internetstandards / Internet.nl

Internet standards compliance test suite
https://internet.nl

Place the PGP-key in a standardized location for security.txt #853

Open WKobes opened 1 year ago

WKobes commented 1 year ago

Currently, the security.txt defines the PGP key to be at: Encryption: https://internet.nl/disclosure/

It would be better to point to the key for automated reporting directly.

There are three possibilities:

  1. An upcoming RFC (still in draft) to publish PGP keys in the .well-known directory, preferably on its own subdomain. See https://datatracker.ietf.org/doc/draft-koch-openpgp-webkey-service/.
  2. Experimental RFC 7929 where the key is published in a dedicated DNS Resource Record. See https://datatracker.ietf.org/doc/html/rfc7929#page-6.
  3. Use the openpgp4fpr URI scheme. See https://www.iana.org/assignments/uri-schemes/prov/openpgp4fpr.

2 and 3 are listed as examples in https://datatracker.ietf.org/doc/html/rfc9116#section-2.5.4. 1 seems the easiest to implement.

Seirdy commented 1 year ago

Web Key Directory currently has the most adoption. It's used extensively in the Ariadne Identity Specification and is the preferred key-fetching mechanism for PGP-encrypted in implementations such as GnuPG.

That being said, I'd also be interested in distribution mechanisms that aren't intrinsically tied to PGP to facilitate a future migration plan to adopt more modern or better-designed keys. SSH keys and SSHFP records come to mind; they can be used to encrypt or sign arbitrary data now.

bwbroersma commented 1 year ago

The direct method seems pretty easy, see OpenPGP Web Key Directory - section 3.1. Serve an empty /.well-known/openpgpkey/policy file, see OpenPGP Web Key Directory - section 4.5:

A site supporting the Web Key Directory MUST serve this file; it is sufficient if that file has a zero length. Clients may use this file to check for Web Key Directory support.

The Content-Type SHOULD be set to "application/octet-stream" by inserting this here in the apache.conf:

<Location "/.well-known/openpgpkey/hu/">
    SetHandler None
    Require all granted
    <IfModule mod_mime.c>
        ForceType application/octet-stream
    </IfModule>
</Location>

Optionally include this for Cross-Origin Resource Sharing (CORS) in the above block:

    <IfModule mod_headers.c>
        Header always set Access-Control-Allow-Origin "*"
    </IfModule>

Of course the IfModule tags can be removed. See https://github.com/internetstandards/Internet.nl/issues/930#issuecomment-1492030855 for the correct URLs and #932 for my proposed security.txt with unique values for these 3 fields.
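The comment above relies on the WKD "direct method" path layout, but the thread never spells out how the per-address file name under /.well-known/openpgpkey/hu/ is derived. The following is an added example, not code from the Internet.nl repository or from any commenter: it implements the draft-koch-openpgp-webkey-service derivation (SHA-1 of the lower-cased local part, z-base-32 encoded) and builds both the direct-method and advanced-method URLs plus the matching policy-file URLs. The `Joe.Doe@Example.ORG` address is the draft's own worked example; the other addresses are constructed for illustration.

```python
"""Derive OpenPGP Web Key Directory (WKD) lookup URLs for an e-mail address.

Added example, not code from the Internet.nl project. It follows the
direct and advanced methods of draft-koch-openpgp-webkey-service:
the key for <local-part>@<domain> is served at
  .../openpgpkey/hu/<zbase32(sha1(lowercase(local-part)))>?l=<local-part>
Runs fully offline; no key is fetched.
"""
import hashlib
from urllib.parse import quote

# z-base-32 alphabet used by WKD (not the RFC 4648 base32 alphabet).
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as unpadded z-base-32 (a 20-byte SHA-1 digest -> 32 chars)."""
    bits = int.from_bytes(data, "big")
    nbits = len(data) * 8
    # Right-pad to a multiple of 5 bits so every 5-bit group maps to one symbol.
    pad = (-nbits) % 5
    bits <<= pad
    nbits += pad
    return "".join(
        ZBASE32_ALPHABET[(bits >> shift) & 0x1F]
        for shift in range(nbits - 5, -1, -5)
    )


def wkd_hash(local_part: str) -> str:
    """WKD file name: z-base-32(SHA-1(lower-cased local part))."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)


def wkd_urls(address: str) -> dict:
    """Return the WKD key and policy URLs for both lookup methods."""
    local_part, _, domain = address.rpartition("@")
    if not local_part or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    domain = domain.lower()          # the domain is case-insensitive
    h = wkd_hash(local_part)         # the hash is over the lower-cased local part
    # The l= parameter carries the local part as written (not lower-cased),
    # percent-encoded so characters like '+' survive in the URL.
    query = "?l=" + quote(local_part, safe="")
    base_direct = f"https://{domain}/.well-known/openpgpkey"
    base_advanced = f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}"
    return {
        "hash": h,
        "direct": f"{base_direct}/hu/{h}{query}",
        "direct_policy": f"{base_direct}/policy",
        "advanced": f"{base_advanced}/hu/{h}{query}",
        "advanced_policy": f"{base_advanced}/policy",
    }


if __name__ == "__main__":
    # Address from the draft's worked example, plus one constructed address
    # resembling the thread's contact mailbox (not a claim about its real key).
    for addr in ("Joe.Doe@Example.ORG", "question@internet.nl"):
        for name, url in wkd_urls(addr).items():
            print(f"{addr:24} {name:16} {url}")
```

A client probing the direct method first fetches `direct_policy` (the zero-length file the comment above says MUST exist) and only then the `direct` URL, which is why the policy file matters even though it carries no content; the `advanced` URLs are what a client tries first when an `openpgpkey.` subdomain resolves.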

bwbroersma commented 1 year ago

The quick win for now (without Apache config changes) is described in https://github.com/internetstandards/Internet.nl/issues/932#issuecomment-1513237935, just link to the plain PGP key:

# Our OpenPGP key
Encryption: https://internet.nl/static/question@internet.nl_0x45028563.asc