On Mon, Jul 2, 2018 at 2:23 PM Alec Warner <anta...@gentoo.org> wrote:
>
> We might reduce the complexity here by saying things like:
>
> "We have N trust levels"
>
I snipped most of your text because I didn't really see a natural way to include only some of it, though this really pertains to most of it, and I didn't want to quote the whole thing.

I think that getting to a point where you can trust dev A and not trust dev B is probably something that should be viewed as a future goal, because the reality is that there are few devs you aren't depending on in some way.

I do think that moving from trusting infra to trusting all the devs is an improvement, though. Today you have to trust infra, and infra trusts all the devs, so you're implicitly trusting them anyway. That means that you can't distribute the tree without going through infra, and it means that infra keys are a weak point, and those keys are necessarily accessible by automated processes on machines that are network-reachable. Sure, they could be in HSMs/etc, but those HSMs will still sign whatever they're given by the automated process because there is no human in the loop.

If you just go straight to verifying dev keys then infra is less of a bottleneck (it opens new distribution options without compromising security), and now all the keys are potentially in hardware modules that don't have to just blindly sign whatever they're given, and which are not online most of the time. That isn't perfect because a rooted box could probably still MITM the module, but it is an improvement.

--
Rich
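The two trust topologies contrasted above (trust infra's re-signing key, versus hold the developer keyring and verify each commit directly) can be made concrete. The following is an added example, not code from this thread and not Gentoo's own signing tooling: it uses Ed25519 keys as stand-ins for the developers' OpenPGP keys, constructed commit messages, and a hypothetical `Scenario` helper that runs the same tree through both models. The infra pipeline is modelled as an automated signer with no human in the loop, so it signs whatever tree it is handed; the MITM-on-a-rooted-box caveat is outside what this models.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Signer models one key holder: a developer or the infra re-signing service.
type Signer struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewSigner(name string) Signer {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Signer{Name: name, Pub: pub, priv: priv}
}

// Commit is a constructed stand-in for a signed git commit: the content,
// the key that signed it, and the signature.
type Commit struct {
	Content   string
	SignerKey ed25519.PublicKey
	Sig       []byte
}

func (s Signer) Sign(content string) Commit {
	return Commit{Content: content, SignerKey: s.Pub, Sig: ed25519.Sign(s.priv, []byte(content))}
}

// Keyring is the verifier's set of trust anchors, keyed by hex public key.
type Keyring map[string]string

func (k Keyring) Add(s Signer) { k[hex.EncodeToString(s.Pub)] = s.Name }

// Verify checks that a commit carries a valid signature from a key in the keyring.
func (k Keyring) Verify(c Commit) (string, error) {
	name, ok := k[hex.EncodeToString(c.SignerKey)]
	if !ok {
		return "", errors.New("signing key not in keyring")
	}
	if !ed25519.Verify(c.SignerKey, []byte(c.Content), c.Sig) {
		return "", errors.New("bad signature")
	}
	return name, nil
}

// TreeHash is what infra signs: a digest over the ordered commit contents.
func TreeHash(commits []Commit) string {
	h := sha256.New()
	for _, c := range commits {
		h.Write([]byte(c.Content))
		h.Write([]byte{0})
	}
	return hex.EncodeToString(h.Sum(nil))
}

// ResignTree models the automated infra pipeline: it signs whatever tree it is
// handed, with no human in the loop and no check of the commits' own signatures.
func ResignTree(infra Signer, commits []Commit) Commit {
	return infra.Sign(TreeHash(commits))
}

// VerifyViaInfra is the status quo: the user trusts only infra's key and checks
// only infra's signature over the tree hash.
func VerifyViaInfra(ring Keyring, commits []Commit, treeSig Commit) error {
	if treeSig.Content != TreeHash(commits) {
		return errors.New("tree hash mismatch")
	}
	_, err := ring.Verify(treeSig)
	return err
}

// VerifyDirect is the proposed model: the user holds the developer keyring and
// checks every commit's own signature; no infra key is involved.
func VerifyDirect(ring Keyring, commits []Commit) error {
	for _, c := range commits {
		if _, err := ring.Verify(c); err != nil {
			return fmt.Errorf("commit %q: %w", c.Content, err)
		}
	}
	return nil
}

// Scenario (hypothetical helper) runs one constructed tree through both models.
// injectRogue appends a commit signed by a key in neither keyring, standing in
// for whatever a compromised automated pipeline might feed the infra signer.
func Scenario(injectRogue bool) (infraAccepts, directAccepts bool) {
	devA, devB := NewSigner("devA"), NewSigner("devB")
	infra, rogue := NewSigner("infra"), NewSigner("rogue")

	devRing := Keyring{}
	devRing.Add(devA)
	devRing.Add(devB)
	infraRing := Keyring{}
	infraRing.Add(infra)

	commits := []Commit{devA.Sign("sys-apps/foo: version bump"), devB.Sign("dev-lang/bar: fix build")}
	if injectRogue {
		commits = append(commits, rogue.Sign("sys-apps/foo: constructed rogue change"))
	}
	treeSig := ResignTree(infra, commits)
	return VerifyViaInfra(infraRing, commits, treeSig) == nil, VerifyDirect(devRing, commits) == nil
}

func main() {
	for _, rogue := range []bool{false, true} {
		i, d := Scenario(rogue)
		fmt.Printf("rogue commit=%v  infra model accepts=%v  direct dev-key model accepts=%v\n", rogue, i, d)
	}
}
```

With an honest tree both models accept. With the rogue commit present, the infra model still accepts because the only thing the user ever checks is infra's blind re-signature, while direct verification rejects the tree at the first commit whose key is not in the developer keyring. That is the "infra keys are a weak point" argument in runnable form; the direct model also has no step that requires the tree to pass through infra at all.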