s4u / pgpverify-maven-plugin

Verify Open PGP / GPG signatures plugin
https://www.simplify4u.org/pgpverify-maven-plugin/
Apache License 2.0
49 stars, 20 forks

Feature request: An actual usecase for the PGP web-of-trust #487

Open exabrial opened 1 year ago

exabrial commented 1 year ago

First, I just want to say thank you for taking your personal time to put this project out on the Internet for anyone to use. This project is particularly important because it helps harden against supply chain attacks and is a layer in making software secure.

I was perusing the code base, to figure out where the default key map is obtained from.

I came to a realization: a downloaded key map is essentially delegating trust of individual artifacts to a third-party. Duh. The nice thing about a downloaded key map is that revocation is quite fast.

You know what this sounds like? Sort of like the PGP web of trust (which rightfully has a number of criticisms when it is used for encrypting messages).

I was thinking an interesting extension point for your plug-in might be to check PGP keys to see if they are themselves signed by a trusted third-party. This essentially becomes an alternative to using the key map in this plug-in.

So for any particular parent pom or project you could designate a master key. This key could be one you own or it could be a third-party… with this master key you go and sign all of the artifact signing keys. The plug-in then trusts the artifact signing key if it is signed with the master key.

There are a couple of pitfalls that may need to be worked through:

One thing your plug-in does very well is binding a particular key to a set of artifacts. If we were checking for a master key signature on an artifact signing key, we would need to know what artifact signing key is bound to the artifact. Maybe that could be a comment when the master key signs the artifact key? (stating I trust this key for this namespace)

The other thing your plug-in does particularly well is key revocation, very quickly, by simply removing it from the trusted key map. This behavior could be replicated with a master signing key by refreshing it from a key server and looking for revocations.

Anyway, I know this has been long, but I wanted to put the idea down and open it for discussion, even if it might be years, if ever, it is implemented.

Thank you again
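The master-key check proposed above, as an added example that is not part of the issue or of pgpverify-maven-plugin's code base. It uses the Bouncy Castle OpenPGP API, assumes the Bouncy Castle provider is registered with the JCA, and uses a hypothetical notation name (not an existing convention) to carry the groupId namespace the master key vouches for, standing in for the "comment" the request mentions:

```java
import java.util.Iterator;
import org.bouncycastle.bcpg.sig.NotationData;
import org.bouncycastle.openpgp.PGPException;
import org.bouncycastle.openpgp.PGPPublicKey;
import org.bouncycastle.openpgp.PGPSignature;
import org.bouncycastle.openpgp.PGPSignatureSubpacketVector;
import org.bouncycastle.openpgp.operator.jcajce.JcaPGPContentVerifierBuilderProvider;

/** Illustration only, not pgpverify-maven-plugin code: master-key certification check. */
public final class MasterKeyCertificationCheck {
    // Hypothetical notation name the master key would put in each certification to say
    // which groupId namespace the certified key is trusted for (not an existing convention).
    static final String NAMESPACE_NOTATION = "artifact-namespace@example.org";

    /** True if masterKey validly certified a user ID on artifactKey and the certification's
     *  namespace notation covers groupId; the artifact signature itself is checked separately. */
    public static boolean trustedFor(PGPPublicKey artifactKey, PGPPublicKey masterKey,
                                     String groupId) throws PGPException {
        // Both keys are assumed refreshed from a key server, so revocations are visible here.
        if (masterKey.hasRevocation() || artifactKey.hasRevocation()) {
            return false;
        }
        Iterator<String> userIds = artifactKey.getUserIDs();
        while (userIds.hasNext()) {
            String uid = userIds.next();
            Iterator<PGPSignature> sigs = artifactKey.getSignaturesForID(uid);
            while (sigs != null && sigs.hasNext()) {
                PGPSignature sig = sigs.next();
                // Only certifications issued by the designated master key count.
                if (!sig.isCertification() || sig.getKeyID() != masterKey.getKeyID()) {
                    continue;
                }
                sig.init(new JcaPGPContentVerifierBuilderProvider(), masterKey);
                if (!sig.verifyCertification(uid, artifactKey)) continue; // damaged or forged
                // Only hashed subpackets are covered by the signature, so read the notation there.
                PGPSignatureSubpacketVector hashed = sig.getHashedSubPackets();
                NotationData[] notations = hashed == null ? new NotationData[0]
                                                          : hashed.getNotationDataOccurrences();
                for (NotationData n : notations) {
                    if (NAMESPACE_NOTATION.equals(n.getNotationName())
                            && groupId.startsWith(n.getNotationValue())) {
                        return true;
                    }
                }
            }
        }
        return false;
    }
}
```

The caller still verifies the artifact's own signature against `artifactKey`; this check only replaces the key-map lookup that binds that key to the groupId.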