GPG functionality should support verification via signature
Description
Today, the only means of getting the coveted green Verified
sticker that we all crave is by ensuring our GitLab email address is present on our public key. I posit that this is not at all desirable for a couple of reasons.
Reason 1 - Security
Performing a string comparison of the two email addresses is a great first step to demonstrate the feature, but it's not really the sort of production solution we need. The users email address, while verified by GitLab, is only a "soft" verification - technical security
if you will. Whereas, the introduction of digital signatures enables us to up our game by entering into the world of "hard" verification - cryptographic security
. technical security
is easy to bypass and it's often hamstrung by it's dimwitted cousin, process-based security
. cryptographic security
is much more difficult to circumvent.
Of course, it's always a moving goal post, we rarely find ourselves in a position where we can offer perfect cryptographic security
without relying on a bit of technical security
- but we can always do better. This is one of those places.
By requesting a signed message from the possessor of the uploaded public key, we gain assurance of two things.
- The user uploading the key has been authenticated by a
technical security
measure. -
The key holder is solidly aware that they are binding their GPG public key to the given GitLab user account and proves it using
cryptographic security
.
Reason 2 - Privacy
Personally, I do not place my email address in my public keys. It's an act of preference, since I share my public keys on the Internet and the Internet is full of people who like to send me advertisements for a variety of goods as well as malware of all sorts. I choose to maintain a shred of privacy by asserting my email address through signature to those that I trust with my email address, not everyone. GitLab is forcing me to include my email address in my public key to obtain the coveted green verified
sticker
Proposal
I am rather delighted that GitLab has taken initiative with GPG support. This feature, though popular with the cipher-punk community, is a major win for large enterprises as we move to shift them off of technical security
and process-based security
onto strong cryptographic security
.
I propose that GitLab challenge the upload of any PGP public key with a message that must be signed with the associated key (or one of it's non-revoked sub-keys). This message should include at a minimum:
- A friendly message explaining, in an understandable way, what the signer is signing.
- A fully qualified representation of the user and the instance of GitLab (eg.
mmaguigan
@my-on-premise-gitlab.widgets.example.com
) - The date of challenge in combined date and time ISO-8601 UTC.
- The date of challenge expiration in combined date and time ISO-8601 UTC.
- A challenge nonce associated with the challenge.
- The GPG fingerprint of the public key being challenged.
- [maybe] a counter indicating the number of times the user has added a GPG signature to their account.
- Not entirely convinced this one is justified.
An example of another product performing such assertions is keybase.io