You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: tap8.md
+28-58Lines changed: 28 additions & 58 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -1,9 +1,9 @@
1
1
* TAP: 8
2
2
* Title: Key rotation and explicit self-revocation
3
3
* Version: 2
4
-
* Last-Modified: 16-Nov-2022
4
+
* Last-Modified: 26-Mar-2024
5
5
* Author: Hannes Mehnert, Justin Cappos, Marina Moore
6
-
* Status: Draft
6
+
* Status: Accepted
7
7
* Content-Type: text/markdown
8
8
* Created: 10-May-2017
9
9
@@ -30,26 +30,12 @@ Snapshot and timestamp cannot use this rotation mechanism.
30
30
31
31
Conceptually, the rotation process says if you trusted threshold of keys
32
32
X = X_0, ... X_n, now instead trust threshold of keys Y = Y_0, ... Y_n. Rotation
33
-
of a key may be performed any number of times, transferring trust from X to Y, then
33
+
of a role may be performed any number of times, transferring trust from X to Y, then
34
34
from Y to Z, etc. Trust can even be transferred back from Z to X, allowing a key
35
35
to be added to a role, then later removed. If a single key needs to be replaced,
36
36
it can be safely rotated using the mechanism in this TAP.
37
37
38
-
The mechanism in this TAP has an additional use case: if a rotation
39
-
to a null key is detected, it causes the role to no longer be trusted.
40
-
A role could use a rotation to a null key if they suspect a threshold of keys
41
-
have been compromised
42
-
(a lost hard drive, system breach, etc). The role is able to create a
43
-
rotation to null without the help of the delegator, so they are able to
44
-
explicitly revoke trust in the role immediately, improving response time
45
-
to a key compromise. A rotation to a null key revokes trust in the role,
46
-
not specific keys, so all keys associated with the role will be invalid
47
-
after a rotation to null. The client will detect a rotation
48
-
to a null key and treat it as if the metadata was unsigned.
49
-
50
-
A delegator to a role A is able to help A recover from a rotation to null of A by
51
-
delegating to a new set of keys for A with a new role name.
52
-
Additionally, a delegator can overrule a rotate file by delegating to a new role
38
+
A delegator can overrule a rotate file by delegating to a new role
53
39
with a new set of keys. This ensures that the delegator is still the source of
54
40
trust, but allows the role to act independently.
55
41
@@ -71,7 +57,7 @@ delegations to be redone whenever this quorum changed.) Adding and
71
57
removing delegations of a project often uses the project role's key which is
72
58
delegated to. This project role gives persons with access to it elevated
73
59
privileges, and needs intervention from a higher level of delegations if
74
-
it needs to be rotated or revoked.
60
+
it needs to be rotated.
75
61
76
62
With TAP 8, the delegation can be assigned to a role (that contains a set
77
63
of keys and a threshold value). Developers could then collectively sign
@@ -130,15 +116,15 @@ role T to delegate to the new keyset e. If one of role D's keys is
130
116
compromised, they have to wait for role T to replace the key with a new,
131
117
trusted key.
132
118
133
-
With this proposal, the owner of role D can replace their own key, and also
134
-
revoke their key without relying on the delegator. This will improve
119
+
With this proposal, the owner of role D can replace their own key
120
+
without relying on the delegator. This will improve
135
121
response time to key compromises and prevent key sharing by allowing keys to be
136
122
rotated more regularly. Combined with multi-role delegations this allows
137
123
project teams to shrink and grow without delegation to a project key.
138
124
139
125
TUF already contains a key rotation mechanism, which is only specified
140
126
and used for the root file. This proposal allows the rotation
141
-
mechanism to be used by other delegations, and extends it with self-revocation.
127
+
mechanism to be used by other delegations.
142
128
143
129
144
130
# Specification
@@ -152,7 +138,7 @@ delegations stay intact, the targets can rotate keys, remove keys, or add keys.
152
138
## Rotate file
153
139
154
140
The signed portion of a `rotate` file is as follows (there's also a
155
-
signatures wrapper as in tuf spec, not shown here):
141
+
signatures wrapper as in the TUF specification, not shown here):
156
142
157
143
```python
158
144
{
@@ -162,12 +148,12 @@ signatures wrapper as in tuf spec, not shown here):
162
148
"keys" : {
163
149
KEYID : KEY
164
150
, ... } ,
165
-
"threshold" : THRESHOLD }
151
+
"threshold" : THRESHOLD
166
152
}
167
153
```
168
154
169
155
Where ROLE, KEYID, KEY, and THRESHOLD are as defined in the original
170
-
tuf spec. The value of ROLE has to be the same as the role for the
156
+
tuf specification. The value of ROLE has to be the same as the role for the
171
157
delegation. The value of THRESHOLD is its new value. VERSION is
172
158
the integer version number of rotate files for this role. Version
173
159
numbers MUST increase by exactly 1 from the previous rotate file for
@@ -210,6 +196,8 @@ old rotate files for the old role should be deleted and removed from snapshot on
210
196
the next snapshot key rotation. The client will determine the correct rotate file for the new role
211
197
by starting from VERSION 1.
212
198
199
+
The repository SHOULD set a limit to the number of rotate files per role. This limit should be clear to all key holders (for example, it could be in repository documentation or added to root metadata). Once this number of rotate files is reached, the repository will reject rotations for this role and the delegator should create a new delegation to a new role.
200
+
213
201
## Client workflow
214
202
215
203
A client who wants to install foo now fetches Alice's targets file and will
@@ -219,16 +207,13 @@ The client will then look for all files that begin with `rotate/foo.rotate` in
219
207
the snapshot metadata. The client will process these in version order (ie starting
220
208
with `rotate/foo.rotate.1`, then `rotate/foo.rotate.2` by first checking for this
221
209
version file in a local cache. The client will then fetch the rotate file from
222
-
remote. If the remote file is a rotation to null, and is signed with the currently
223
-
trusted keys, the client will halt the verification of this metadata and act as if
224
-
it is unverified when continuing the update process (and look for metadata from
225
-
the next role in the pre-order depth-first search). Otherwise, the client should
210
+
remote. The client should then
226
211
ensure that the cached file is identical to the remote version. The client will
227
212
then verify the rotate file using the currently trusted public key(s) for this role.
228
213
If a rotate
229
214
file is successfully verified, the client will update the set of trusted keys for
230
-
this role to be the set listed in the rotate files. If key data is missing
231
-
or there is a rotation to null, the targets file is invalid and the client will
215
+
this role to be the set listed in the rotate files. If key data is missing,
216
+
the targets file is invalid and the client will
232
217
proceed with the update process as if verification for this role failed (by moving
233
218
on to another trusted role for this target, or reporting an error to the user).
234
219
@@ -292,20 +277,6 @@ foo.rotate.2 is created, which contains the existing keyids as well as
292
277
Evelyn's public key, and a threshold value of 3. This
293
278
is signed with at least 2 keys from the current set of keyids.
294
279
295
-
## Rotation to Null
296
-
297
-
Clients need to check for rotations to a null key, and any delegation pointing
298
-
to a rotation to a null key is invalid. The null key is a hard coded value used across
299
-
tuf implementations. This enables a role to explicitly revoke their
300
-
own key(s) by introducing a rotation to null.
301
-
302
-
**Prioritizing Self Revocation**
303
-
Rotation files are immutable unless replaced with a revocation (rotate
304
-
to null). This is the only case in which they can be replaced or
305
-
modified. If a client wants to rotate to a different
306
-
key, without having access to their currently delegated private key,
307
-
this requires a key revocation by the delegating metadata.
308
-
309
280
Rotations which do not have any entry point anymore (the delegation they
310
281
stem from has can been replaced with new keys) can be
311
282
safely removed from the repository. If the delegation of foo is
@@ -325,7 +296,7 @@ The interaction between the Fulcio TAP and this TAP may impact the security
325
296
considerations in this TAP. If the Fulcio server or OIDC issuer is compromised,
326
297
an attacker could gain control over all TUF roles controlled by that entity.
327
298
If this happens, the attacker could use TAP 8 to create large-scale rotations
328
-
to null to perform a denial of service. However, this attack can be safely
299
+
to perform a denial of service. However, this attack can be safely
329
300
recovered from using the delegator to replace all effected keys. This is
330
301
especially effective if the top-level targets is controlled by offline keys.
331
302
For this reason, we recommend that both root and top-level targets are
@@ -345,31 +316,30 @@ provide a simple mechanism for extending and shrinking project membership
345
316
without an individual with elevated privileges, but based
346
317
on a threshold of signatures.
347
318
348
-
Clients need to take care to check for rotation to a null key (rotate
349
-
files that contain a null key). This shall be handled in the
350
-
same manner as an invalid metadata signature on by the role possessing
351
-
the key. The role will be invalid until it is re-delegated to with a new key.
352
-
Clients MUST use snapshot metadata to ensure that they recieve all rotate files
319
+
Clients MUST use snapshot metadata to ensure that they receive all rotate files
353
320
in the chain.
354
321
355
-
Intentionally rotating to null enables a repository, a
356
-
project, and individuals to explicitly revoke their key material
357
-
themselves. An individual whose key is compromised can introduce
358
-
a rotation to null, and all delegations to them will be invalid.
359
-
360
322
For mitigation of private key compromises, rotation can be used if and
361
323
only if it can be assured that the legitimate holder is faster (at the
362
324
snapshot service, and/or at the client) than the attacker who got
363
325
control over the private key. Because this is hard to achieve, it is
364
326
recommended for proper mitigation that the delegation itself is changed from
365
327
the compromised key to a new key as soon as possible. Key revocation using
366
-
rotation defined in this TAP can be used as a stop-gap for delegations made
328
+
rotation defined in TAP 20 can be used as a stop-gap for delegations made
367
329
by offline keys that may take some time to update.
368
330
369
331
As a general note, this TAP only extends the possibilities of a target,
370
332
but the delegation mechanism is still in place - i.e. a key higher up
371
333
in the delegation can always revoke / modify the delegation itself.
372
334
335
+
A key holder or attacker could upload a large number of rotate files to DoS the
336
+
role or repository. This is similar to an existing attack where an attacker
337
+
with access to a private key can upload several different versions of the same
338
+
metadata file. To mitigate this attack on rotations, the repository should
339
+
set a limit on the number of rotate files per role. If a role needs to change
340
+
more than this limit, the delegator must re-delegate to a new role, re-setting
341
+
any rotations.
342
+
373
343
Baton - Baton: Certificate Agility for Android’s Decentralized Signing
0 commit comments