keybase / client

Keybase Go Library, Client, Service, OS X, iOS, Android, Electron
BSD 3-Clause "New" or "Revised" License

Changing PGP key keeps the old verification (with old PGP key) still valid #8984

Open andreagrandi opened 7 years ago

andreagrandi commented 7 years ago

Hi,

I'm not sure if it's a bug or not, but I've recently changed my PGP key (and also added a second one I use at work) and I've noticed that if I click on my website and GitHub/Gist proofs they still show the old validation, for example:

I hereby claim:

  * I am an admin of https://www.andreagrandi.it
  * I am andreagrandi (https://keybase.io/andreagrandi) on keybase.
  * I have a public key with fingerprint 7238 74F6 886D 5994 323F  1781 8CFB 47AD C384 F0CC

but that's the PGP id of my old key, not the ID of the current one. The Keybase client doesn't refresh this information and shows these proofs as still valid.

I can manually revoke and re-add these proofs, it's not a big deal for me, but other users may be tricked into thinking I have a certain number of proofs while instead they are related to the old PGP key.

Cheers

maxtaco commented 7 years ago

https://keybase.io/blog/keybase-new-key-model

andreagrandi commented 7 years ago

@maxtaco hi Max, thanks for your reply. I saw that page but either there is still something I don't understand (highly possible) or I didn't explain the problem in the proper way. I will try again.

From my understanding of Keybase, what makes an identity "safer" is not the fact that you are "Jon Doe" with a certain PGP key attached, but the fact that you can verify the Keybase account using one or more social accounts.

So (I explain for other readers, I know you know already etc...) if it's possible to hack an account, an attacker should be able to hack my Twitter, Facebook, GitHub etc... accounts, to impersonate me.

The problem here is that if I'm able to change my PGP key and I don't need to verify myself again, my Keybase account (plus the access to any device I've added) is the single point of failure in the trust chain.

An attacker doesn't need to hack my Twitter and GitHub account. They just need to hack the Keybase account. All the existing proofs remain valid, even if the old PGP key used to sign them doesn't exist anymore in my Keybase account.

It's misleading that a user can click on my website proof and find a message signed with another PGP key that doesn't exist anymore (even if it's still saved in the Keybase history).

Thanks for taking your time to reply, cheers

junderw commented 7 years ago

That is how GPG works though.

The assumption is that once you revoke a key, any signatures AFTER the revocation are invalid. Signatures made BEFORE the revocation are always valid.

The revocation data as well as any signatures in GPG have the date included in the signature... so as long as the user is certain you were the sole owner of the PGP key at the point when the proof was signed, that's all they need to know.

Yes, if any device or paper key is compromised, your only option is to revoke the device before they create a new device using it. And if they do, revoke those devices as they appear. Although it would be much safer if you just revoke all keys and proofs and start over.

Currently, though, I would be less worried about a device being compromised and make sure you only log into the keybase web UI on a secured device.

Your keybase web UI login and password are all that's needed to revoke all keys and start over fresh. (old proofs are invalidated though)

andreagrandi commented 7 years ago

> That is how GPG works though.
>
> The assumption is that once you revoke a key, any signatures AFTER the revocation are invalid. Signatures made BEFORE the revocation are always valid.

I agree on this, but if PGP was safe enough, where would the value of Keybase allowing multiple identity proofs be?

It is possible that I decide to remove one of my old keys and add a new one. It's exactly what I recently did when I changed my PGP key. But it's also possible that someone else does it, without needing to reconfirm all the other proofs.

> Currently, though, I would be less worried about a device being compromised and make sure you only log into the keybase web UI on a secured device.
>
> Your keybase web UI login and password are all that's needed to revoke all keys and start over fresh. (old proofs are invalidated though)

And this is another weak point: if only a username and password are needed, it means there is no 2 factor authentication on the web and it's an even weaker point.

Don't get me wrong: I think Keybase is a beautiful idea, I don't think it would need any drastic change. I just say that, personally, if a user wants to change their key, that's fine, but they would have to sign the proofs again. And I would add 2FA to the web interface (if it was a Django/Flask project I would personally implement this for you).

In any case, good work. I hope to see these features implemented some day.

Thanks again for your reply
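
The revocation rule quoted in this thread (signatures made before a key's revocation stand, later ones do not) and the re-signing suggestion in the last comment, as an added example that is not part of the thread and not Keybase's code. The `Key` and `Proof` types, the fingerprints and the dates are hypothetical, and signing times are assumed to be trustworthy.

```go
package main

import (
	"fmt"
	"time"
)

// Hypothetical types for this example; not Keybase's data model.
type Key struct{ RevokedAt *time.Time } // nil while the key is active
type Proof struct {
	Service, SignedBy string    // SignedBy: fingerprint named in the proof
	SignedAt          time.Time // assumed trustworthy
}

// Classify: a signature made before the key's revocation stands; one made at or after it does not.
func Classify(p Proof, keys map[string]Key) string {
	k, ok := keys[p.SignedBy]
	switch {
	case !ok:
		return "unknown-key"
	case k.RevokedAt == nil:
		return "valid-active-key"
	case p.SignedAt.Before(*k.RevokedAt):
		return "valid-retired-key"
	}
	return "invalid-after-revocation"
}

// NeedsResign lists services whose proof is not signed by an active key.
func NeedsResign(proofs []Proof, keys map[string]Key) (out []string) {
	for _, p := range proofs {
		if Classify(p, keys) != "valid-active-key" {
			out = append(out, p.Service)
		}
	}
	return out
}

func main() {
	day := func(d int) time.Time { return time.Date(2017, 1, d, 0, 0, 0, 0, time.UTC) }
	revoked := day(10)
	// Constructed sample data; fingerprints are placeholders.
	keys := map[string]Key{"OLDKEY": {&revoked}, "NEWKEY": {}}
	proofs := []Proof{{"website", "OLDKEY", day(2)}, {"github", "OLDKEY", day(12)}, {"twitter", "NEWKEY", day(11)}}
	for _, p := range proofs {
		fmt.Printf("%-8s %s\n", p.Service, Classify(p, keys))
	}
	fmt.Println("re-sign:", NeedsResign(proofs, keys))
}
```

The `valid-retired-key` class is the case the issue describes: the proof still verifies under the revocation rule, but it is bound to a key that is no longer on the account.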