gnupg 'signing server'? Looking for advice on key management/security
Alexander Leidinger
Alexander at Leidinger.net
Mon Nov 13 09:04:26 CET 2023
On 2023-11-13 07:09, Stephan Verbücheln via Gnupg-users wrote:
> On Sun, 2023-11-12 at 19:46 -0600, Jacob Bachmeyer wrote:
>> A PIN does not solve the problem, since the PIN is entered on
>> the device, which could be backdoored to store the PIN
>
> That's why card readers with pinpads were invented, and GnuPG also
> supports that:
> https://www.gnupg.org/howtos/card-howto/en/ch02s02.html
>
> Other ideas to improve isolation:
> * If you trust your Linux distribution in general but not every single
> desktop app, you can use a separate Linux user for sensitive
> activities.
> * You can use GnuPG Agent Forwarding via SSH to sign a file on a less
> trusted server from a more trusted client. This way your PIN is entered
> on the more trusted client machine.
What can you sign?
Incomplete answer:
- git commits
- files
- emails
How can you sign emails?
Incomplete answer:
- webmail interface
- MUA with pgp support
From which systems can you use such email signatures?
Incomplete answer:
- Android
- iOS
- Windows
- MacOS
- Linux
- FreeBSD
- your TV (e.g. if it has a web browser)
A Yubikey or similar, and agent forwarding, can't be used when I am not at
home and access my webmail interface (I want to have a big screen for
certain emails); typically this is not supported by a webmail interface.
Agent forwarding can't be used for this use case either.
I'm interested to hear about an Android app which supports Yubikeys, but
this is out of curiosity, as it doesn't help with the above case of a
webmail interface.
Right now, there is no solution which allows an Android app, a webmail
interface from the work PC and a MUA or webmail interface on/from your
PC at home (no matter which OS) to use _1_ central location of your
private key (so far you may be able to have it stored in your webmail
solution, and on your Yubikey for apps/git/files, but the last part
depends on something which is able to forward it to remote locations,
which doesn't work if you need to use a web-interface-based SSH gateway
solution instead of direct SSH access). Feel free to prove me wrong, I
would love to have a solution for this.
Note, while looking up something related, I found an old German overview
of the email-app situation, written by the authors of GPG for the German
ministry of information security:
https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Studien/OpenPGP/openpgpandroid.pdf?__blob=publicationFile&v=2
I have skimmed some parts and it looks like the situation hasn't
really changed in the last 8 years.
If you think about it (I just invested 1 minute), you would need:
- some server with your private key which is reachable from everywhere
- a safe authentication possibility to it
- a remote signing protocol
- support in all apps/MUAs/...
One could argue that if you put OIDC in front of gnupg-agent on a network
socket, you have covered the first 3 items (but I would bet it is not
as simple as that). Then it would simply be support in all the
apps/MUAs/... (webmail interfaces which already use gnupg-agent would
be simple to convert if gnupg-agent had a proxy feature which
would connect to the remote agent).
Bye,
Alexander.
--
http://www.Leidinger.net Alexander at Leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org netchild at FreeBSD.org : PGP 0x8F31830F9F2772BF
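The agent forwarding over SSH that Stephan's quoted reply mentions, as an added example that is not part of the original thread or of GnuPG's own tooling: a small POSIX sh helper that builds the `ssh -R` forwarding for the *restricted* agent socket (S.gpg-agent.extra) and refuses to forward the full S.gpg-agent socket, since the extra socket is the one GnuPG intends to expose to less trusted machines (no key export, no passphrase changes). The remote socket path and the uid-1000 fallbacks are assumptions for illustration; check the real path on the remote with `gpgconf --list-dirs agent-socket`.

```shell
#!/bin/sh
# Added example (not from the original mailing-list post): forward the local
# gpg-agent's restricted "extra" socket to a less trusted SSH host so that
# signing and the PIN/passphrase prompt stay on the trusted client.
set -eu

# forward_spec LOCAL_EXTRA_SOCKET REMOTE_SOCKET
# Prints the argument for "ssh -R". Refuses anything but S.gpg-agent.extra:
# forwarding the full S.gpg-agent socket would let the remote host export
# keys or change passphrases through the agent.
forward_spec() {
    local_sock=$1
    remote_sock=$2
    case "${local_sock##*/}" in
        S.gpg-agent.extra) ;;
        *)
            echo "refusing to forward ${local_sock}: only S.gpg-agent.extra should leave this machine" >&2
            return 1
            ;;
    esac
    printf '%s:%s\n' "$remote_sock" "$local_sock"
}

# local_extra_socket: ask gpgconf when it is installed; otherwise assume the
# default per-user runtime layout (an assumption, not something GnuPG promises).
local_extra_socket() {
    if command -v gpgconf >/dev/null 2>&1; then
        gpgconf --list-dirs agent-extra-socket
    else
        printf '/run/user/%s/gnupg/S.gpg-agent.extra\n' "$(id -u)"
    fi
}

# forward_agent user@host [REMOTE_SOCKET]
# Opens the SSH session with the agent socket forwarded. The remote socket
# path below assumes uid 1000 on the remote host (illustrative default).
forward_agent() {
    host=$1
    remote_sock=${2:-/run/user/1000/gnupg/S.gpg-agent}
    spec=$(forward_spec "$(local_extra_socket)" "$remote_sock") || return 1
    # ExitOnForwardFailure: a forward that cannot be bound (e.g. a stale socket
    # file on the remote) aborts the session instead of leaving a remote gpg
    # that quietly talks to a keyless local agent.
    ssh -o ExitOnForwardFailure=yes -R "$spec" "$host"
}

# Example invocation (hypothetical host):
#   forward_agent me@build-host.example
# then on the remote:  gpg --no-autostart --detach-sign file
```

Two things the remote side needs before this works: `StreamLocalBindUnlink yes` in its sshd_config so sshd replaces a stale socket file left by a previous session, and a copy of the public key (`gpg --export KEYID | ssh host gpg --import`) so the remote gpg can look up which key the forwarded agent holds. Running the remote gpg with `--no-autostart` makes a missing forward fail loudly instead of spawning a local agent that has no keys.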