising. The basic question is why to come up with a limited
> anti-surveillance mechanism if we could get a strong one as well. I am
> pretty sure that a few years after the major keyservers will speak TLS,
> real anonymity will be requested and then we can start from scratch.

Personally, I like both options 1 and 5. I like the TOR idea (5) a
lot. It's a clever way to work around some of the limitations of a
public keyserver network. In the immediate sense, however, I see no
reason to not support some of the other options as well. A
TLS-wrapped hkp (1) does not affect a TOR implementation (and can, in
fact, be used with a TOR implementation), and gives protection against
casual snooping by a third party of which keys are being requested.
So doing (1) does not block us from doing (5) either soon or in the
future, plus even in the absence of TOR, (1) means more encryption on
the wire, which is generally good for network hygiene.

> Regarding authenticated writes to the keyservers (user certificates): I
> don't think that this will ever take off. It would be the first step to
> a managed PKI and we all know that PKIs don't work. I see no benefits
> for that.

I can see a use case for user certs to create private keyservers, but
that's a fairly limited use case.

I wonder if client certs might be more useful for server to server
communications, rather than the client to server communications. The
catch, of course, is that given how the keyserver gossip protocol
works, a given keyserver pool must be willing to exclude everyone who
does not similarly use client certs.

David

_______________________________________________
Gnupg-devel mailing list
Gnupg-devel [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-devel


dkg at fifthhorseman

Mar 24, 2009, 5:17 PM

Post #10 of 22 (1818 views)
Permalink
Re: HKP keyservers over SSL [In reply to]
Sorry, i somehow missed this message when it first came in :(

On 03/13/2009 04:22 PM, Werner Koch wrote:
> Actually the original GnuPG http code has support for GnuTLS and thus it
> will be easy implement TLS directly. The code might not be in GnuPG
> proper, but I use copies of it in other projects.
>
> One problem I have with Curl is that it is not GNU code and we would
> like to have all main features of GNU software implemented by GNU code.
> (Well, I know that David does not share this opinion.)

I'd be interested in seeing this happen. I think that making sure
critical infrastrcture works with all-GNU tools is a worthwhile ambition.

> 1. Use a full fledged X.509 based TLS authentication in the standard
> way, i.e. requiring the server to use a well known root
> certificate. This can be done using any GPLv3 compatible TLS code.
>
> 2. Same as one but use an OpenPGP certificate. This requires GnuTLS.

Or any other TLS suite that opts to implement RFC 5081. If the goal is
all-GNU then using GnuTLS for (1) makes sense anyway, and it's a short
jump from there to (2), assuming we can get some server-side support in
place on popular keyservers.

> 3. Use a list of server certificate fingerprints and compare against
> them. For example in the DNS which is secure enough for our threat
> model. Recall that the servers can still track key requests.

I don't think i understand this option. Why is the DNS sufficiently
secure here?

> 4. Extend X.509 to allow optional authente ication using an OpenPGP
> certificate. This general mechanism can also be used for all kind
> of projects. It would allow to get better server authentication
> while still keeping standard HTTPS semantics. There are several
> ways on how to implement it; for example by creating an OpenPGP
> certificate with a user ID made up of the keygrip of the regular
> X.509 certificate.

I'm very intrigued by this idea, though i think it has larger
implications outside of HKP. My current thought along these lines was
to use the same underlying key, but to provide an OpenPGP certificate
matching the CN of the X.509 certificate. So a failed X.509 validation
(e.g. from a trivially-created self-signed X.509 cert) would trigger a
lookup within the user's local keyring based on the same name (assuming
the CN matches the remote host of course).

If gpg showed full calculated validity for that OpenPGP certificate, and
the public key material matches the key material from the self-signed
X.509 cert, then the connection would be considered to be properly
authenticated.

It seems to me that the new semantics this approach introduces for the
User ID are more closely aligned to the common User ID semantics than an
X.509 keygrip would be. But i could be missing other drawbacks, too. I
welcome feedback on this idea.

> 5. Forget about this all and implement it properly using an anonymizer
> service. That service needs to batch up queries and insert dummy
> queries. Should not be to hard to get this implemented in TOR.

I've described in other e-mails why i think tor is a good idea, but an
orthogonal one to the use of TLS. I don't think the two approaches
address the same problem space.

> 6. Replace the keyserver stuff using a GNUNet service. That would
> soon lead to the question why not to replace encrypted email as we
> are used to entirely by a p2p system. So, better forget about this
> for now.

;) I think a GNUNet service that focuses on distributing key material
would be a great thing to have, but i don't see it replacing HKP any
time soon, with all the HKP clients that exist.

> The more I think about it, option 5 (enhanced TOR) looks more and more
> promising. The basic question is why to come up with a limited
> anti-surveillance mechanism if we could get a strong one as well. I am
> pretty sure that a few years after the major keyservers will speak TLS,
> real anonymity will be requested and then we can start from scratch.

In a future where the keyservers all speak TLS, and gpg supports TLS
queries, users can opt to use tor or not without needing to change gpg,
no? Can't gpg users already use tor for keyserver lookups in fact? (i
haven't tried it myself).

> Regarding authenticated writes to the keyservers (user certificates): I
> don't think that this will ever take off. It would be the first step to
> a managed PKI and we all know that PKIs don't work. I see no benefits
> for that.

I agree that authenticated (via TLS) writes seem fundamentally
meaningless. As long as the keyservers check that an uploaded OpenPGP
certificate is cryptographically valid, it's not clear that there's any
reason to require an additional layer of per-transaction client
authentication in order to accept a write.

--dkg
Attachments: signature.asc (0.87 KB)


freebsd-listen at fabiankeil

Mar 28, 2009, 10:11 AM

Post #11 of 22 (1783 views)
Permalink
Re: HKP keyservers over SSL [In reply to]
David Shaw <dshaw [at] jabberwocky> wrote:

> On Fri, Mar 13, 2009 at 09:22:16PM +0100, Werner Koch wrote:
>
> > What we want is to make it harder to see what keys are fetched from the
> > keyserver: Obviously that should be done with TLS and we need to
> > authenticate the server to avoid MITM attacks. For the latter we have
> > several options:

> > 5. Forget about this all and implement it properly using an anonymizer
> > service. That service needs to batch up queries and insert dummy
> > queries. Should not be to hard to get this implemented in TOR.

> > The more I think about it, option 5 (enhanced TOR) looks more and more
> > promising. The basic question is why to come up with a limited
> > anti-surveillance mechanism if we could get a strong one as well. I am
> > pretty sure that a few years after the major keyservers will speak TLS,
> > real anonymity will be requested and then we can start from scratch.
>
> Personally, I like both options 1 and 5. I like the TOR idea (5) a
> lot. It's a clever way to work around some of the limitations of a
> public keyserver network. In the immediate sense, however, I see no
> reason to not support some of the other options as well. A
> TLS-wrapped hkp (1) does not affect a TOR implementation (and can, in
> fact, be used with a TOR implementation), and gives protection against
> casual snooping by a third party of which keys are being requested.

If the keyserver is properly setup as a location hidden
service, no third party should be able to snoop:
http://www.torproject.org/hidden-services.html.en

In related news, it would be great if more keyservers
were (additionally) reachable as location hidden services.

Fabian
Attachments: signature.asc (0.19 KB)


gnupg-devel at spodhuis

Mar 31, 2009, 2:53 PM

Post #12 of 22 (1762 views)
Permalink
Re: HKP keyservers over SSL [In reply to]
On 2009-03-12 at 09:10 -0400, David Shaw wrote:
> A few weeks ago, I added support for SSL to the HKP keyserver handler
> (gpg(2)keys_hkp) to help test some new keyserver work that is going
> on. (Though "Added" is a bit of a strong term - it's really just 4-5
> lines of code to tell libcurl to accept SSL.) Anyway, Werner pointed
> out that we may want to do something more than that. After all, gpgsm
> manipulates X.509 certificates for lunch.
>
> So, let's talk about it a bit: How can we do something smart here,
> design-wise? It would be nice to also support client auth, and not
> just the standard server validation SSL test.

David, some questions/suggestions if I may?

I see from the URL which you posted to sks-devel:
http://cvs.gnupg.org/cgi-bin/viewcvs.cgi/branches/STABLE-BRANCH-1-4/keyserver/gpgkeys_hkp.c?root=GnuPG&rev=4924&r1=4878&r2=4924
that you're using:
curl_easy_setopt(curl,CURLOPT_SSL_VERIFYPEER,(long)opt->flags.check_cert);

How is this expected to interact with keyserver pools? Should every
server know every pool which $random_people construct and include it in
subjectAltName? How about certificate validation for that case?

I strongly suspect that the only workable way forward here, for those
who want to have verifiable certificates, is to have the client support
Server Name Indication, SNI, per RFC 4366. The client presents the
hostname it's talking to and the server has a collection of
certificates, one for each pool it is part of, and serves up
accordingly, with some cert being default. Each pool maintainer issues
the certs to the keyserver operator and clients maintain a collection of
auxilliary trusted CA certs. Eg, ~/.gnupg/ssl-ca/<certs>. A reasonable
policy might be to require a nameConstraints extension in those CA
certs, tying each to the pool itself.

Eg, a gnupg.net CA might have:
nameConstraints=permitted;DNS:*.keys.gnupg.net,keys.gnupg.net
(if I understand the syntax correctly) and issue a cert to me for my
keyserver as CN=pdp.keys.gnupg.net with
subjectAltName=DNS:pdp.keys.gnupg.net,keys.gnupg.net,ipv6.keys.gnupg.net

The gpg client would be able to use the copy of that CA cert to validate
the served cert when round-robin for keys.gnupg.net took them to my
server. This would in no way interfere with the presence of my keyserver
in pool.sks-keyservers.net or any other pools, or the ability to reach
it directly by its own name.

The alternative is a long list of subjectAltName DNS fields which no
sane CA is going to sign and which get uncontrollable quickly as pools
come and go and no pool being able to do much to speak for the
verifiability of certificates of their members.

If instead we can establish that from day 1, hkps clients *will* use SNI
then we can then just leave it to the PGP keyservers to develop nice
admin interfaces for managing the collections of certs which a given
keyserver will use.

(For any nit-pickers out there: no, my keyserver is not currently in
keys.gnupg.net, I merely use that as an example)

Does this seem sensible?
-Phil


dkg at fifthhorseman

Apr 1, 2009, 8:27 AM

Post #13 of 22 (1768 views)
Permalink
Re: HKP keyservers over SSL [In reply to]
On 03/31/2009 05:53 PM, Phil Pennock wrote:
> I see from the URL which you posted to sks-devel:
> http://cvs.gnupg.org/cgi-bin/viewcvs.cgi/branches/STABLE-BRANCH-1-4/keyserver/gpgkeys_hkp.c?root=GnuPG&rev=4924&r1=4878&r2=4924
> that you're using:
> curl_easy_setopt(curl,CURLOPT_SSL_VERIFYPEER,(long)opt->flags.check_cert);
>
> How is this expected to interact with keyserver pools? Should every
> server know every pool which $random_people construct and include it in
> subjectAltName? How about certificate validation for that case?

I think the simple answer for this question is:

* if you're connecting to a pool run by diverse groups, do not use
HKP-over-TLS.

Put another way:

* HKP-over-TLS only really makes sense when connecting to a known,
identifiable keyserver.

In a way, this makes sense: if you're using a secure connection to a
trusted keyserver, you by definition do not want to use a pool, because
you don't know who will be in that pool.

If you really do want to use HKP-over-TLS against a pool, your
suggestion of SNI is one option:

> I strongly suspect that the only workable way forward here, for those
> who want to have verifiable certificates, is to have the client support
> Server Name Indication, SNI, per RFC 4366.

But it's not the only option. The other option would be to use OpenPGP
certificates for authentication (RFC 5081), which allow multiple User
IDs (which in this case means multiple hostnames) in a certificate.
They also allow multiple issuers per hostname certification. So, for
example, the host maintainer can add a User ID matching the actual name,
and also a User ID matching the name of any pool in which it participates.

The maintainer of any particular pool could also certify the
pool-specific User IDs for the hosts which she knows to be participating.

If we're talking about doing more work to support a TLS extension, I'd
rather see RFC 5081 be adopted (using reasonable certificates) than 4366
(ways to use multiple unreasonable certificates).

However, i think that the arguments for using HKPS tend to suggest that
a user would want to use a single known keyserver (or at least a pool
maintained by the same administrator who can give them all the same host
keys or get them all independently certified).

--dkg
Attachments: signature.asc (0.87 KB)


gnupg-devel at spodhuis

Apr 1, 2009, 3:04 PM

Post #14 of 22 (1760 views)
Permalink
Re: HKP keyservers over SSL [In reply to]
On 2009-04-01 at 11:27 -0400, Daniel Kahn Gillmor wrote:
> Put another way:
>
> * HKP-over-TLS only really makes sense when connecting to a known,
> identifiable keyserver.

My understanding is that part of the rationale for HKP-over-TLS is
simply to defeat traffic snooping and to talk to a set of keyservers
somewhat trusted to respect privacy and that total privacy is not a
major driver.

I can well see people wanting to talk to keys.gnupg.net and just to have
some reasonable confidence that the communications are private, ie that
they're talking to the keys.gnupg.net pool so no MitM to sniff. So a
private CA supported by the client works here. The pool maintainer can
add certs. The only issue is revocation, which is an issue what exists
whether the server certification is done via host PGP identities or via
x509 certs -- ie, the same issues exist for both and the client
verification logic needs to exist for both, so the complexity is
equivalent.

> If we're talking about doing more work to support a TLS extension, I'd
> rather see RFC 5081 be adopted (using reasonable certificates) than 4366
> (ways to use multiple unreasonable certificates).

First, note that curl natively and automatically supports SNI if the SSL
library supports it, AFAICT. NSS might be an exception. GnuTLS support
is used, and if OpenSSL is recent enough and built with support for SNI
then curl will automatically use it. Yesterday I wrote patches for some
common tools to support using SNI as a client -- it's extremely simple:
check the hostname isn't an IP address, then issue one call against the
handle to add some metadata that will be used later on.

So the SNI support requirement for GnuPG is to make sure that non-Curl
shims support this (trivial) and to document that hkps verification to
pools is dependent upon the backend -- GnuTLS always works, OpenSSL
depends upon the install (version and build options) -- again trivial.

Second, where does this "unreasonable" spring from? If the CA is the
pool operator, so any pool operator is their own CA with no costs to
enter the "market" beside perhaps getting the tool vendors (GnuPG) to
include their CA cert when shipping then there's no artificial barriers
to participation, no artificial revenue streams and things work simply
using existing, tested, tools and libraries.

> However, i think that the arguments for using HKPS tend to suggest that
> a user would want to use a single known keyserver (or at least a pool
> maintained by the same administrator who can give them all the same host
> keys or get them all independently certified).

Perhaps some will. And they'll pay for access to a pool of resilient
servers because it's worthwhile to them. Heck, client SSL verification
comes in.

As I understand matters, as a keyserver operator, it's rare for any
organisation to run more than one or two keyservers. Most pools are
just collections of keyservers run by someone else. HKPS lets you talk
to those pools without your local network traffic showing, in the clear,
who you want to talk to.

I use a laptop. I use wifi. For work access, I have a VPN. For
private stuff, I have SSH, SMTP-Submission-STARTTLS, IMAP/SSL and
IMAP/STARTTLS, HTTPS to private websites, etc. If I compose email and
retrieve keys for the mail, at the moment the key retrieval is the only
part which leaks, over the coffee-shop wifi, anything to do with who I'm
communicating with. The IMAP and SMTP all go to fixed servers.

I want to be able to have that be private too, whether it's at a
cafe/diner or at a conference filled with people giving demonstrations
of wifi traffic interception.

So a design which supports remote endpoint verification to have privacy
with MitM protection and which lets the pool maintainers be different
from the keyserver operators is a win; if the design can offer more than
that, great, but if it can't offer that much, it loses. With SNI, each
keyserver can be part of various pools for various constituencies
affiliated with the keyserver operator without any one acting to inhibit
membership in another pool (at a technical level; conflicting
hypothetical maintenance certification standards could reintroduce
that but then the keyserver operator can choose, in a *free* market,
which pools matter most to them and if they, eg, want to just run two
keyservers).

-Phil


dkg at fifthhorseman

Apr 1, 2009, 3:42 PM

Post #15 of 22 (1756 views)
Permalink
Re: HKP keyservers over SSL [In reply to]
On 04/01/2009 06:04 PM, Phil Pennock wrote:
> I can well see people wanting to talk to keys.gnupg.net and just to have
> some reasonable confidence that the communications are private, ie that
> they're talking to the keys.gnupg.net pool so no MitM to sniff. So a
> private CA supported by the client works here. The pool maintainer can
> add certs.

Yes, i understand (and think GnuPG should support) this use case.

> So the SNI support requirement for GnuPG is to make sure that non-Curl
> shims support this (trivial) and to document that hkps verification to
> pools is dependent upon the backend -- GnuTLS always works, OpenSSL
> depends upon the install (version and build options) -- again trivial.

I didn't know SNI implementation was this close. I agree, it sounds
like a win, and a worthwhile thing to do.

> Second, where does this "unreasonable" spring from?

Sorry, i have serious concerns over the X.509 specification and the way
that it's generally deployed [0]. But the setup you describe (with the
keyserver pool operator acting as the CA directly) is not an
unreasonable use of X.509. I shouldn't have let my general X.509
grumpiness cloud my reasoning ;)

> As I understand matters, as a keyserver operator, it's rare for any
> organisation to run more than one or two keyservers.

Right, i was thinking of two keyservers in a private pool, acting as a
redundant arrangement, much like common configurations of krb5kdc,
slapd, etc.

> If I compose email and
> retrieve keys for the mail, at the moment the key retrieval is the only
> part which leaks, over the coffee-shop wifi, anything to do with who I'm
> communicating with.

Yup. I wasn't trying to argue against SNI, just saying that if it was
significant work to be done, it seemed to me like RFC 5081 support would
be more worthwhile. I don't think they're in direct conflict other than
time of implementation, and it sounds like SNI would be simpler to do.

Thanks for the clarification,

--dkg

[0] http://lair.fifthhorseman.net/~dkg/tls-centralization
Attachments: signature.asc (0.87 KB)


gnupg-devel at spodhuis

Apr 1, 2009, 4:56 PM

Post #16 of 22 (1757 views)
Permalink
Re: HKP keyservers over SSL [In reply to]
On 2009-04-01 at 18:42 -0400, Daniel Kahn Gillmor wrote:
> Sorry, i have serious concerns over the X.509 specification and the way
> that it's generally deployed [0]. But the setup you describe (with the
> keyserver pool operator acting as the CA directly) is not an
> unreasonable use of X.509. I shouldn't have let my general X.509
> grumpiness cloud my reasoning ;)

I have serious concerns there too and am normally the one who is grumpy
on the topic of the so-called PKI, so no worries.

-Phil, who installs CA certs after receiving them PGP-signed


dshaw at jabberwocky

Apr 1, 2009, 7:42 PM

Post #17 of 22 (1749 views)
Permalink
Re: HKP keyservers over SSL [In reply to]
On Mar 31, 2009, at 5:53 PM, Phil Pennock wrote:

> On 2009-03-12 at 09:10 -0400, David Shaw wrote:
>> A few weeks ago, I added support for SSL to the HKP keyserver handler
>> (gpg(2)keys_hkp) to help test some new keyserver work that is going
>> on. (Though "Added" is a bit of a strong term - it's really just 4-5
>> lines of code to tell libcurl to accept SSL.) Anyway, Werner pointed
>> out that we may want to do something more than that. After all,
>> gpgsm
>> manipulates X.509 certificates for lunch.
>>
>> So, let's talk about it a bit: How can we do something smart here,
>> design-wise? It would be nice to also support client auth, and not
>> just the standard server validation SSL test.
>
> David, some questions/suggestions if I may?
>
> I see from the URL which you posted to sks-devel:
> http://cvs.gnupg.org/cgi-bin/viewcvs.cgi/branches/STABLE-BRANCH-1-4/keyserver/gpgkeys_hkp.c?root=GnuPG&rev=4924&r1=4878&r2=4924
> that you're using:
> curl_easy_setopt(curl,CURLOPT_SSL_VERIFYPEER,(long)opt-
> >flags.check_cert);
>
> How is this expected to interact with keyserver pools? Should every
> server know every pool which $random_people construct and include it
> in
> subjectAltName? How about certificate validation for that case?

It's an interesting question. To a certain degree, this isn't GnuPG's
problem. If the server presents a certificate where neither the
common name or the subject alternate name match the name used to
connect, the connection should (and will) fail. Curl handles all that
for us automatically.

Managing those certificates is, as you point out, fairly ugly from the
server operator's point of view...

> If instead we can establish that from day 1, hkps clients *will* use
> SNI
> then we can then just leave it to the PGP keyservers to develop nice
> admin interfaces for managing the collections of certs which a given
> keyserver will use.

I'm not against this, but there are a few practical caveats. Libcurl
added SNI support around a year ago in 7.18.1 (assuming of course
that the backend crypto library supports it). A year isn't very long
at all, so there are loads of libcurl installations that don't yet
have the proper version of libcurl (and/or openssl, etc). On those
systems, we (meaning libcurl, really) can only do common name and
subject alternate name checks. The three systems I just checked had
libcurl 7.16.3 (no SNI), 7.19.4 (SNI), and 7.15.5 (no SNI). That does
not bode well for quick adoption.

By all means, have the servers provide the right info though. The
clients will eventually catch up. This doesn't require any code
change to GPG - if libcurl supports SNI, then GPG does too. If GPG
doesn't support SNI, and the server presents the wrong certificate,
the request will fail. No real harm, since that is what would have
happened anyway if the server didn't support SNI.

Having said all that, I'm not sure if all this peer validation isn't a
bit of overkill. My main desire for hkps is that the data on the wire
is encrypted to avoid casual snooping, and you don't need any peer
validation for that.

Anyway, I might feel differently if it required a major code
commitment in GPG, but as things stand now, if the keyserver operators
want to band together and make sure their servers have a particular
cert setup and make the proper cainfo data available for clients who
want to use it, why not?

David


_______________________________________________
Gnupg-devel mailing list
Gnupg-devel [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-devel


gnupg-devel at spodhuis

Apr 1, 2009, 9:15 PM

Post #18 of 22 (1752 views)
Permalink
Re: HKP keyservers over SSL [In reply to]
On 2009-04-01 at 22:42 -0400, David Shaw wrote:
> I'm not against this, but there are a few practical caveats. Libcurl
> added SNI support around a year ago in 7.18.1 (assuming of course
> that the backend crypto library supports it). A year isn't very long
> at all, so there are loads of libcurl installations that don't yet
> have the proper version of libcurl (and/or openssl, etc). On those
> systems, we (meaning libcurl, really) can only do common name and
> subject alternate name checks. The three systems I just checked had
> libcurl 7.16.3 (no SNI), 7.19.4 (SNI), and 7.15.5 (no SNI). That does
> not bode well for quick adoption.

hkps support is not out there now. If hkps support means, in practice,
SNI support, then operators can rely upon this. If it doesn't, we're
just perpetuating the continued poor state of affairs.

How about some notes on this in the README's "BUILD INSTRUCTIONS"
stating pretty much what you just said and strongly recommending this?
Ideally with ./configure CAPS WARNINGS if hkps support is requested but
this support is not present?

(I'm not requesting work of others and doing nothing myself; I worked on
better SNI support in a variety of tools yesterday and am planning on
extending the Perl/Python patches today/tomorrow to include server-side
support).

> Having said all that, I'm not sure if all this peer validation isn't a
> bit of overkill. My main desire for hkps is that the data on the wire
> is encrypted to avoid casual snooping, and you don't need any peer
> validation for that.

When some hotel or wifi AP has played funny buggers with DNS because
they don't understand that Internet != Web, it's useful to have tools
gracefully report the problem. I like it when tools are able to report
that the problems are because it couldn't actually get an unmolested
connection to the server, rather than something else being wrong. So if
verification is a simple enough hack, I'm all for it.

> Anyway, I might feel differently if it required a major code
> commitment in GPG, but as things stand now, if the keyserver operators
> want to band together and make sure their servers have a particular
> cert setup and make the proper cainfo data available for clients who
> want to use it, why not?

Okay, once SKS 1.1.1 is out with IPv6 support, my next patching effort
there is likely to involve TLS.

Thanks,
-Phil


dshaw at jabberwocky

Apr 2, 2009, 4:45 AM

Post #19 of 22 (1752 views)
Permalink
Re: HKP keyservers over SSL [In reply to]
On Apr 2, 2009, at 12:15 AM, Phil Pennock wrote:

> On 2009-04-01 at 22:42 -0400, David Shaw wrote:
>> I'm not against this, but there are a few practical caveats. Libcurl
>> added SNI support around a year ago in 7.18.1 (assuming of course
>> that the backend crypto library supports it). A year isn't very long
>> at all, so there are loads of libcurl installations that don't yet
>> have the proper version of libcurl (and/or openssl, etc). On those
>> systems, we (meaning libcurl, really) can only do common name and
>> subject alternate name checks. The three systems I just checked had
>> libcurl 7.16.3 (no SNI), 7.19.4 (SNI), and 7.15.5 (no SNI). That
>> does
>> not bode well for quick adoption.
>
> hkps support is not out there now. If hkps support means, in
> practice,
> SNI support, then operators can rely upon this. If it doesn't, we're
> just perpetuating the continued poor state of affairs.

I quite agree. It's just that SNI support in libcurl and friends does
not yet exist in sufficient percentage of the "market". We can't make
the hkps==SNI guarantee. We can strongly suggest it, and we will
eventually get there once the newer libraries percolate through the
world, but it's not a guarantee we can make today.

> How about some notes on this in the README's "BUILD INSTRUCTIONS"
> stating pretty much what you just said and strongly recommending this?
> Ideally with ./configure CAPS WARNINGS if hkps support is requested
> but
> this support is not present?

I'm okay with this, except there isn't a good way to tell this at
compile (or even run) time. SNI in curl is hidden fairly deep under
the covers. Even if I do the inadvisable thing and warn for any
version of curl older than 7.18.1, that doesn't really give a reliable
answer, as curl might be linked against a SSL library that doesn't
support it.

>> Having said all that, I'm not sure if all this peer validation
>> isn't a
>> bit of overkill. My main desire for hkps is that the data on the
>> wire
>> is encrypted to avoid casual snooping, and you don't need any peer
>> validation for that.
>
> When some hotel or wifi AP has played funny buggers with DNS because
> they don't understand that Internet != Web, it's useful to have tools
> gracefully report the problem. I like it when tools are able to
> report
> that the problems are because it couldn't actually get an unmolested
> connection to the server, rather than something else being wrong.
> So if
> verification is a simple enough hack, I'm all for it.

Oh, don't get me wrong: verification exists in the code today. It's
even on by default (another example of a least-unhappy choice). I'm
just pointing out that it's not my main desire. If it meets someone
else's desire, that's great, though. I'm not writing this for me
personally. :)

David

_______________________________________________
Gnupg-devel mailing list
Gnupg-devel [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-devel


wk at gnupg

Apr 3, 2009, 6:09 AM

Post #20 of 22 (1730 views)
Permalink
Re: HKP keyservers over SSL [In reply to]
On Wed, 25 Mar 2009 01:17, dkg [at] fifthhorseman said:

>> 3. Use a list of server certificate fingerprints and compare against
>> them. For example in the DNS which is secure enough for our threat
>> model. Recall that the servers can still track key requests.
>
> I don't think i understand this option. Why is the DNS sufficiently
> secure here?

The idea is that we maintain a list of server certificate hashes and at
connection time we compare against that list and thus there is no need
to discuss about the so-called benefits of a root certificate.

My threat model is a casual snooping attack and thus I consider DNS
secure enough; of course it depends on what you call casual attack.

That list could also be maintained on a website or signed by a few
trustworthy keys. However that would immediately introduce a PKI again.

> ;) I think a GNUNet service that focuses on distributing key material
> would be a great thing to have, but i don't see it replacing HKP any
> time soon, with all the HKP clients that exist.

Me too. We have to live with HKP. Look only on how hard it is to
convince people nut to use the old broken pgp keyservers. We are trying
for years to abolish the sue of them but without much success.

> queries, users can opt to use tor or not without needing to change gpg,
> no? Can't gpg users already use tor for keyserver lookups in fact? (i
> haven't tried it myself).

Sure, you can.


Salam-Shalom,

Werner

--
Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz.


_______________________________________________
Gnupg-devel mailing list
Gnupg-devel [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-devel


wk at gnupg

Apr 3, 2009, 6:19 AM

Post #21 of 22 (1729 views)
Permalink
Re: HKP keyservers over SSL [In reply to]
On Wed, 1 Apr 2009 17:27, dkg [at] fifthhorseman said:

> However, i think that the arguments for using HKPS tend to suggest that
> a user would want to use a single known keyserver (or at least a pool
> maintained by the same administrator who can give them all the same host
> keys or get them all independently certified).

I agree here. Thus we do not need to care about pooled keyservers
becuase you won't be abale to trust them. The trust you have in a
certain keyserver was the original reason you asked for TLS support.


Shalom-Salam,

Werner

--
Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz.


_______________________________________________
Gnupg-devel mailing list
Gnupg-devel [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-devel


gnupg-devel at spodhuis

Apr 3, 2009, 4:54 PM

Post #22 of 22 (1736 views)
Permalink
Re: HKP keyservers over SSL [In reply to]
On 2009-04-03 at 15:09 +0200, Werner Koch wrote:
> Me too. We have to live with HKP. Look only on how hard it is to
> convince people nut to use the old broken pgp keyservers. We are trying
> for years to abolish the sue of them but without much success.

Meh. Most people I deal with don't even know of the problems with
things like pgp.mit.edu. What has actually been tried?

Suggestion for gpg:

WARNING: you are using keyserver "pgp.mit.edu" which is broken
WARNING: reason: does not accept subkey updates
WARNING: result: keys appear invalid because correct updates not received

Default list of keyservers to whine about, gpg.conf option to hush up
the warning for a particular keyserver -- the goal being to persuade,
not coerce. And besides, pgp.mit.edu might someday be updated and stop
being a blight and this would let people use it.

-Phil

GnuPG devel RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact Gossamer Threads
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.