-
Notifications
You must be signed in to change notification settings - Fork 550
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
If --cert-email
is provided, --cert-oidc-provider
should be required (verification)
#1947
Comments
In lock step with this, we should make sure that policy-controller also behaves identically. For example here: We should then enforce that you must specify both Issuer and Subject. |
The only thing I'll argue with is the "okay" part 🙂 -- IMO, it's not "okay" until there's a clearer (and public) threat model explaining what verification actually means. My intuition (which was apparently wrong!) was that verification implies either strong ownership or strong attestation for an email or other identity, i.e. that the OIDC provider performed their own verification for that identity. My intuition was then that Sigstore "guaranteed" that property by only trusting a handful of "high-quality" OIDC providers that actually preserve that property, e.g. Google, MS, and GitHub. (Overall, I agree with you, if the goal is to eventually support "crappy" OIDC providers. And maybe it is! But then we should be as explicit as possible that the "identity" notion we use is "identity modulo consumer-trusted provider," not "identity.") |
Yes, this is a great point. We need to be crystal-clear on the semantics of whatever we're trying to provide.
Your intuition is currently correct! At this moment, we are only planning to support OIDC providers that meet a list of requirements like what you're describing: sigstore/fulcio#397 I personally have an outlook that I call "Fulcio maximalism": I want to minimize what we're claiming when Fulcio issues a certificate: it is not true that something is secure because it is signed with a certificate that's in Fulcio, or because its signature is Rekor. But these certs/signatures, in combination with well-designed policies, can help verify artifacts. Then, we are free to add any OIDC provider we want (the "maximal" part). (We definitely have to do that in the order of (1) set expectations, and (2) relax entry criteria). Again, disclaimer: this is purely personal opinion. |
Yep, that is correct! And I actually just updated the list Zach included to mention that OIDC providers we allow should enforce an email challenge. But maybe a bug happens and it doesn't challenge ownership. Maybe there's some sequence of steps of account creation that can bypass the challenge. At this very moment, we don't have to require both flags, there's not an immediate risk due to how the production environment (Fulcio/Dex) is set up. I think we do need to encourage proper practices though. If we don't, and one day we add an OIDC provider that doesn't appropriately challenge email ownership, then we have at best a breaking change for clients (who will need to check both) or at worst a CVE. If we enforce both now(-ish), then we start pushing verification in the right direction. There's some UX questions around how to know what the right issuer is that we'll need to figure out first. Addendum (and a TODO for me to go investigate): I added a username issuer type to Fulcio for those who run their own OIDC providers but don't run their own mail server - The SAN for username-bound certificates will be |
Ouch - good points. Is it really the case that all three current Fulcio IdPs can vouch for arbitrary domains? GitHub, Google, and maybe Microsoft also? I'd think we don't want a threat model (for use of a naked email address as id) which would forever be just as awful as it is with the current global CA debacle, where everyone is vulnerable to attacks not just on the signer's chosen email provider, but also all IdPs. I think identities should be first-class objects, perhaps using some of the W3C approaches I've briefly noticed. I for one don't want to have to be vulnerable to repos, or who they say is authorized to produce an artifact, either. Isn't that one reason that PyPI is trying to leverage this work - to protect from a PyPI breach? And imagining that people or relying parties will move (email, IdP) pairs around, half of which is familiar and half of which is obscure and nearly arbitrary, seems unreasonable. So would it make sense to eliminate use of email addresses as ids, and switch to Decentralized Identifiers (DIDs) like SCITT apparently does? Something that people don't think they can muck with. And thus do away with use of naked email addresses or separate options like --cert-email? |
@znewman01 wrote about DIDs in https://blog.sigstore.dev/privacy-in-sigstore-57cac15af0d0 It's something we could consider at some point, but for ease of use with the current infrastructure, OIDC is the best that we've got currently. |
Google and MS are able to, for sure. I'm not sure about GitHub -- I think it can in the sense that it can generate OIDC tokens for the "primary" email address registered to the account, but the UX there is poor (users with professional/individual splits...) My 0.02c regarding the threat model: I'd personally like an ecosystem where anybody can assert that I've signed for an artifact with just my email address, my GitHub handle, or the repository slug + release tag. That requires a certain amount of IdP quality control (or maybe not, if we can establish some kind of "quality" policy/allowlist?), and IMO the transitive trust that comes with that is reasonable (a breach in Google or MS's OIDC provider would be far more catastrophic than just sigstore). But to get there, we have to draw the line around what sigstore will not protect against 🙂 |
I think there are a few key points that we agree on, and a few points of departure. Give me a little bit of time and I'll try to articulate those and possible paths forward. But for now, a tangent:
Not in-scope for this issue, but lots of interesting discussion here. This document, in particular the "Associating identities with packages" section, goes into some options. If you're curious, the OpenSSF has a "Securing Software Repos" working group that will be of interest (they communicate largely in the OpenSSF Slack, and meet every couple of weeks). There are a few other references that we can dig up if you ask in one of those venues. |
Okay, so some points of agreement:
The points of disagreement:
Okay, so where do we go from here? As I expected, this is a pretty contentious topic. It's definitely turning out to be bigger than a change to the behavior of one particular flag in
|
That's a really excellent summary, thank you!
Yeah, we need to hammer this out. Here's a use case that I'd like to pursue in PyPI: once we get more people signing their releases with
In the above scenario, people aren't doing very much interaction -- they're only visually scanning information that PyPI is monitoring and providing. I believe our plan is to ultimately do something similar for
Strong agree. I think we probably want to discourage people from just visually scanning emails (or other identities) and then manually confirming that the identity has done something resembling the signing they're expecting. They should be visually scanning a product of verification (modulo a policy, like above) instead.
No surprise, but I lean towards (ii) 🙂. In terms of the things that I'd like to apply Fulcio and Sigstore towards, which IdP performed the proof isn't too important as long as all of them as considered "reliable." For better or worst, I believe this comports with the average end-user's intuition for what Fulcio is really "doing" when it issues a cert for an email identity. Without that reliable/"high-quality" guarantee, it's less clear to me (although this may be a lack of understanding on my part!) what sigstore's security proposition to the broader packaging ecosystem is -- it's easy to see a scenario in which verification against the CT log is "diluted" or otherwise impaired because implementers don't know what constitutes a reasonable policy for their use case. I think we can foresee that use case and resultant policy for them, and potentially save them some hard mistakes in the future.
IMO, no, at least not until we flesh out why this might be a desirable property. For my part, I actually think that having third-party IdPs for an email identity can make explaining emails-as-identities a little easier to less technical folks: there's an intuitive sense in which multiple potential verifiers for a single email address actually strengthen the impression that a particular identity is real. As a contrived example: my nontechnical parents might not fully grok what it means for On the security/threat model side, I'm weakly confident that supporting multiple high-quality IdPs for a single identity does not pose a significant risk separate from the already latent risk of IdP compromise. I actually think there are security wins to be had in not trying to restrict the IdP to the "canonical" one for the identity: attempting to do so means inviting the possibility of exploitable confusion around IdP changes (e.g. custom email domain, but change in mail provider) and additional ecosystem configuration (making people configure their intended IdP via yet another DNS record or similar means?) (I strongly agree with the remaining points about not trying to determine a canonical IdP for each email!)
Sounds good to me! We can continue there; I'll post this on the issue just to tie a knot around my part of the conversation 🙂 (Once again: thank you for doing this excellent summary, and continuing to push this on! I'm very excited to hammer out Sigstore's (and Fulcio's) threat model, and this is a critical part of doing so.) |
FWIW, the latest release of |
Verification of the identity of the signer is a critical part of Sigstore verification. Otherwise, you are only verifying that there is some signature that is valid, instead of checking that the signature was generated by someone you trust. For more information, sigstore/cosign#2056 contains some discussion around why we want to require these flags, and sigstore/cosign#1947 for why we require both of these flags. An open question for you is if this specified identity (which came from the certificate) will change between releases. If so, how would you like users to know which identity signed a release?
@znewman01 Closing since #2056 is completed |
I frequently see a misconception that the
--cert-email
is sufficient to verify the authenticity of an artifact. However, it's possible that some crappy OIDC provider issues OIDC tokens containing any email—and that's okay!. The only thing that a Fulcio certificate attests to is: "at this time, a successful OIDC authentication to Sigstore happened, and here are the details." It doesn't claim "the party to whom I issued this certificate is in control of the email address in the certificate."So if a client wants to check that a certificate was issued to a particular party, they should be required to specify according to whom.
^ To be clear, the above is largely opinion but I am willing to fight you about it
CC @haydentherapper who agrees IIRC
The text was updated successfully, but these errors were encountered: