docs/security.md

## Web Content Signing via Service Workers
- Implementation:
  - M-of-n parties deterministically compile web interface bundle and sign it
  - Interface installs service worker mandates all future updates are
    - signed with m-of-n valid keys certified by a pinned CA
    - newer timestamp than current version
- Protections
  - Compromised insider tampering with frontends
  - BGP attacks
  - DNS takeover
  - TLS MITM
- Resources
  - https://developer.mozilla.org/en-US/docs/Web/API/Service_Worker_API/Using_Service_Workers
  - https://arxiv.org/pdf/2105.05551

## Web Request Signing via WebAuthn
- Implementation:
  - Collect WebAuthn public keys for one or more devices for all users
   - External Authenticators: Yubikey, Nitrokey, Ledger, Trezor, Solokey, etc.
   - Platform Authenticators: iOS 13+, Android 7+, Windows Hello, many Chromebooks
  - Certify Webauthn public keys with trusted enclave
  - Webauthn sign all impacting web requests like trades and transfers
  - Private key enclaves validate request signatures before signing trades and transfers
- Protections:
  - Compromised insider tampering with backends
  - TLS MITM
- Resources:
  - https://developers.yubico.com/WebAuthn/Concepts/Using_WebAuthn_for_Signing.html

## Internal Supply chain integrity
- Implementation
  - Collect and certify asymmetric public keys from all engineers
  - Have all engineers locally sign all code commits and reviews
  - Multiple independently managed CI/CD systems are deployed
  - CI/CD systems deterministically build only validly signed commits/reviews
  - CI/CD systems sign resulting artifacts with well known/pinned keys
  - Production systems only deploy artifacts signed by multiple CI/CD systems
- Protections
  - Compromised insider impersonates commit as another engineer
  - Compromised insider injects malicious code, bypassing review controls
  - Compromised CI/CD system tampers with artifact generation 
- Resources:
  - https://github.com/distrust-foundation/sig
  - https://github.com/hashbang/git-signatures
  - https://github.com/hashbang/book/blob/master/content/docs/security/Commit_Signing.md
  - https://blog.dbrgn.ch/2021/11/16/git-ssh-signatures/

## External Supply chain integrity
- Implementation
  - Collect and pin asymmetric pubic keys from all code reviewers
  - Review all third party dependencies used in transfer-critical codebases
  - Have all reviewers sign reviews with certified public keys
  - Publish reviews in well documented format to help crowd-source efforts
  - Have CI/CD fail production builds when un-reviewed deps are present
- Protections
  - Obvious malicious code injected into external software library-
- Resources:
  - https://gist.github.com/lrvick/d4b87c600cc074dfcd00a01ee6275420
  - https://gitlab.com/wiktor/lance-verifier
  - https://github.com/in-toto/attestation/issues/77

## Accountable Airgapped Workflows
- Implementation
  - Multiple parties compile deterministic airgap OS and firmware
  - Multiple parties sign airgap os/firmware artifacts
  - New laptop acquired by multiple parties
  - Trusted firmware loaded, verifying signed hash with existing firmware
  - CA key pinned into firmware, and external TPM verification device
  - Laptop stored in highly tamper evident vault requiring multiple parties for access
  - Laptop  firmware verifies multi-party signature on flash-drive iso and any scripts
  - Participants verify date and ensure it is the latest and expected version
- Protections
 - Tampering by any single compromised insider
 - Tampering by any single compiler or build system
- Resources:
  - https://github.com/distrust-foundation/airgap
  - https://github.com/hashbang/airgap
initial commit 2023-08-04 21:59:58 +00:00			`## Web Content Signing via Service Workers`
			`- Implementation:`
			`- M-of-n parties deterministically compile web interface bundle and sign it`
			`- Interface installs service worker mandates all future updates are`
			`- signed with m-of-n valid keys certified by a pinned CA`
			`- newer timestamp than current version`
			`- Protections`
			`- Compromised insider tampering with frontends`
			`- BGP attacks`
			`- DNS takeover`
			`- TLS MITM`
			`- Resources`
			`- https://developer.mozilla.org/en-US/docs/Web/API/Service_Worker_API/Using_Service_Workers`
			`- https://arxiv.org/pdf/2105.05551`

			`## Web Request Signing via WebAuthn`
			`- Implementation:`
			`- Collect WebAuthn public keys for one or more devices for all users`
			`- External Authenticators: Yubikey, Nitrokey, Ledger, Trezor, Solokey, etc.`
			`- Platform Authenticators: iOS 13+, Android 7+, Windows Hello, many Chromebooks`
			`- Certify Webauthn public keys with trusted enclave`
			`- Webauthn sign all impacting web requests like trades and transfers`
			`- Private key enclaves validate request signatures before signing trades and transfers`
			`- Protections:`
			`- Compromised insider tampering with backends`
			`- TLS MITM`
			`- Resources:`
			`- https://developers.yubico.com/WebAuthn/Concepts/Using_WebAuthn_for_Signing.html`

			`## Internal Supply chain integrity`
			`- Implementation`
			`- Collect and certify asymmetric public keys from all engineers`
			`- Have all engineers locally sign all code commits and reviews`
			`- Multiple independently managed CI/CD systems are deployed`
			`- CI/CD systems deterministically build only validly signed commits/reviews`
			`- CI/CD systems sign resulting artifacts with well known/pinned keys`
			`- Production systems only deploy artifacts signed by multiple CI/CD systems`
			`- Protections`
			`- Compromised insider impersonates commit as another engineer`
			`- Compromised insider injects malicious code, bypassing review controls`
			`- Compromised CI/CD system tampers with artifact generation`
			`- Resources:`
			`- https://github.com/distrust-foundation/sig`
			`- https://github.com/hashbang/git-signatures`
			`- https://github.com/hashbang/book/blob/master/content/docs/security/Commit_Signing.md`
			`- https://blog.dbrgn.ch/2021/11/16/git-ssh-signatures/`

			`## External Supply chain integrity`
			`- Implementation`
			`- Collect and pin asymmetric pubic keys from all code reviewers`
			`- Review all third party dependencies used in transfer-critical codebases`
			`- Have all reviewers sign reviews with certified public keys`
			`- Publish reviews in well documented format to help crowd-source efforts`
			`- Have CI/CD fail production builds when un-reviewed deps are present`
			`- Protections`
			`- Obvious malicious code injected into external software library-`
			`- Resources:`
			`- https://gist.github.com/lrvick/d4b87c600cc074dfcd00a01ee6275420`
			`- https://gitlab.com/wiktor/lance-verifier`
			`- https://github.com/in-toto/attestation/issues/77`

			`## Accountable Airgapped Workflows`
			`- Implementation`
			`- Multiple parties compile deterministic airgap OS and firmware`
			`- Multiple parties sign airgap os/firmware artifacts`
			`- New laptop acquired by multiple parties`
			`- Trusted firmware loaded, verifying signed hash with existing firmware`
			`- CA key pinned into firmware, and external TPM verification device`
			`- Laptop stored in highly tamper evident vault requiring multiple parties for access`
			`- Laptop firmware verifies multi-party signature on flash-drive iso and any scripts`
			`- Participants verify date and ensure it is the latest and expected version`
			`- Protections`
			`- Tampering by any single compromised insider`
			`- Tampering by any single compiler or build system`
			`- Resources:`
			`- https://github.com/distrust-foundation/airgap`
			`- https://github.com/hashbang/airgap`