Post AP8WhYSOgpvsWbQ41o by inference@plr.inferencium.net
(DIR) Post #AP8LN4YV3Rn0V1IwjI by freemo@qoto.org
2022-10-31T17:42:24Z
0 likes, 3 repeats
So I am currently restructuring my company's security policy and trying to get OpenPGP as a central point in all this. Any input on how others have structured their trust network in a corporate setting? How do you verify which keys are employees' and what roles (such as deploying software) people have? I have my own idea as to how I'm going to structure this, but I'd love to hear other people's thoughts first. #security #OpenPGP #PGP #GPG #GnuPG
(DIR) Post #AP8Ov2DSYgQ6x6LiMb by freemo@qoto.org
2022-10-31T18:22:09Z
0 likes, 0 repeats
@oliof This sounds reasonable, except the gap I see is that by using LDAP and not a public key server there is no way for people outside of the company to know whose key to trust that claims to be part of the company. For example, if someone in the company posts some software, or a letter or any content, and an external user wants to see if they should trust them as a representative of the company and ensure they aren't just an employee but authorized to validate releases or make particular decisions, how would they do that?
(DIR) Post #AP8P9BEVpXMOyKaRGK by vwbusguy@mastodon.online
2022-10-31T18:24:31Z
0 likes, 1 repeats
@freemo @oliof SSO is the Identity Provider (IdP) and LDAP is the Data Store layer, managed by an Identity Manager (IDM). LDAP shouldn't be exposed publicly, but SSO and key servers with data sources managed by an IDM are.
(DIR) Post #AP8P9s4OZ1ojpPBSxk by Hyolobrika@gleasonator.com
2022-10-31T18:24:53.328758Z
0 likes, 0 repeats
cc: @inference @itzzenxx
(DIR) Post #AP8PnaFWEvao8rK772 by freemo@qoto.org
2022-10-31T18:32:02Z
0 likes, 0 repeats
@vwbusguy So what software represents the IDM here? @oliof
(DIR) Post #AP8PzQYi5v4dYvwnvk by vwbusguy@mastodon.online
2022-10-31T18:34:09Z
0 likes, 0 repeats
@freemo @oliof FreeIPA is a good one: https://www.freeipa.org
(DIR) Post #AP8Q61kui6r8fDnpEe by freemo@qoto.org
2022-10-31T18:35:21Z
0 likes, 0 repeats
@vwbusguy Can you give me a breakdown, in your mind, of what software fills all the roles in an open source company... Who is the IDM, the identity provider, what software does the SSO, the LDAP, etc... specifically solutions that would work well with OpenPGP... Checking out FreeIPA now. @oliof
(DIR) Post #AP8QL2OmbNKz0BbnUm by vwbusguy@mastodon.online
2022-10-31T18:38:03Z
0 likes, 0 repeats
@freemo @oliof That really depends on your org. Last place where I was the Identity Architect, the IDM was internally built. The LDAP was a mix of OpenLDAP and Active Directory that was managed by that IDM tool and Grouper, from common sources. The Identity Provider for SSO was handled by both Apereo CAS and TIER's Shibboleth, and LDAP was also the authentication and authorization source for sssd logins, sudo, etc.
(DIR) Post #AP8QWyKnXRqRs7R41Q by vwbusguy@mastodon.online
2022-10-31T18:38:45Z
0 likes, 0 repeats
@freemo @oliof Many, many years ago (and multiple employers ago), I gave a talk on this at the So Cal Linux Expo: https://www.socallinuxexpo.org/scale12x/presentations/cas-and-shibboleth-open-source-your-identity
(DIR) Post #AP8QWyoZkjfFMTMqR6 by freemo@qoto.org
2022-10-31T18:40:14Z
0 likes, 0 repeats
@vwbusguy Thanks, all very helpful. I will be rethinking my original plan, which was admittedly much simpler. @oliof
(DIR) Post #AP8QqU2Bu3vDgo2I0e by vwbusguy@mastodon.online
2022-10-31T18:43:36Z
0 likes, 0 repeats
@freemo @oliof Much simpler might be better. I was managing identity for an org with hundreds of thousands of entities. If that's not where you're at, you might not need something as elaborate, but the concepts are still helpful to understand so you'll have an idea of how to eventually grow and scale your stack.
(DIR) Post #AP8R36ge1Ivp2iyddI by freemo@qoto.org
2022-10-31T18:46:02Z
0 likes, 0 repeats
@vwbusguy My company is on the scale of 20 people, so yea, nowhere near there. But we have some very high security concerns and are trying to do security on the level of a much larger corp... For example, hardware full drive encryption everywhere. We are also a software company, so we need to use our PGP identities to assure the public that content is authentic... All that said, I don't plan on replicating your setup, it is a bit much.. but I may take the idea and borrow from it in a simpler setup. @oliof
(DIR) Post #AP8RB3z7wveEyoPrO4 by vwbusguy@mastodon.online
2022-10-31T18:47:21Z
0 likes, 0 repeats
@freemo @oliof I very much understand those concerns. I currently work in a government sector job.
(DIR) Post #AP8RCCsWMxYCqss5Ro by vwbusguy@mastodon.online
2022-10-31T18:46:26Z
0 likes, 0 repeats
@freemo @oliof One thing I will say is that identity is pretty much always way more complicated to manage than most people imagine it is. A ton of stuff goes into that simple Single Sign On that end users (rightfully) entirely take for granted.
(DIR) Post #AP8RCDJ6m6omBLJJtA by freemo@qoto.org
2022-10-31T18:47:40Z
0 likes, 0 repeats
@vwbusguy When I started this I wasn't even thinking of doing single sign-on at all.. was going to bastardize Keyoxide and be done with it... now I feel an SSO solution might not be a bad idea. @oliof
(DIR) Post #AP8REgjIM1fu0rjtRo by freemo@qoto.org
2022-10-31T18:48:09Z
0 likes, 0 repeats
@vwbusguy I used to do security clearance govt work, so yea I know the drill. @oliof
(DIR) Post #AP8W0pSTbV0Snk5DsW by inference@plr.inferencium.net
2022-10-31T19:41:24.779779Z
0 likes, 0 repeats
@freemo PGP, in any implementation, is awful and should be phased out as quickly as possible. PGP was created before security in computing became a real, widespread thing. This article explains the situation in its entirety: https://latacora.micro.blog/2019/07/16/the-pgp-problem.html
High-security projects such as GrapheneOS have already dropped PGP and switched to the superior OpenBSD Signify, which does a much better job at PKI signing, in a much safer way: https://www.openbsd.org/papers/bsdcan-signify.html
age can be used as a superior PGP PKI signing replacement, again doing its job in a much better and safer way than PGP ever did or can: https://github.com/FiloSottile/age
(DIR) Post #AP8W51dSGuH9j5Df5U by inference@plr.inferencium.net
2022-10-31T19:42:11.941960Z
0 likes, 0 repeats
@freemo PGP, in any implementation, is awful and should be phased out as quickly as possible. PGP was created before security in computing became a real, widespread thing. This article explains the situation in its entirety: https://latacora.micro.blog/2019/07/16/the-pgp-problem.html
High-security projects such as GrapheneOS have already dropped PGP and switched to the superior OpenBSD Signify, which does a much better job at PKI signing, in a much safer way: https://www.openbsd.org/papers/bsdcan-signify.html
age can be used as a superior PGP PKI encryption replacement, again doing its job in a much better and safer way than PGP ever did or can: https://github.com/FiloSottile/age
(DIR) Post #AP8W9ZMAq40nT9IqIq by freemo@qoto.org
2022-10-31T19:43:13Z
0 likes, 0 repeats
@inference Do either of these solutions have hardware encryption options similar to yubikey?
(DIR) Post #AP8WcPlVZufw7UuK1o by rqsd@borg.social
2022-10-31T19:46:33.312Z
1 likes, 0 repeats
@inference@plr.inferencium.net @freemo@qoto.org This is a mild aside, but I'm curious.
> switched to the superior OpenBSD Signify, which does a much better job at PKI signing, in a much safer way
The one thing here that concerns me is that OpenBSD's signify(1) does not have support for hardware security modules. While I'm ignoring OpenBSD's security practices in this area, can I assume GrapheneOS does use an HSM to sign their build artifacts and merely uses signify(1) for verification?
(DIR) Post #AP8WcQpnbRhZR5vGM4 by inference@plr.inferencium.net
2022-10-31T19:48:13.107277Z
0 likes, 0 repeats
@rqsd @freemo
> can I assume GrapheneOS does use a HSM to sign their build artifacts and merely uses signify(1) for verification?
Yes. They use it for package signing: https://grapheneos.org/install/cli#obtaining-signify
(DIR) Post #AP8WhYSOgpvsWbQ41o by inference@plr.inferencium.net
2022-10-31T19:49:10.081025Z
0 likes, 0 repeats
@rqsd @freemo The OS itself is verified by Pixel's Titan M/M2 HSM and verified boot etc. Signify is used for signing the factory images as a first layer of trust when installing the OS.
(DIR) Post #AP8XEgqAXdOm58L3FQ by rqsd@borg.social
2022-10-31T19:52:47.231Z
1 likes, 0 repeats
@inference@plr.inferencium.net @freemo@qoto.org I apologize, I think my question may have been unclear or misleading. The part I'm asking about is the GrapheneOS team's process in the background, i.e. the way they generate the *.sig files. If they use signify(1) to sign, then the signing keys are stored in files (that may be encrypted using a key derived from a passphrase). However, in this case, they cannot be stored in a hardware security module because signify has no support for or awareness of HSMs of any kind. Hence, I wonder if they use signify on the backend or transform a signature obtained from an actual HSM into the signify signature format.
(DIR) Post #AP8XEhfDTqEQdSDooa by inference@plr.inferencium.net
2022-10-31T19:55:07.563544Z
0 likes, 0 repeats
@rqsd @freemo You'd have to contact the lead developer on Matrix or via email to find out. I haven't asked this question. What I do know is GrapheneOS builds and signs everything on a dedicated, offline server, completely isolated from everything else. They do use HSMs, but I'm unsure to what extent. https://daniel.micay.dev/
(DIR) Post #AP8XKQxaUsrUZEY0Ei by freemo@qoto.org
2022-10-31T19:56:23Z
0 likes, 0 repeats
@inference The lack of HSM support for signify rules it out completely as an option for me. @rqsd
(DIR) Post #AP8Xiwoxgt7SKeCZou by freemo@qoto.org
2022-10-31T20:00:49Z
0 likes, 0 repeats
@oliof Not sure exactly how that is a problem.. I have revoked signatures before on keys I signed on public key servers and it worked just fine. The issue I see with running our own key server is that it won't federate with the popular key servers. Right now, if you put your key on a mainstream key server, it will federate out to most others; not so if we run our own. This will potentially lead to some issues with people trying to figure out how to obtain our keys.
(DIR) Post #AP8Y4zK34TdgSdFgvI by rqsd@borg.social
2022-10-31T20:03:17.377Z
1 likes, 1 repeats
@inference@plr.inferencium.net @freemo@qoto.org Answering my own question by the power of open source: https://github.com/GrapheneOS/script (in particular release.sh, signify_prehash.sh) would suggest the signing key is stored encrypted and decrypted in a tmpfs under /dev/shm via openssl pkcs8 and a passphrase.
(DIR) Post #AP8YC7lI5m3if7Ogka by inference@plr.inferencium.net
2022-10-31T20:05:53.095680Z
0 likes, 0 repeats
@rqsd @freemo I don't doubt GrapheneOS or its lead developer in *any* security aspect. They are insanely good at what they do. Many patches to Linux, Android, LLVM etc. were upstreamed by him. Chances are, if you're using a widely-used open source project, you're running some of his code.
(DIR) Post #APNdcIzLeXvL9AdpLM by duxsco@digitalcourage.social
2022-11-08T02:47:28Z
0 likes, 0 repeats
@freemo As DANE/CERT is obsolete in my eyes (https://dev.gnupg.org/T4618), I recommend WKD, if LDAP is out of the question for you. In contrast to a keyserver, the domain owner must play an active role in setting up WKD. This provides some kind of proof for the authenticity of the hosted public keys. Furthermore, 3rd party signatures are fetched over WKD, but not over HKPS (see: https://bugs.gentoo.org/878479). This allows for the setup of a centralised CA as done by the Gentoo Linux project (https://www.gentoo.org/glep/glep-0079.html). Here are some links that may provide some inspiration in this regard: https://youtu.be/RV1E_DjhCX0?t=1865 and https://sequoia-pgp.org/blog/2021/05/12/202105-hello-openpgp-ca/
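The WKD lookup duxsco recommends above, as an added example (not code from the post, from GnuPG or from Gentoo): a client lowercases the local part, SHA-1 hashes it, z-base-32 encodes the digest and fetches the key from a path only the domain owner can serve, which is where the "active role" and the authenticity argument come from. `key_matches_address` is the check a client should make that the served key actually carries the requested address; the `Joe.Doe@Example.ORG` vector is the one from the WKD draft, the user IDs in the test are constructed.

```python
import hashlib
import re
from urllib.parse import quote

# z-base-32 alphabet (Zooko's base32, no padding) as used by WKD and GnuPG.
ZB32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32: 5 bits per character, most significant bits first."""
    nbits = len(data) * 8
    nchars = (nbits + 4) // 5
    # Right-pad the bit string so it splits evenly into 5-bit groups.
    value = int.from_bytes(data, "big") << (nchars * 5 - nbits)
    return "".join(ZB32_ALPHABET[(value >> (5 * (nchars - 1 - i))) & 31] for i in range(nchars))


def wkd_hash(local_part: str) -> str:
    """WKD identifier: SHA-1 of the lowercased local part, z-base-32 encoded (always 32 chars)."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)


def wkd_urls(address: str) -> dict:
    """URLs a WKD client tries, advanced method first, then the direct method.

    The 'l' query parameter carries the original-case local part so the server
    can pick the right key when several addresses hash-collide after lowercasing.
    """
    local_part, domain = address.rsplit("@", 1)
    domain = domain.lower()
    h = wkd_hash(local_part)
    l_param = quote(local_part, safe="")
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{h}?l={l_param}",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{h}?l={l_param}",
        "policy": f"https://{domain}/.well-known/openpgpkey/policy",
    }


def key_matches_address(user_ids: list, address: str) -> bool:
    """Client-side check: the fetched key must carry a User ID for the address we asked for.

    Simplification (assumption): the whole address is compared case-insensitively.
    """
    wanted = address.lower()
    for uid in user_ids:
        m = re.search(r"<([^>]+)>", uid)
        candidate = m.group(1) if m else uid
        if candidate.strip().lower() == wanted:
            return True
    return False
```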