[guardian-dev] Clean Room: Making pgp master keys easy

Fri Jul 20 12:34:59 EDT 2012

The basic idea is that we  want to safely manage a long-term
identity/signing GnuPG key that exists only in a secure computing
environment.

With PGP it is risky to keep keys indefinitely when they are used on
insecure environments. If you use the same encryption key, once its
broken, you don't have perfect forward secrecy and potentially all
your old communications can be decrypted. A reasonable solution that
many employ is the keep an 'offline' master/long-term-identity key
that is only used to sign subkeys and participate in the web of trust.
This is the key tied to your identity. Then you can keep two subkeys
for signing and encryption that are used for everyday communications
that you rotate out every X amount of time. This is a reasonable
solution, but the difficultly of setting it up correctly makes it seem
like quite an elaborate setup and it often isn't done.

This project aims to create some definition of 'secure environment'
that makes it really easy to manage your master key. Usability has to
be balanced with security here. Everything is still up for discussion,
but the current plan would allow the secure environment to only
contact a key server (strict firewall rules, cert pinning). This would
make it easy to publish your keys and sign other's keys. The hope is
that this project might create an offline version if there is enough
interest. But, as Hans mentioned, we aren't convinced that the threat
of shuffling USB keys back and forth is much less then having
extremely limited network access on a liveCD.  Ultimately, the whole
process isn't terribly long so documentation on how to do everything
manually can be published for those who want/need a very specific or
custom workflow.

On Fri, Jul 20, 2012 at 12:31 PM, Hans-Christoph Steiner
<hans at guardianproject.info> wrote:
>
> I just added a bit to the wiki about ideas for the OS setup.  We are
> first trying to nail down the whole threat model and how to make that as
> usable as possible.  We're currently thinking that the OS will boot up
> with extremely limited network access, basically no services running at
> all, all inbound ports dropped, and all outbound traffic dropped except
> for a very small whitelist of key servers and perhaps an SMTP server for
> sending encrypted mails that include the signatures.
>
> It seems to us that the threat level of shuffling a USB key around with
> the signature files are about the same as this super locked down network
> method.  And the network method would be a lot easier to use.  But
> that's still very much up for discussion.
>
> .hc
>
> On 07/20/2012 11:56 AM, Abel Luck wrote:
>> Hey all,
>>
>> We're presenting an outline for a new project: Clean Room.
>>
>> Clean Room will be a linux livecd (usb) + application combo that
>> provides a secure, usable environment for managing GPG keys offline.
>>
>> Check out the wiki page and the mockups we have so far.
>>
>> https://guardianproject.info/wiki/CleanRoom
>> https://guardianproject.mybalsamiq.com/projects/gpgcleanroom/grid
>>
>> Abel
>>
>>
>>
>> _______________________________________________
>> Guardian-dev mailing list
>>
>> Post: Guardian-dev at lists.mayfirst.org
>> List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
>>
>> To Unsubscribe
>>         Send email to:  Guardian-dev-unsubscribe at lists.mayfirst.org
>>         Or visit: https://lists.mayfirst.org/mailman/options/guardian-dev/hans%40guardianproject.info
>>
>> You are subscribed as: hans at guardianproject.info
>>
> _______________________________________________
> Guardian-dev mailing list
>
> Post: Guardian-dev at lists.mayfirst.org
> List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
>
> To Unsubscribe
>         Send email to:  Guardian-dev-unsubscribe at lists.mayfirst.org
>         Or visit: https://lists.mayfirst.org/mailman/options/guardian-dev/patrickbx%40gmail.com
>
> You are subscribed as: patrickbx at gmail.com