-
-
Notifications
You must be signed in to change notification settings - Fork 707
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Implement decentralized GPG login #220
Comments
As a self-hoster, this is the holy grail. Well, ssh or gpg keys, I don't really care. Manually adding a few keys to a key ring is fine for self-hosting. Please just get the mechanism there first and then worry about automating it. No one has had a good idea about the latter, ever, so far as I know. |
Implementing such a feature would be really awesome for self-hosting apps. A cool project to take a look at that has tackled the idea is monkeysphere, though their browser plugin only supports Firefox for the time being. |
That's great that monkeysphere has been looking into this! Thanks for |
another options to allow personal certificates, and be able to install a CA certificate. (xca can be used to issue/revoke certificates ..) |
IMHO that would be something for another issue :-) |
Unsure whether this should be an entirely different ticket, but for your consideration: IndieAuth! It is not a very widely used service, but I think it has great potential. |
@paulproteus By GPG login do you mean via some sort of challenge/response mechanism? Like if I want to login as user@domain.com, Sandstorm grabs my GPG pubkey from Keybase, encrypts a challenge to me, I decrypt it, then I paste that into a web form (or paste in the answer encrypted with the server's pubkey) to log in? |
why, you obtain them from a CA... If someone creates a a private CA and signs through that, is just mean the Public key of the Selfowned CA must be in the trusted store on the "server", or in the path the "Service" uses. This is equivalent to Login by mail adres.... where the mail adres is signed by a Trusted CA and the trusted CA is known in the trusted CA list. The same certificate can be used to sign or encrypt mail (S/MIME). XCA is a good tool to manage a private CA..., http://xca.sourceforge.net |
Explanation of this from @kentonv in this post on sandstorm-dev:
|
And through the fingerprint & id the remainder of info & web of trust can be checked. (who trusts who, who cosigned the GPG and to what level, including mail addresses). |
Is there any work on this actually happening? With the fingerprint-as-identity solution, I'm envisioning part of a sign-in page that looks something like:
|
@zenhack Relevant: https://sandstorm.io/news/2015-05-01-is-that-ascii-or-protobuf Though probably the answer to that problem here is to say: "You need to use a signing key that you only use for signing natural language text." Another thing to consider: If we used decryption rather than signing, then we could actually store a symmetric key encrypted to your public key, and encrypt all your data on the server with that symmetric key, such that there's no way for Sandstorm to access your data at rest (only when you log in). However, there is a risk that users will unwittingly turn into a decryption oracle for their Sandstorm server. Otherwise, yes, that's more or less what I'd like to implement. But no, there is no work happening on this currently -- too much other stuff to do. If you'd like to work on it, that'd be cool! |
Ok, yeah, wow. My immediate thought is "how many developers can I find in the wild who sign packages, git tags and emails with the same key?" "You need to use a signing key that you only use for signing natural language text" sounds more much like "You should use a different password for every site" than I'm comfortable with -- my bet is many people won't. Doesn't diminish the importance of the advice (in either case). I will need to think about this. |
Maybe the thing to do is just document that pitfall right on the login page itself; might actually raise some awareness of the issue. Perhaps as a mitigating measure we should look at other popular things GPG is used to sign; distro packages, git tags, whatever monkey sphere does... and craft the string format to avoid collisions with those. This way, an attacker would at least need to make the string look different from what the user usually sees, even if it otherwise seems innocuous. |
I'm inclined to say that GPG login should probably be attached to an email identity rather than a separate type of identity for a couple of reasons:
This proposal does have its downsides - my GPG key id is stable in a way email addresses added/removed might not be, and multiple emails associated with the same GPG key would wind up being different identities. I think these drawbacks are less problematic than the UX issues described above, and that in practice, very few users will be impacted. I'd like to hear what others think, though! A possible setup flow would be:
Then, future emails (including login token emails) delivered to that email address would be encrypted to the public key on file. Thoughts? |
Question: How do email notifications work with github login? Observation: what you propose is basically just the existing email login I don't know that I think the UX is going to be much worse than the "go I do think this is fairly niche. IIRC correctly, this issue dates back |
Good question! GitHub provides a set of verified email addresses, and we trust those. You can see the email addresses you've proven to Sandstorm at e.g. https://oasis.sandstorm.io/account . If you haven't proven any email address to GitHub, then it'll just be your GitHub noreply address, and that is indeed sad UX because then you won't have any way to receive notifications from the server, and probably won't know that you're missing anything. Perhaps that should be filed as a separate bug, but I don't think I know very many GitHub users that don't have even a single email address confirmed, so hopefully it's not too serious.
Yep, good summary. We could also potentially encrypt any other email intended for the user with the public key on file.
A fair point.
Hmm, interesting observation. I've got two answers for "what unsolved problem does this potentially solve" (and would welcome hearing others I've missed):
I suspect that the Tor folks would still like it if they could make their email login codes and sharing links not be leaked to the NSA every time they try to login, since it's known from the XKeyscore rules that
There's also the "I want something even higher-assurance authentication than Google or GitHub or email provide, and I believe I am very competent at managing secrets" workflow. That set of users are probably served similarly well by some flavor of 2FA (which I have ideas for and am thinking about how I might also support U2F). In a sense, if GPG key is not your "identity", it is instead one type of "second factor" that you could use to prove ownership of an account. Either of these are problems that I think are still worth solving, and which GPG might help with in some way. That said, especially for "higher-assurance-user-authentication", I think we can build a thing which is better at protecting more users if we eschew GPG than if we use it. |
I think those are good use cases. Perhaps the PGP thing could actually be orthoginal to the login type; essentially a "when you send me email, encrypt it" checkbox. Might be beter than the proliferation of more login options (esp. with things that are somewhat niche); I think this could be fairly non-intrusive. Random thought: Github semi-recently provided the ability to register public keys with your account. |
Hmm, it would be interesting to be able to tell Sandstorm to PGP-encrypt all email sent to my address. For that reason alone I'd say that focusing on adding PGP as a modifier to existing identities, rather than a new kind of identity, makes sense. I still do think that having an identity type that is actually a public key would be useful. Arguably, having a verified email address is not necessary if we also deliver all emails as bell-menu notifications. Public-key-identity users could be told that they will need to log in regularly to see notifications. But perhaps implementing PGP-encrypted email first makes sense. |
Hello, Ahmed DAOUDI . |
So, this issue isn't really related to your problem -- standard email login should work fine. Also, for email login you don't actually need the server to be able to receive email, only send it. How have you configured mail on your sandstorm box? Admin panel -> email configuration. |
Hello @zenhack I don't know what to put in the "SMTP HOST" For the "PORT" I put "25", I also tried with "2525" as seen in a forum but it does not work. The fields "Username (optional)" and "Password (optional)" are left blank. I would like to be able to send emails to other users, and they can create an account with a different address than Gmail. I have a 500 internal server error when I try to send out the invitation, and when I copy the registration link and try to force it to register (without going through the mail reception, can not create an account). Do you have any idea where my problem will come from? Thank you ... Ahmed DAOUDI. |
@DEVAHMEDDAOUDI, I think you're misunderstanding how that panel works. You need an SMTP server you can use to send email, those settings specify how to connect to it (port 25 is for receiving email, which isn't relevant to sending login emails). If you don't otherwise have something mailgun isn't a bad option. Once you've got that set up, you'll need to input the information provided by mailgun into the admin panel; for mailgun you'd put in smtp.mailgun.org as the host and port 587 as the port, and you'll need to get the username/password/email address from them. |
Any updates on this? It seems like two separate issues are being discussed: using a PGP key pair as an identity, and having the server encrypt all email to you with PGP. I'd love to see both of these! |
@jonpavelich, I don't believe anything has changed on this front, no. |
Posting the idea it's possible via crypto coin accounts to have a crypto identity and a mailbox for it (Airdrop). Using something like DIDs or webfinger where it's a URI with a well known folder for a specific identity at a home server is possible too. |
Right now, self-hosters must choose between Google auth and GitHub auth. This is sub-optimal for people who would prefer to be entirely self-reliant.
This issue tracks work required to deliver the first version of GPG login so that this is a serious option.
The text was updated successfully, but these errors were encountered: