Archived
15
23
Fork
You've already forked meta
6

Set up OpenPGP WKD #39

Closed
opened 2022年11月19日 08:28:22 +01:00 by caesar · 9 comments
Member
Copy link

We should set up WKD for our OpenPGP public keys. This aids discovarability and authentication of the keys and is effectively a federated alternative to keyservers.

The easy way is to publish the keys to keys.openpgp.org (which we need to do anyway) and delegate to them via a DNS record like this:

openpgpkey.forgejo.org. 300 IN CNAME wkd.keys.openpgp.org.

The alternative is to self-host the keys on our own domain at the .well-known/openpgpkey/hu/ path. It is complicated to calculate the required filenames but there are generators.

We should set up [WKD](https://wiki.gnupg.org/WKD) for our OpenPGP public keys. This aids discovarability and authentication of the keys and is effectively a federated alternative to keyservers. The easy way is to publish the keys to [keys.openpgp.org](https://keys.openpgp.org) (which we need to do anyway) and [delegate to them](https://keys.openpgp.org/about/usage#wkd-as-a-service) via a DNS record like this: ``` openpgpkey.forgejo.org. 300 IN CNAME wkd.keys.openpgp.org. ``` The alternative is to [self-host](https://wiki.gnupg.org/WKDHosting) the keys on our own domain at the `.well-known/openpgpkey/hu/` path. [It is complicated to calculate the required filenames](https://datatracker.ietf.org/doc/html/draft-koch-openpgp-webkey-service#section-3.1) but [there are generators](https://keyoxide.org/util/wkd).
Author
Member
Copy link

There is also a conversation to be had (maybe deserving of its own issue...) regarding exactly what OpenPGP keys we should have and what addresses should be on them.

Obviously releases and security both need their own keys, and those have both already been created.

  • The security key has the email address security@forgejo.org. Only @Gusted currently has the private key.
  • The releases key (which is as-yet unpublished) has the email address contact@forgejo.org. I think this should be changed to the release team's email address, release@forgejo.org.

That would leave open the possibility to create a "general" keypair for contact@forgejo.org, which could be used for a Keyoxide proofs verifiably linking together our various online points of presence.
However, the addition of a third key could complicate matters, and arguably there would be no need for it in addition to the security key. Therefore an alternative would be to add contact@forgejo.org as a second address on the security key and turn it into a generic key.

There is also a conversation to be had (maybe deserving of its own issue...) regarding exactly what OpenPGP keys we should have and what addresses should be on them. Obviously releases and [security](https://codeberg.org/forgejo/meta/issues/37) both need their own keys, and those have both already been created. - [The security key](https://keys.openpgp.org/search?q=1B638BDF10969D627926B8D9F585D0F99E1FB56F) has the email address `security@forgejo.org`. Only @Gusted currently has the private key. - The releases key (which is as-yet unpublished) has the email address `contact@forgejo.org`. [I think this should be changed](https://codeberg.org/forgejo/forgejo/issues/4#issuecomment-690595) to the release team's email address, `release@forgejo.org`. That would leave open the possibility to create a "general" keypair for `contact@forgejo.org`, which could be used for a Keyoxide proofs verifiably linking together our various online points of presence. However, the addition of a third key could complicate matters, and arguably there would be no need for it in addition to the security key. Therefore an alternative would be to add `contact@forgejo.org` as a second address on the security key and turn it into a generic key.

@Gusted could you please send me the private key for the security key at loic@dachary.org encrypted with https://codeberg.org/dachary.gpg for safekeeping?

@Gusted could you please send me the private key for the security key at loic@dachary.org encrypted with https://codeberg.org/dachary.gpg for safekeeping?

@caesar my intuition here is that releases and security are likely to remain two different group of people with two different threat models and are better served with two keys managed independently rather than a single one.

I think it makes sense to use the release signing key as the "general" keypair that you describe. Its primary use is to sign releases and, as a forgejo user, I would not expect to find a keypair for contact@forgejo.org that does not allow me to verify releases.

@caesar my intuition here is that releases and security are likely to remain two different group of people with two different threat models and are better served with two keys managed independently rather than a single one. I think it makes sense to use the release signing key as the "general" keypair that you describe. Its primary use is to sign releases and, as a forgejo user, I would not expect to find a keypair for `contact@forgejo.org` that does not allow me to verify releases.
Author
Member
Copy link

@caesar my intuition here is that releases and security are likely to remain two different group of people with two different threat models and are better served with two keys managed independently rather than a single one.

Absolutely. I didn't mean to suggest that those two should be combined, although I can see that I wasn't very precise with my wording.

I think it makes sense to use the release signing key as the "general" keypair that you describe. Its primary use is to sign releases and, as a forgejo user, I would not expect to find a keypair for contact@forgejo.org that does not allow me to verify releases.

That's an interesting idea, I hadn't thought of that. It could indeed make sense.
In that case I would propose that:

  • The main key be renamed from Forgejo Releases to Forgejo
  • A subkey be used for signing releases (this is already the case I believe as you have already created a signing-only subkey with a one-year validity).

If you agree that the above makes sense, I will go ahead and add Keyoxide identity proofs for the domain and the Codeberg org to that key.

> @caesar my intuition here is that releases and security are likely to remain two different group of people with two different threat models and are better served with two keys managed independently rather than a single one. Absolutely. I didn't mean to suggest that those two should be combined, although I can see that I wasn't very precise with my wording. > I think it makes sense to use the release signing key as the "general" keypair that you describe. Its primary use is to sign releases and, as a forgejo user, I would not expect to find a keypair for `contact@forgejo.org` that does not allow me to verify releases. That's an interesting idea, I hadn't thought of that. It could indeed make sense. In that case I would propose that: - The main key be renamed from `Forgejo Releases` to `Forgejo` - A subkey be used for signing releases (this is already the case I believe as you have already created a signing-only subkey with a one-year validity). If you agree that the above makes sense, I will go ahead and add Keyoxide identity proofs for the domain and the Codeberg org to that key.

@caesar you have me convinced, I will change the id of the release keypair to be release@forgejo.org rather than contact@forgejo.org.

@caesar you have me convinced, I will change the id of the release keypair to be `release@forgejo.org` rather than `contact@forgejo.org`.
Author
Member
Copy link

Haha well I was also convinced by your suggestion, so we have succesfully swapped opinions 😉

I'm fine with it either way really but I do find your argument convincing that the master key currently used for signing could be the main master key for the organisation, rather than creating a third key. It would probably be simpler in organisation terms than my previous suggestion.

Haha well I was also convinced by your suggestion, so we have succesfully swapped opinions 😉 I'm fine with it either way really but I do find your argument convincing that the master key currently used for signing could be the main master key for the organisation, rather than creating a third key. It would probably be simpler in organisation terms than my previous suggestion.

The release key can be used for a generic purpose although it has a release@forgejo.org email, I think. I suppose people who have some GPG expertise (they are very rare but also very precious) won't be disoriented by the fact that the email is not contact@forgejo.org.

The release key can be used for a generic purpose although it has a `release@forgejo.org` email, I think. I suppose people who have some GPG expertise (they are very rare but also very precious) won't be disoriented by the fact that the email is not `contact@forgejo.org`.
Author
Member
Copy link

I have now implemented WKD delegation as described in the first post of this issue.

This means than any keys which are published to keys.openpgp.org will automatically be available via WKD.

In the future if we prefer we can always switch to the more complicated route of "self-hosting" WKD.

I have now implemented WKD delegation as described in the first post of this issue. This means than any keys which are published to `keys.openpgp.org` will automatically be available via WKD. In the future if we prefer we can always switch to the more complicated route of "self-hosting" WKD.

@dachary I've send over the secret GPG key.

@dachary I've send over the secret GPG key.
Commenting is not possible because the repository is archived.
No Branch/Tag specified
readme
No results found.
Labels
Clear labels
[Decision] Building proposal(s)
We're in a decision-making process, buiding one or more proposals to address the shared aim based on the criteria
[Decision] Gathering criteria
We're in a decision-making process, gathering criteria, considerations and needs
[Decision] Integrating concerns
We're in a decision-making process, working with a proposal, trying to integrate concerns and create modifications/support such that the proposal works for everyone
Accessibility
Relates to Accessibility (a11y) of product, project and process.
Agreement proposal
Forgejo agreement proposal, following a discussion
Communication
Relates to all channels, social media, website, blog posts.
Election
Process of appointing a person into a role or team (if choosing people just for a specific one-time task, use the Entrustment label)
Entrustment
Process of choosing/approving specific people to do a critical/high-impact one-time task (if choosing people for an ongoing role/team, use the Election label)
Governance
Relates to processes, procedures and decision-making.
Meeting
An upcoming team meeting
User research - Accessibility
Requires input about accessibility features, likely involves user testing.
User research - Blocked
Do not pick as-is! We are happy if you can help, but please coordinate with ongoing redesign in this area.
User research - Community
Community features, such as discovering other people's work or otherwise feeling welcome on a Forgejo instance.
User research - Config (instance)
Instance-wide configuration, authentication and other admin-only needs.
User research - Errors
How to deal with errors in the application and write helpful error messages.
User research - Filters
How filter and search is being worked with.
User research - Future backlog
The issue might be inspiring for future design work.
User research - Git workflow
AGit, fork-based and new Git workflow, PR creation etc
User research - Labels
Active research about Labels
User research - Moderation
Moderation Featuers for Admins are undergoing active User Research
User research - Needs input
Use this label to let the User Research team know their input is requested.
User research - Notifications/Dashboard
Research on how users should know what to do next.
User research - Rendering
Text rendering, markup languages etc
User research - Repo creation
Active research about the New Repo dialog.
User research - Repo units
The repo sections, disabling them and the "Add more" button.
User research - Security
User research - Settings (in-app)
How to structure in-app settings in the future?
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
3 participants Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
forgejo/meta#39
Reference in a new issue
forgejo/meta
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?