Questo documento propone un meccanismo per la distribuzione e l'attivazione del certificato di revoca della chiave di firma Tails.

Obiettivi

Oggetto dell'attuale proposta:

  • Impedire a qualsiasi singolo individuo di revocare la nostra chiave di firma.

  • Allow a coalition of people from the Board to revoke our signing key in case most of the people from the Board become unavailable.

  • Allow a coalition of people, not necessarily from the Board, to revoke our signing key in case everybody or almost everybody from the Board becomes unavailable.

  • Make it hard for a coalition of people not from the Board to revoke our signing key unless everybody or almost everybody from the Board becomes unavailable.

  • People not from the Board shouldn't know how the shares are spread and who has them.

  • Le persone che possiedono una quota del certificato di revoca della chiave di firma dovrebbero essere istruite su come utilizzarla in caso di bisogno.

Gruppi

Definiamo quattro gruppi complementari di persone fidate:

  • Group A: people from the Board themselves
  • Gruppo B
  • Gruppo C
  • Gruppo D

Tutte queste persone devono avere una chiave OpenPGP e capire cosa sia un certificato di revoca.

Quote crittografiche

Generiamo un certificato di revoca della chiave di firma e lo suddividiamo in un numero di quote crittografiche, utilizzando per esempio lo schema Shamir's secret sharing, implementato da gfshare.

Le seguenti combinazioni di persone possono unirsi e riassemblare le loro quote per poter ricostruire un certificato di revoca completo:

  • Three people from the Board: A{3}
  • Two people from the Board and one person not from the Board: A{2}+(B|C|D)
  • One person from the Board, and two people not from the Board but from two different groups: A+(B|C|D){2}
  • Three people not from the Board but from three different groups: (B+C+D){3}

Generiamo queste quote:

  • N shares, one for each person from the Board
  • 1 quota per le persone del gruppo B
  • 1 quota per le persone del gruppo C
  • 1 quota per le persone del gruppo D

Chi sa che cosa

  • People from the Board know the composition of each group
  • People not from the Board:
    • Are explained in which circumstances they should revoke the signing key
    • Are told to write to a certain contact email address if they decide to revoke the signing key
    • Are told that they need three different shares to reassemble the revocation certificate

Infrastruttura

  • Tutti quelli che possiedono una quota sono iscritti a una mailing list.
  • Questa mailing list è hostata in un server fidato differente da boum.org, in modo che sia più resiliente rispetto ai nostri soliti canali di comunicazione.
  • Certe persone che hostano la mailing list fanno parte del gruppo B, C, o D; in questo modo possono assicurare che la lista continui a funzionare anche se inutilizzata.

Cambiare i membri dei gruppi B, C, o D

Per aggiungere qualcuno ad un certo gruppo:

  • Richiedi a qualcuno di quel gruppo di inviare la sua quota alla nuova persona del gruppo.

Per rimuovere qualcuno da un certo gruppo:

  • Invia nuove quote a tutte le persone eccetto alla persona che si vuole rimuovere.
  • Richiedi a tutte le persone di cancellare le loro vecchie quote e di considerare quella nuova. Quando tutte le persone in almeno 2 gruppi tra B, C, o D hanno cancellato le loro quote, a questo punto diventa impossibile per loro riassemblare il certificato di revoca con l'insieme di quote precedenti.
  • Speriamo che questo non accada molto spesso :)

Scadenza

Il certificato di revoca non ha una data di scadenza. Un modo per cancellare il potere di revoca è quello di rimuovere tutte le copie di quote di almeno 2 gruppi tra B, C, o D.

Email di invito

Qualcuno che ha una rapporto di fiducia personale con la persona invitata invia questa email.

Subject: distribution

Hi,

We want to propose you to be part of a distributed mechanism for the
revocation certificate of the Tails signing key.

The idea is to distribute cryptographic shares of this revocation
certificate to people that we trust. These cryptographic shares can be put
together to reassemble the revocation certificate and revoke the Tails
signing key. This may be needed in case something really bad happens to us
and we are not able to do the revocation ourselves.

Note: In all this document, 'us' refers to the Board.

You can read a complete description of the distribution mechanism on:

https://tails.net/doc/about/openpgp_keys/signing_key_revocation/index.it.html.

The recipe is public and the only secret component is the list of people who
are in possession of the cryptographic material.

We are proposing this to you because we trust in both your technical
abilities to store your share in a safe place and manipulate it as
required. But also because we trust you as a human being to make informed
judgment on when to use your share and act only in the interest of Tails.

The bad things that could happen if the mechanism fails are:

A. The signing key is not revoked when it should be. This could allow
possible attackers to distribute malicious Tails images or publish malicious
information on our name.

B. The signing key is revoked when it should not have been. This would
prevent people from verifying our images with OpenPGP until we publish a new
signing key and build trust in it.

Distribution of the shares
==========================

Each person from the Board, group A, has a *different* share, A1, A2, ...,
An.

On top of this, we defined three complementary groups, B, C, and D of
trusted people who have a close relationship with Tails but different
interests and different access to information about us. You are part of one
of these groups.

Everybody in group B has an *identical* share B.

Everybody in group C has an *identical* share C.

Everybody in group D has an *identical* share D.

Three different shares are needed to reassemble the revocation
certificate. For example, shares A1, A2, and A3, or shares A1, B, and C.

How to store your share
=======================

Please keep your share in an encrypted storage and make it as hard as you
can for untrusted people to get a copy of it.

You can rename the file as long as you keep the number in the file name of
your share as it is needed to use the share.

Feel free to back up the file but we might also request you to delete it at
some point and you should be able to know whether you still have a copy of
it or not. It is all-right to lose your share as long as you tell us that
you have lost it. It is actually worse to still have a copy of the share
"somewhere" while thinking that you don't, than to lose it by mistake.

Don't hesitate to ask us if you need clarification on the technical aspects
of this.

When to use your share
======================

Everybody in possession of a share is subscribed to a mailing list.

If someone in possession of a share gets to learn about a very bad event
that happened to many of us and really thinks that we are not capable of
revoking the Tails signing key ourselves anymore, then this person should
write to the mailing list explaining why she thinks that the signing key
needs to be revoked.

Yes, there is no mathematically proven algorithm for this and here is where
your judgment as a human being is needed. The description of the very bad
event should be checked or backed by enough people to be plausible.

People on the list who are also convinced that the signing key should be
revoked share their shares until they have 3 different shares. Then they can
assemble the revocation certificate and publish it to revoke the signing
key.

Keep in mind that we could still revoke the signing key ourselves as long as
three of us are able to communicate and gather their shares. So we only need
your help if no more than two of us are still able to communicate.

Unless you really want to start the key revocation process, do not write to
this mailing list.

Further communications
======================

In case we need to communicate with you about this revocation mechanism in
the future, we will always do it through the tails@boum.org mailing list. We
might do so for example to:

  - Ask you to send your share to a new member of your group.

  - Ask you to delete your share. This could be needed to cancel the power
    of others people's share: as long as enough of you delete their shares,
    the few people that might not delete them would end up with unusable
    shares.

The tails@boum.org mailing list has its own OpenPGP key, which is signed by
the Tails signing key itself:

    https://tails.net/tails-email.key

So, can we count on you for this?

If you answer positively, we will send you your share and subscribe you to
the mailing list.

Thanks, and may the force be with you!

Mantenere aggiornati i membri dei gruppi B, C, e D

Almeno ogni 2 anni, ci assicuriamo che il meccanismo funzioni ancora:

  1. Revisioniamo internamente la lista dei membri di ogni gruppo e decidiamo possibili aggiunte e rimozioni per ogni gruppo.

  2. Scriviamo ad ogni singolo membro di ciascun gruppo per chiedergli di controllare se possiede ancora le sue quote e il numero nel nome del file.

  3. Accediamo all'interfaccia di amministrazione della mailing list, controlliamo che essa esista ancora e che sia configurata correttamente.

Email di aggiornamento

Inviamo queste email tramite tails@boum.org per evitare il bisogno di una relazione di fiducia personale tra il mittente e il recipiente destinatario. Facendo questo, non inviamo quote dei gruppi B, C, o D tramite tails@boum.org.

Subject: update

Hi,

Some years ago, you agreed to be part of a distributed mechanism for the
revocation certificate of the Tails signing key and we sent you a
cryptographic share of this revocation certificate.

Today, we are asking you to:

1. Verify the authenticity of this email, either by verifying that it is
   signed by the tails@boum.org mailing or by talking directly to someone
   from the Board.

   The tails@boum.org mailing list has its own OpenPGP key, which is
   signed by the Tails signing key itself:

   https://tails.net/tails-email.key

2. Confirm whether you still have in your possession:

   - Your share of the revocation certificate.

   - The number NNN in the file name of your share.

     The file was named tails-signing-key-revocation-cert.asc.NNN, where
     NNN is a 3 digit number.

For the record, the address of the mailing list that you should write to in
case you want to assemble the revocation certificate is:

    address@example.org

Do not write to this mailing list unless you really want to start the key
revocation process.

We are also copying below a summary of the mechanism.

XXX: Copy the invitation email:
XXX: - Include "You can read a complete description of the distribution mechanism on:"
XXX: - Stop before "So, can we count on you for this?"

Aggiungere un nuovo membro

  1. Invia l'email di invito tal nuovo membro.

  2. Se acconsentono, chiedi a qualcuno dello stesso gruppo di inviargli la loro quota della chiave.

    Sfortunatamente, questo rivela alcune informazioni di appartenenza a queste due persone.

  3. Chiedi al nuovo membro di confermare la ricezione delle loro quote.

Email di condivisione

Inviamo queste email tramite tails@boum.org per evitare il bisogno di una relazione di fiducia personale tra il mittente e il recipiente destinatario. Facendo questo, non inviamo quote dei gruppi B, C, o D tramite tails@boum.org.

Subject: sharing

Hi,

We asked someone else from your group to send you a copy of your share.

Please tell us once you receive it.

The address of the mailing list that you should write to in case you want to
assemble the revocation certificate is:

    address@example.org

Do not write to this mailing list unless you really want to start the key
revocation process.

Thanks, and may the force be with you!