Root CA Protection

[dlorenc]

Right now we have one root CA configured in GCP Private CA. We could improve this a bit:

Some high-level suggestions:

Add an intermediary, and keep the root disabled.

The root could then be "enterprise" which comes with auditing.

Have multiple roots, across multiple providers/HSMs.

A majority would be required to sign any new intermediate for it to be trusted.
This is TUF-style and allows us to survive a root compromise.

It requires us to implement our own cert bundle checking logic though, rather than relying on the simple standard ones.

Rotation

We'll need to figure out our root rotation strategy anyway.
This will be also affect how we intend to get our root trusted and known to clients.

[dlorenc]

cc @mnn678

[joshuagl]

ITYM @mnm678

[dlorenc]

ITYM @mnm678

Thanks!

Update, we're working on a plan to distribute and manage a set of hardware keys among community members to sign and protect the root TUF metadata. A quorum will be needed to do anything, and we'll have documented plans for rotation, replacement, destruction, etc. Update soon!

[elinesterov]

I'm happy to help with the design of this with practices Ideas we use internally for our own HSM and root of trust management.

[dlorenc]

Thank you! That would be great. Here's our current working plan: https://docs.google.com/document/d/1dJ5JNyLcuB6Fbl7eV5Rx8xlXdgic2thMFSseq4Y-pRo/edit?resourcekey=0-amsoXrePIvR2244GSTxeOw

(shared with sigstore-dev, feel free to request access though if you're not in it)

[haydentherapper]

An intermediate CA will be added shortly, and we can disable the root.

[haydentherapper]

Going to mark this as fixed.

• We have an intermediate now.
• There's no reason to disable the root. We can restrict CA administration to only admin accounts. An attacker who controls an administrative account could turn the root back on. We will be adding audit logging for access to critical resources too.
• Rotation will be done through the distribution of TUF targets.

[lrvick]

Given the level of trust the community is being asked to place in these keys, can that document be made public so it can be reviewed?

High accountability seems appropriate here.

[haydentherapper]

@lrvick What would be helpful to document? We're working on a doc outlining the public deployment - if you'd like to, take a look and see if that provides what you're looking for or if there's anything else we can clarify.

Also note that all issued certificates are written to a certificate transparency log. Transparency removes trust in a system because all actions are auditable. For web PKI, TLS certificates are written to transparency logs to hold public CAs accountable. In Sigstore's case, all issued code signing certificates are publicly auditable as well.