πŸ’Ύ Archived View for gemi.dev β€Ί gemini-mailing-list β€Ί 000789.gmi captured on 2023-12-28 at 15:52:43. Gemini links have been rewritten to link to archived content

View Raw

More Information

⬅️ Previous capture (2023-11-04)

🚧 View Differences

-=-=-=-=-=-=-

Enhancing TOFU

1. nothien (a) uber.space (nothien (a) uber.space)

Hi!

I think that people find TOFU controversial because it removes the
ability for clients to verify the authenticity of servers they've never
connected to before and it prevents servers from ever being able to
change certificates.  I think that both of these issues are solvable
while keeping with the spirit of Gemini.

xq (on IRC) proposed the concept of 'distributed trust' lists, which are
simply lists associating domains with public keys (i.e. their hashes).
Gemini servers and clients can then distribute and verify trust lists,
and can even merge trust lists from different sources together.  This
neatly solves the first problem, by allowing clients to check their
trust lists to determine the public key of a server and so to
authenticate them even in the first connection.

Here's xq's post about their idea:
=> gemini://random-projects.net/blog/2021-03-03-distributed-trust.gemini

I propose an extension to this, which allows servers to announce their
intention (in a verifiable way) to change certificates in the near
future.  Essentially, servers now provide (over Gemini) a '/.pubkey' URL
where they serve the hash of the public key they will use in the near
future (which may be the same as the public key they use right now).
Clients can periodically request '/.pubkey' to check if the server
intends to change their pubkey soon.  In later connections, the server
will either use the current pubkey or the previously-announced future
pubkey - if clients see the latter being used, they know that the server
has transitioned to using this future pubkey and so can drop the
previous pubkey.  This provides a safe method for verifying server
certificates, even when they are rotated.

There are a few more details, which you can read about on my blog post:
=> gemini://gemini.ctrl-c.club/~aravk/blog/2021-03-04-distributed-trust.gmi

The exact format used and various smaller details can be tweaked as we
see fit, but I'm looking for thoughts on the general concept.  I know
that there are some voices for permanently using a single certificate,
but I personally prefer rotating certs and I think that the perma-cert
people don't lose out at all in this.

Any (constructive) feedback is appreciated.

~aravk | ~nothien

Link to individual message.

2. Drew DeVault (sir (a) cmpwn.com)

I disagree with any feature which involves the client periodically
requesting a specific file from the server, for reasons we should
probably not re-hash.

Why use a technical solution when a social solution would be suitable? A
much easier way is to simply announce the upcoming cert change in your
gemlog.

Link to individual message.

3. Petite Abeille (petite.abeille (a) gmail.com)

Hello,

> On Mar 5, 2021, at 13:33, nothien at uber.space wrote:
> 
> => gemini://random-projects.net/blog/2021-03-03-distributed-trust.gemini
> => gemini://gemini.ctrl-c.club/~aravk/blog/2021-03-04-distributed-trust.gmi

Thank you for sharing. Appreciating the engagement.

Not sure how to put it "constructively", but this looks... unfinished.

But ok, let's suspend disbelieve for a second, and assume you have solved 
the decentralized trust conundrum on your own ? minus blocks, minus 
chains, plus something. 

First off, congrats! :)

This is a major achievement - a breakthrough in computer science, as 
understood by the  security community at large.

Question: are you going to publish a proper white paper on it ? and have 
it peer reviewed?

By "peer", I don't means some pesky insects on some god forsaken corner of 
the interweb. More like proper scrutiny. Probing. By actual security experts.

Sorry to rain on your parade, but truly, I cannot muster anything 
supportive to say at all. Apologies. Nothing personal.

Meanwhile, perhaps I could interest you in keybase:

https://en.wikipedia.org/wiki/Keybase

Specifically, their take on identity proofs.

Perhaps of interest.

?0?

Link to individual message.

4. Petite Abeille (petite.abeille (a) gmail.com)



> On Mar 5, 2021, at 13:47, Drew DeVault <sir at cmpwn.com> wrote:
> 
> Why use a technical solution when a social solution would be suitable? A
> much easier way is to simply announce the upcoming cert change in your
> gemlog.

Because of the scale of the network.

Such "social" approach works in the small, but doesn't scale.

It simply moves the problem around: now the burden of proof is on the user 
to check some sort of "announcements" and act on it meaningfully. Each and 
every single time.

In my personal experience, this will never fly.

YMMV for sure.

?0?

Link to individual message.

5. Petite Abeille (petite.abeille (a) gmail.com)



> On Mar 5, 2021, at 13:33, nothien at uber.space wrote:
> 
> Any (constructive) feedback is appreciated.

This is the only thing I could find:

https://www.gocomics.com/nonsequitur/2021/03/05

?0?

Link to individual message.

6. nothien (a) uber.space (nothien (a) uber.space)

"Drew DeVault" <sir at cmpwn.com> wrote:
> I disagree with any feature which involves the client periodically
> requesting a specific file from the server, for reasons we should
> probably not re-hash.

The intention is not for ordinary clients to have to do this (unless
they want to), but for servers distributing these trust lists to perform
this verification/update.

> Why use a technical solution when a social solution would be suitable?
> A much easier way is to simply announce the upcoming cert change in
> your gemlog.

Petite Abeille has addressed this neatly:

> Because of the scale of the network.
> 
> Such "social" approach works in the small, but doesn't scale.
> 
> It simply moves the problem around: now the burden of proof is on the
> user to check some sort of "announcements" and act on it meaningfully.
> Each and every single time.

~aravk | ~nothien

Link to individual message.

7. mbays (a) sdf.org (mbays (a) sdf.org)



>I think that people find TOFU controversial because it [...] prevents 
>servers from ever being able to change certificates.

Yes, this is a real problem. Even with a long-lived certificate you will 
need to change it eventually to keep up with developments in 
cryptography.

But I think we can solve this neatly by using certificate chains. If you 
have a certificate which is trusted by many users and want to rotate to 
a new certificate, sign the new certificate with the old one (treating 
it as a CA) and have your server present the old certificate and the new 
one as a chain. Then users will be able to see that they should carry 
over their trust in the old certificate to the new one.

Clients should either warn the user about the change while providing 
enough information that the user can see what has happened, or could 
optionally automatically transfer trust to a cert signed by a previously 
trusted cert for the same domain (being careful about wildcards!).

Some clients already provide enough information, i.e. fingerprints for 
the old trusted cert and all certs in the new chain. But I see that not 
all do.

I tested the signing process, and it seems straightforward. Here's what 
I did, but please don't slavishly copy this; this is the result of a few 
minutes with man openssl-x509, and I may be missing some important steps 
(e.g. I ignored serial numbers, which I *think* makes sense, but maybe 
I'm missing something):
 ```
gemcert -server mydomain
openssl x509 -CA old.crt -CAkey old.key -in mydomain.crt -out signed.crt
cat signed.crt old.crt > chain.crt
 ```
Now give chain.crt and mydomain.key to your server.
Here old.crt was also generated by gemcert.

Am I missing something, or does this make sense?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
URL: <https://lists.orbitalfox.eu/archives/gemini/attachments/20210305/6800
469b/attachment.sig>

Link to individual message.

8. Stephane Bortzmeyer (stephane (a) sources.org)

On Fri, Mar 05, 2021 at 01:33:49PM +0100,
 nothien at uber.space <nothien at uber.space> wrote 
 a message of 44 lines which said:

> I propose an extension to this, which allows servers to announce
> their intention (in a verifiable way) to change certificates in the
> near future.  Essentially, servers now provide (over Gemini) a
> '/.pubkey' URL where they serve the hash of the public key they will
> use in the near future (which may be the same as the public key they
> use right now).

And Drew deVault who said that using Let's Encrypt was too complicated
:-) Anything that requires such operations does not seem to fit with
the principles of Gemini. (And I speak from experience managing DNSSEC
key rollovers.)

Also, this proposal does not address unplanned emergency changes (such
as one triggered by a compromise of the private key). They are one of
the biggest problems with TOFU.

Link to individual message.

9. Stephane Bortzmeyer (stephane (a) sources.org)

On Fri, Mar 05, 2021 at 01:33:49PM +0100,
 nothien at uber.space <nothien at uber.space> wrote 
 a message of 44 lines which said:

> I propose an extension to this, which allows servers to announce
> their intention (in a verifiable way) to change certificates in the
> near future.

Gemini already has one way to announce this intention. To quote the
spec, "If the certificate is not the one previously received, BUT THE
PREVIOUS CERTIFICATE'S EXPIRY DATE HAS NOT PASSED, the user is shown a
warning". So, to announce your intention to change the certificate,
just say so in the expiration date (notAfter field).

Agunua <gemini://gemini.bortzmeyer.org/software/agunua/> does it in a
more liberal way, accepting a change if there is less than 10 % of the
former certificate life remaining:

# We accept a slack of 10 % of the certificate lifetime, or 7 days, whatever is smaller.
slack = old_lifetime/10
if datetime.timedelta(days=7) < old_lifetime/10:
    slack = datetime.timedelta(days=7)
if self.keystring != old_key:
    if datetime.datetime.utcnow() >= (old_expiration - slack):
          pass # OK, it is expired or soon to be
    else:
          error = "Former public key at %s was %s, new one is %s. ...

Link to individual message.

10. BjΓΆrn WΓ€rmedal (bjorn.warmedal (a) gmail.com)

On Mon, 8 Mar 2021 at 13:28, Stephane Bortzmeyer <stephane at sources.org> wrote:
> Gemini already has one way to announce this intention. To quote the
> spec, "If the certificate is not the one previously received, BUT THE
> PREVIOUS CERTIFICATE'S EXPIRY DATE HAS NOT PASSED, the user is shown a
> warning". So, to announce your intention to change the certificate,
> just say so in the expiration date (notAfter field).

In other words broadcast to potential attackers when the best time to
do a MitMA is :)

If clients silently accept new certificates this gets even worse,
because it opens a window where the attack can happen without anyone
knowing.

A certificate that's valid for 90 days, ending 9 days from now, can
silently be replace by another certificate with the same
not-valid-before and not-valid-after, allowing the attacker 9 days of
unnoticed operation.

I think we've pretty much laid out all the pros and cons of TOFU as a
validation scheme. I personally believe there is very little benefit
to trying to make it more secure, compared to the added complexity.

We need to clarify the spec around what TOFU means for clients and
servers, and that includes removing advice like "check
not-valid-before, hostname, and not-valid-after" and that certificates
should be rotated.

Or we need to decide to not use TOFU. I'm not going to reiterate the
alternatives I see, but suffice to say that I think this is an issue
of "decide which set of pros and cons to accept".

Cheers,
ew0k

Link to individual message.

11. Stephane Bortzmeyer (stephane (a) sources.org)

On Mon, Mar 08, 2021 at 01:38:24PM +0100,
 Bj?rn W?rmedal <bjorn.warmedal at gmail.com> wrote 
 a message of 34 lines which said:

> We need to clarify the spec around what TOFU means for clients and
> servers,

The issue on this in the specification is #5
<https://gitlab.com/gemini-specification/protocol/-/issues/5>

Link to individual message.

12. Thomas Frohwein (tfrohwein (a) fastmail.com)

I have written up how clients and servers can support out-of-band pubkey
verification to add a higher level of trust where needed. My opinion is
that for 99% of connections made by most clients, TOFU provides sufficient
security. For those situations where TOFU is judged by the user to be
insufficiently secure, clients can (sic) offer a variety of different
ways to support easy out-of-band verification.

I call this approach "Trust, but Verify (where appropriate)."

In a nutshell, 3 security levels would be offered and displayed by a
client following this, the first 2 of which are already part of TOFU:

- red: untrusted, mostly if certificate mismatch is encountered
- yellow: trusted, likely the large majority of all connections,
          here the host cert matches the known host of the same name
- green: verified - cert matches known host, plus the client has
         matched the cert with an out-of-band digest of the cert,
         confirming the identity of the server. This would be useful
         for connections involving sensitive information.

The details should be left to the client, with some technically simple
examples provided (entering/pasting pubkey hash, random art like
'ssh-keygen -lv'). A variety of technically more complicated ways to
confirm the pubkey like TLSA, DANE, TXT records could fall into this
approach, too, but I think it could be left up to the client and servers
what ways to offer to support the verification.

The full write-up is hosted here:

gemini://thfr.info/gemini/modified-trust-verify.gmi

thfr

Link to individual message.

13. mbays (mbays (a) sdf.org)



>* Friday, 2021-03-05 at 13:33 +0100 - nothien at uber.space <nothien at uber.space>:
>
>>I think that people find TOFU controversial because it [...] 
>>prevents servers from ever being able to change certificates.
>I think we can solve this neatly by using certificate chains.

I experimented a bit more with this, and discovered that chains can be 
awkward. Not all servers support sending a certificate chain, TLS 
libraries may complain if the root cert isn't set as a CA, and we lose 
the efficiency savings of only transmitting a single cert.

But there's a much simpler version which avoids chains.
If your server is currently using certificate A and you want to switch 
to a new certificate:

     (e.g. using openssl x509 -CA A.crt ...)


The signature on a self-signed certificate is worthless, so we lose 
nothing by replacing it with a signature from the old certificate in 
this way.

Clients can check for this as follows:

correctly signed by the pubkey of the old certificate.

there should be a warning if the old certificate had expired.

I experimented a bit with this, and the only small complication I ran 
into is that tls libraries may complain if the Distinguished Names of 
the two certificates are identical (at least, the haskell tls library 
I tested with does). But it isn't hard to include a field in the DN of 
the new certificate to make it unique.

So why don't we make this a convention? Any subtleties I'm missing?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
URL: <https://lists.orbitalfox.eu/archives/gemini/attachments/20210309/98e3
0cd9/attachment.sig>

Link to individual message.

14. (nothien (a) uber.space)

mbays <mbays@sdf.org> wrote:
> But there's a much simpler version which avoids chains.
> If your server is currently using certificate A and you want to switch 
> to a new certificate:
> * create a new self-signed certificate C with key K,
> * sign it with A to produce a signed certificate S,
>      (e.g. using openssl x509 -CA A.crt ...)
> * tell your server to use S and K.
> 
> So why don't we make this a convention? Any subtleties I'm missing?

The big issue with this is, what if a client misses a certificate
update?  If the server's first cert is A (self-signed because it has no
previous certs), second cert is B (signed with A) and third cert is C
(signed with B).  If a client connects to the server when it is using A,
they will save A, which works fine.  But if they then don't connect to
the server for a while, and the server now uses C, then there is no
direct trust from A to C (unless you provide the entire B cert during
the verification, which is just cert chains all over again), and the
client cannot verify the server.

One solution to this is what I had originally proposed on this thread:
get 'trust servers' to periodically check in on servers (either using my
original /.pubkey based idea or checking if the server cert is signed
with the previous one), and to share lists of verified servers with
clients.  This /still/ doesn't solve the issue where a server's cert is
compromised.

~aravk | ~nothien

Link to individual message.

15. N. Cherneshevsky (nfc (a) tilde.institute)

On Wed, Mar 10, 2021 at 07:50:32AM +0100, nothien@uber.space wrote:
> mbays <mbays@sdf.org> wrote:
> > But there's a much simpler version which avoids chains.
> > If your server is currently using certificate A and you want to switch 
> > to a new certificate:
> > * create a new self-signed certificate C with key K,
> > * sign it with A to produce a signed certificate S,
> >      (e.g. using openssl x509 -CA A.crt ...)
> > * tell your server to use S and K.
> > 
> > So why don't we make this a convention? Any subtleties I'm missing?
> 
> The big issue with this is, what if a client misses a certificate
> update?  If the server's first cert is A (self-signed because it has no
> previous certs), second cert is B (signed with A) and third cert is C
> (signed with B).  If a client connects to the server when it is using A,
> they will save A, which works fine.  But if they then don't connect to
> the server for a while, and the server now uses C, then there is no
> direct trust from A to C (unless you provide the entire B cert during
> the verification, which is just cert chains all over again), and the
> client cannot verify the server.
> 

OpenSSH has had host key rotation since March 2015. There's a LWN
article which describes the strategy, https://lwn.net/Articles/637156/

I believe OpenSSH solves the issue you raise here by sending all its
keys to the client. (I'm no expert here. I could be wrong.)

Link to individual message.

16. mbays (mbays (a) sdf.org)



> mbays <mbays@sdf.org> wrote:
>> * sign it with A to produce a signed certificate S,
>> 
>> So why don't we make this a convention? Any subtleties I'm missing?
> 
> The big issue with this is, what if a client misses a certificate
> update?

Yes, this isn't a perfect robust system, and doesn't make sense if you 
want to rotate certificates frequently. But I'm imagining that rotating 
would be something you do only very rarely.

Why would you want to rotate out your current keypair?


As long as you set distant expiration dates, it seems reasonable to expect 
at least a few years between any of these applying. So just having each 
certificate sign the next seems like it would deal with most situations, 
and adds no new protocol complexity or traffic costs.

Link to individual message.

17. Jonathan Lane (jon (a) dorsal.tk)

Certificate rotation and management without downtime is a hard problem to 
get correct in the general sense, and is basically why layered PKI exists 
at all, so that leaf nodes can change more often than intermediates more 
often than roots.  The easiest way to avoid this problem is to not expose 
your capsule to the Internet until you've got a real certificate for it, 
from Let's Encrypt or similar.


Sent with ProtonMail Secure Email.

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Wednesday, March 10, 2021 10:21 AM, mbays <mbays@sdf.org> wrote:

> -   Wednesday, 2021-03-10 at 07:50 +0100 - nothien@uber.space nothien@uber.space:
>
> > mbays mbays@sdf.org wrote:
> >
> > > -   sign it with A to produce a signed certificate S,
> > >
> > > So why don't we make this a convention? Any subtleties I'm missing?
> >
> > The big issue with this is, what if a client misses a certificate
> > update?
>
> Yes, this isn't a perfect robust system, and doesn't make sense if you 
want to rotate certificates frequently. But I'm imagining that rotating 
would be something you do only very rarely.
>
> Why would you want to rotate out your current keypair?
>
> -   Advances in cryptography mean you want to switch to a new algorithm.
>
> -   You fear the key might have been compromised.
>
> -   You want to add a wildcard in the CN, e.g. x.y.z -> *.y.z.
>
> -   The certificate is about to expire.
>
> -   Other exceptional circumstances I haven't thought of.
>
>     As long as you set distant expiration dates, it seems reasonable to 
expect at least a few years between any of these applying. So just having 
each certificate sign the next seems like it would deal with most 
situations, and adds no new protocol complexity or traffic costs.
>

Link to individual message.

---

Previous Thread: [ANN] Release 1.0 of MastoGem

Next Thread: [tech] coopting keybase for fun & profit