[[!meta title="Revocation of the Tails signing key"]]

This document proposes a mechanism for the distribution and activation of
the revocation certificate of the Tails signing key.

Goals
=====

Covered by the current proposal:
- Prevent any single individual from revoking our signing key.

- Allow a coalition of people from tails@boum.org to revoke our signing key
  in case most of the people from tails@boum.org become unavailable.

- Allow a coalition of people, not necessarily from tails@boum.org, to
  revoke our signing key in case everybody or almost everybody from
  tails@boum.org becomes unavailable.

- Make it hard for a coalition of people not from tails@boum.org to revoke
  our signing key unless everybody or almost everybody from tails@boum.org
  becomes unavailable.

- People not from tails@boum.org shouldn't know how the shares are spread
  and who has them.

- People in possession of a share of the revocation certificate
  of the signing key should have instructions on how to use it if needed.

Groups
======

We define four complementary groups of trusted people:

  - Group A: people from tails@boum.org themselves
  - Group B
  - Group C
  - Group D

All these people should have an OpenPGP key and understand what
a revocation certificate is.

Cryptographic shares
====================

We generate a revocation certificate of the signing key and split it
into a number of cryptographic shares, using for example Shamir's secret
sharing scheme implemented by `gfshare`.

The following combinations of people could get together and reassemble their
shares to reconstruct a complete revocation certificate:

  - Three people from tails@boum.org: A{3}
  - Two people from tails@boum.org and one person not from tails@boum.org: A{2}+(B|C|D)
  - One person from tails@boum.org, and two people not from tails@boum.org but from two different groups: A+(B|C|D){2}
  - Three people not from tails@boum.org but from three different groups: (B+C+D){3}

We generate these shares:

  - N shares, one for each person from tails@boum.org
  - 1 share for people in group B
  - 1 share for people in group C
  - 1 share for people in group D
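As an added illustration (not Tails' own tooling and not compatible with the `gfshare` file format), the following Python implements a minimal Shamir scheme over GF(2^8) and lays the shares out exactly as described above: distinct shares A1..An, one share per group B, C and D that every member of that group holds identically, and a threshold of three distinct shares. The `tails_layout` function and its share names are assumptions made for this demo, and the certificate bytes are constructed; it also shows why a group share held by two people still counts as one.

```python
import functools, operator, secrets

def gf_mul(a, b):
    # Multiplication in GF(2^8) using the AES reducing polynomial 0x11B.
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def gf_inv(a):
    r = 1
    for _ in range(254):  # a^254 == a^-1 in GF(2^8); a must be non-zero
        r = gf_mul(r, a)
    return r

def eval_poly(coeffs, x):
    y = 0
    for c in reversed(coeffs):  # Horner: coeffs[0] + coeffs[1]*x + ...
        y = gf_mul(y, x) ^ c
    return y

def split(secret, threshold, n):
    # One random polynomial per byte (constant term = the byte); share x is the
    # evaluation at x = 1..n, so any `threshold` *distinct* x values reconstruct.
    polys = [[b] + [secrets.randbelow(256) for _ in range(threshold - 1)] for b in secret]
    return {x: bytes(eval_poly(p, x) for p in polys) for x in range(1, n + 1)}

def combine(shares, threshold):
    # Lagrange interpolation at x = 0. `shares` maps x -> share bytes, so two
    # copies of the same share (two members of group B, say) count as one.
    if len(shares) < threshold:
        raise ValueError("need %d distinct shares, got %d" % (threshold, len(shares)))
    xs = list(shares)[:threshold]
    basis = {xj: 1 for xj in xs}
    for xj in xs:
        for xm in xs:
            if xm != xj:
                basis[xj] = gf_mul(basis[xj], gf_mul(xm, gf_inv(xj ^ xm)))
    return bytes(functools.reduce(operator.xor, (gf_mul(shares[xj][i], basis[xj]) for xj in xs))
                 for i in range(len(shares[xs[0]])))

def tails_layout(cert, n_a):
    # A1..An distinct for tails@boum.org; B, C, D one share each, identical within a group.
    s = split(cert, 3, n_a + 3)
    named = {"A%d" % x: (x, s[x]) for x in range(1, n_a + 1)}
    named.update(B=(n_a + 1, s[n_a + 1]), C=(n_a + 2, s[n_a + 2]), D=(n_a + 3, s[n_a + 3]))
    return named
```

Each entry of `tails_layout` is an `(x, bytes)` pair, so `dict([...])` of any three of them with distinct `x` reconstructs the certificate, while `dict([A1, B, B])` collapses to two shares and is rejected.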

Who knows what
==============

  - People from tails@boum.org know the composition of each group
  - People not from tails@boum.org:
    - Are told in which circumstances they should revoke the signing key
    - Are told to write to a certain contact email address if they decide to revoke the signing key
    - Are told that they need three different shares to reassemble the revocation certificate

Infrastructure
==============

  - Everybody who owns a share is subscribed to a mailing list.
  - This mailing list is hosted on a trusted server different from boum.org to
    be more resilient than our usual communication channels.
  - Someone hosting the mailing list is part of group B, C, or D so they
    can ensure that the list keeps working even if it is never used.

Changing the members of the groups B, C, or D
=============================================

To add someone to a given group:

  - Request someone from that group to send her share to the new
    person in the group.

To remove someone from a given group:

  - Send new shares to everybody except to the person who is being removed.
  - Request everybody to delete their previous share and track this.
    Once everybody in two of the groups B, C, and D has deleted their share, it becomes
    impossible for them to reassemble the revocation certificate with the previous
    set of shares.
  - Let's hope that this doesn't happen very often :)

Expiry
======

There is no expiry date on revocation certificates. One way of
cancelling the revocation power is to destroy all copies of shares of 2
groups amongst B, C, or D.

<a id="invitation"></a>

Invitation email
================

<pre>
Subject: distribution

Hi,

We would like to propose that you be part of a distributed mechanism for the
revocation certificate of the Tails signing key.

The idea is to distribute cryptographic shares of this revocation
certificate to people that we trust. These cryptographic shares can be
put together to reassemble the revocation certificate and revoke the
Tails signing key. This may be needed in case something really bad
happens to us and we are not able to do the revocation ourselves.

Note: Throughout this document, 'us' refers to the set of people subscribed
to tails@boum.org, which is a Schleuder mailing list.

You can read a complete description of the distribution mechanism on:

https://tails.boum.org/doc/about/openpgp_keys/signing_key_revocation.

The recipe is public and the only secret component is the list of people
who are in possession of the cryptographic material.

We are proposing this to you because we trust in both your technical
abilities to store your share in a safe place and manipulate it as
required. But also because we trust you as a human being to make an
informed judgment on when to use your share and act only in the
interest of Tails.

The bad things that could happen if the mechanism fails are:

A. The signing key is not revoked when it should be. This could allow
possible attackers to distribute malicious Tails images or publish
malicious information in our name.

B. The signing key is revoked when it should not have been. This would
prevent people from verifying our images with OpenPGP until we
publish a new signing key and build trust in it.

Distribution of the shares
==========================

Each person from tails@boum.org, group A, has a *different* share, A1,
A2, ..., An.

On top of this, we defined three complementary groups, B, C, and D of
trusted people who have a close relationship with Tails but different
interests and different access to information about us. You are part of
one of these groups.

Everybody in group B has an *identical* share B.

Everybody in group C has an *identical* share C.

Everybody in group D has an *identical* share D.

Three different shares are needed to reassemble the revocation
certificate. For example, shares A1, A2, and A3, or shares A1, B, and C.

How to store your share
=======================

Please keep your share in an encrypted storage and make it as hard as
you can for untrusted people to get a copy of it.

You can rename the file as long as you keep the number in the file name
of your share as it is needed to use the share.

Feel free to back up the file, but we might also request you to delete it
at some point and you should be able to know whether you still have a
copy of it or not. It is all right to lose your share as long as you
tell us that you have lost it. It is actually worse to still have a copy
of the share "somewhere" while thinking that you don't, than to lose
it by mistake.

Don't hesitate to ask us if you need clarification on the technical
aspects of this.

When to use your share
======================

Everybody in possession of a share is subscribed to a mailing list.

If someone in possession of a share gets to learn about a very bad event
that happened to many of us and really thinks that we are not capable of
revoking the Tails signing key ourselves anymore, then this person
should write to the mailing list explaining why she thinks that the
signing key needs to be revoked.

People on the list who are also convinced that the signing key should be
revoked share their shares until they have 3 different shares. Then they
can assemble the revocation certificate and publish it to revoke the
signing key.

Yes, there is no mathematically proven algorithm for this and here is
where your judgement as a human being is needed. The description of the
very bad event should be checked or backed by enough people to be
plausible.

Keep in mind that we could still revoke the signing key ourselves as
long as three of us are able to communicate and gather their shares. So
we only need your help if no more than two of us are still able to
communicate.

Unless you really want to start the key revocation process, do not write
to this mailing list.

Further communications
======================

In case we need to communicate with you about this revocation mechanism
in the future, we will always do it with messages signed by the Tails
signing key itself. We might do so for example to:

  - Ask you to send your share to a new member of your group.

  - Ask you to delete your share. This could be needed to cancel the
    power of other people's shares: as long as enough of you delete
    their shares, the few people that might not delete them would end up
    with unusable shares.

So, can we count on you for this?

If you answer positively, we will send you your share and subscribe you
to the mailing list.

Thanks, and may the force be with you!
</pre>

Keeping the members of the groups B, C, and D up-to-date
========================================================

At least every 2 years, we make sure that the mechanism still works:

1. We review internally the list of members of each group and decide
   possible additions to, and removals from, each group.

1. We write to every individual member of each group to ask them to check
   that they still have their share and the number in the file name.

<pre>
Subject: update

Hi,

Some years ago, you agreed to be part of a distributed mechanism for the
revocation certificate of the Tails signing key and we sent you a
cryptographic share of this revocation certificate.

Today, we are asking you to:

1. Verify that this email is signed by the Tails signing key.

2. Confirm whether you still have in your possession:

   - Your share of the revocation certificate.

     The file was named tails-signing-key-revocation-cert.asc.NNN, where
     NNN is a 3-digit number.

   - The number NNN in the file name of your share.

For the record, the address of the mailing list that you should write to
in case you want to assemble the revocation certificate is:

    address@example.org

We are also copying below a summary of the mechanism.

XXX: Copy the invitation email:
XXX: - Include "You can read a complete description of the distribution mechanism on:"
XXX: - Stop before "So, can we count on you for this?"
</pre>

### To add new members

1. Send the [[invitation email|signing_key_revocation#invitation]] to
   the new member.

1. If they agree, ask someone else from the same group to send them
   their share of the revocation certificate.

   Unfortunately, this reveals some membership information to these two
   people.

1. Ask the new member to confirm the reception of their share.

<pre>
Subject: sharing

Hi,

We asked someone else from your group to send you a copy of your share.

Please tell us once you receive it.

The address of the mailing list that you should write to in case you
want to assemble the revocation certificate is:

    address@example.org

Thanks, and may the force be with you!
</pre>