```
├── github-key-1.png
├── github-key-2.png
├── github-key-3.png
├── github-key-4.png
├── google-key-1.png
├── google-key-2.png
├── google-key-3.png
├── google-key-4.png
├── Q-and-A.md
├── getting-yubikey-token-from-github.md
├── security-rationale.md
├── coupon_sending.md
├── getting-titan-token-from-google.md
├── invitation.txt
├── invitation.md
├── guide
│   └── token-usage-guide.md
├── README.md
└── LICENSE.md
```

/github-key-1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ossf/great-mfa-project/HEAD/github-key-1.png
--------------------------------------------------------------------------------
/github-key-2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ossf/great-mfa-project/HEAD/github-key-2.png
--------------------------------------------------------------------------------
/github-key-3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ossf/great-mfa-project/HEAD/github-key-3.png
--------------------------------------------------------------------------------
/github-key-4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ossf/great-mfa-project/HEAD/github-key-4.png
--------------------------------------------------------------------------------
/google-key-1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ossf/great-mfa-project/HEAD/google-key-1.png
--------------------------------------------------------------------------------
/google-key-2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ossf/great-mfa-project/HEAD/google-key-2.png
--------------------------------------------------------------------------------
/google-key-3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ossf/great-mfa-project/HEAD/google-key-3.png
--------------------------------------------------------------------------------
/google-key-4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ossf/great-mfa-project/HEAD/google-key-4.png
--------------------------------------------------------------------------------
/Q-and-A.md:
--------------------------------------------------------------------------------
# Q-and-A

Here is a non-exhaustive list of questions and answers about the project.

## Q: How do I get an MFA token?
A: The Great MFA Distribution project has identified a list of critical OSS projects we will engage with first.
Details about the project and how to get a token can be found at the project’s [repository](https://github.com/ossf/great-mfa-project).

## Q: How do I install and set up an MFA token?
A: Depending on which token you’ve received, there are instructions and links in the project’s [repository](https://github.com/ossf/great-mfa-project#how-do-i-use-an-mfa-token).

## Q: How do I log in using an MFA token?
A: Depending on which token you’ve received, there are instructions and links in the project’s [repository](https://github.com/ossf/great-mfa-project#how-do-i-use-an-mfa-token).

## Q: How do I sign software code with an MFA token?
A: Depending on which token you’ve received, there are instructions and links in the project’s [repository](https://github.com/ossf/great-mfa-project#how-do-i-use-an-mfa-token).

## Q: Why is the OpenSSF doing this?
A: The security of open source supply chains and infrastructure has grown in importance in recent years.
The OpenSSF feels projects such as the [Great MFA Distribution](https://github.com/ossf/great-mfa-project)
along with other tools and techniques help improve the security and assurance of the integrity of open source software.

## Q: Can I get more than one token for my project?
A: Yes!

## Q: I got my token, but I can’t get it to work. What can I do?
A: Please see our guidance documentation for various cases.

## Q: I set my MFA token up and started using it, but it has subsequently been lost/broken/misplaced/stolen. What should I do?
A: Please see our guidance documentation. As noted there, when you set up your token you should also set up a mechanism to deal with those cases.

--------------------------------------------------------------------------------
/getting-yubikey-token-from-github.md:
--------------------------------------------------------------------------------
# How to get a Yubikey token from GitHub

Here is how to get a Multi-factor Authentication (MFA) Yubikey token from GitHub.
Note that tokens are also called "security keys" or "keys".

It's easy.
First, go to the [OpenSSF & GitHub MFA Enablement Form](https://forms.gle/zYLbdmGsgAFbeZr26) and enter the validation code given to you by OpenSSF.
We'll check your eligibility for this program via this validation code.

A few days later you will receive a coupon code via email from GitHub that will allow you to get
a [GitHub branded Yubikey from their shop](https://thegithubshop.com/products/github-branded-yubikey?_pos=1&_sid=4893867a7&_ss=r)
for free.

One caveat: These tokens are shipped from the US, so they cannot be shipped to countries if it is illegal to do so under US law.
Our apologies; we can’t control US law.
## Get started

### Use validation code to get coupon code

To get an MFA Yubikey token from GitHub, go here:
[OpenSSF & GitHub MFA Enablement Form](https://forms.gle/zYLbdmGsgAFbeZr26)

![Google Forms screenshot](github-key-1.png)

You will need to enter your email address, your GitHub username/handle, and the validation code you were provided.

After you have agreed to participate in this project, within a few days you will receive a coupon code to order your key.

### Use coupon code to "buy" token

You then go to the [GitHub branded Yubikey from their shop](https://thegithubshop.com/products/github-branded-yubikey?_pos=1&_sid=4893867a7&_ss=r) to "buy" the token with the coupon code.

![GitHub shop screenshot](github-key-2.png)

Choose the desired model of key (USB-C or USB-A) and "Add to Cart" to continue.

![GitHub shop model](github-key-3.png)

Next, verify the proper desired token was selected and then "Check-out".

![GitHub shop checkout](github-key-4.png)

Enter the appropriate information (email address, name, address, etc.).
Use the coupon code mailed to you and "Apply" it to your order. This should adjust the price to "$0 USD".

**Important**: Use a shipping address where you have reasonable confidence that the token will not be tampered with at its destination nor tampered with along the way. For most people, a home or business address is fine.
However, if you're concerned about interception, consider using a special address (e.g., of someone else you trust).

Press "Continue to Shipping" to confirm the information is correct and complete your order!
--------------------------------------------------------------------------------
/security-rationale.md:
--------------------------------------------------------------------------------
# Security Rationale

Here we identify potential attacks/issues and our countermeasures.

## Project worries tokens may be subverted by the OpenSSF or someone who subverts the OpenSSF

The OpenSSF does not ever possess any tokens distributed by this project, nor does the OpenSSF send any tokens.
The only thing the OpenSSF distributes are coupon codes / validation codes that can eventually be used on the Google Store / GitHub Shop (respectively) to turn an item that costs money into something that is free.

Recipients can verify (through the URL's domain) that they are on the proper sites, and those sites use HTTPS, which counters interception during the no-cost "purchase".
GitHub token recipients will have to send the validation code to a GitHub site to turn it into a coupon code, but again, all of these protections apply.

The recipients do have to trust that the Google Store and GitHub Shop won't send subverted devices to them or share their personal information (such as addresses) elsewhere.
Both do require personal information; however, this would be true for any shop, and these are reputable shops.

## Project worries personal information may be shared with OpenSSF or someone who subverts the OpenSSF

The OpenSSF never receives the actual names or addresses of the recipients.
The OpenSSF is asking projects to report back summary metrics.
GitHub will learn the GitHub accounts of those who use the validation codes, but GitHub will only share totals back to the OpenSSF.
We think it's reasonable that someone who is willing to create an account on GitHub and use GitHub to manage their code is also willing to trust GitHub.
## Codes get mis-shared and tokens end up being used by others

This isn't desired, but it isn't a big deal if it only happens in a few cases.
If the tokens end up getting used, that means *someone* is being protected by the tokens, and is likely going to encourage others to use such tokens.
Our goal is to quickly get tokens out to critical projects so they can be used.
A perfect system that ensures this never happens, but waits another year, potentially reduces the protection of everyone else.
We believe that getting tokens quickly into people's hands, at the cost of a few tokens perhaps being used by others, is a trade-off worth making.

Our main concern is someone stealing most or all of the tokens.
Only a few coupon codes / validation codes will be given to each project, so no one project will be able to do this.
Only a few trusted code senders will be allowed to have access to the larger set of codes.
In addition, the value of these tokens is typically much less if you can't verify their pedigree (as they would be if all codes were stolen).
Thus, we believe mass theft is something we've reasonably countered and is relatively unlikely.

## Tokens get intercepted and subverted en route

Google and GitHub will use usual delivery methods, so this is the same risk as for anything delivered over mail.
We will tell people to send the tokens to an address they trust.

## Recipients won't use the tokens, or won't use them correctly

We are developing guidance to help users use the tokens correctly.
--------------------------------------------------------------------------------
/coupon_sending.md:
--------------------------------------------------------------------------------
# Coupons for a critical project

## Background

The following draft text is to be sent by a "sender" to a critical project's PRIVATE email address (or similar private channel), once they've agreed to accept the coupon and validation codes.

NOTE: This needs to be fixed; GitHub plans to distribute a form entry that would then give a coupon code.

Improvements welcome!

## Sending coupon and validation code text

Thanks so much for being willing to use these *free* multi-factor authentication (MFA) hardware tokens!

Below are the coupon codes for the Google Titan tokens and/or the validation codes for the GitHub Yubikey tokens.
Please distribute each one to maintainers and contributors to your project and/or any open source software projects that your project depends on.
DO NOT make the codes public; each code can only be used *once*.

The Google coupon codes *must* be used by the end of 2021 (they expire afterwards).
If you decide not to use any coupon codes or validation codes, please tell us as soon as possible so we can give them to someone else.

Those getting the Titan tokens from Google would use the Google Store's page for Titan tokens at .
We have step-by-step instructions for getting a Titan key at .

Those getting the Yubikey tokens from GitHub would first use a Google form to turn the validation code into a coupon code, at .
They would then use the GitHub Shop's Yubikey page at .
We have step-by-step instructions for getting a Yubikey key at .

To qualify, each token recipient must:

1. Be a maintainer or contributor to this critical open source software (OSS) project, or to another OSS project that this project depends on (the dependency may be indirect).
2. Try to use an MFA token to secure their GitHub account once they receive the token. We'd like recipients to use MFA tokens from then on, but at least try.
3. Not reuse the token between different people (the token must not be shared).
4. Consider providing feedback to us (so we can try to fix problems).

We also need each project that receives coupon codes and/or validation codes to tell us these numbers (preferably within 30 days of getting the codes):

1. How many tokens did you distribute from just Google? From just GitHub?
2. How many people received tokens from just Google? From just GitHub? From both?
3. How many people didn’t have hardware tokens they used for OSS who received tokens from just Google? From just GitHub? From both?

The people you sent the coupon and validation codes to should be able to tell you this!
We need this information so we can tell others some simple measures of success.
We don't need the names of any individuals.

Please note that the tokens are shipped from the US, so while they can be shipped internationally, we can't ship somewhere if that is forbidden (sanctioned) under US law as listed on .
So unless rules change we can't ship them to China, Afghanistan, Russia, Ukraine, North Korea, Iran, Sudan, and Syria. Sorry about that.
Google Titan keys are purchased directly from the store and are only available in select regions listed on .
We provide how-tos and other information at the "Great Multi-Factor Authentication (MFA) Distribution Project" site:

--------------------------------------------------------------------------------
/getting-titan-token-from-google.md:
--------------------------------------------------------------------------------
# How to get a Titan token from Google

Here is how to get a Multi-factor Authentication (MFA) Titan token from Google.
Note that tokens are also called "security keys" or "keys".

It's easy. Basically, you go to the [Google Store's Titan key page](https://store.google.com/product/titan_security_key) and buy what you need; if you have a coupon code you can use it to get the token for free.

One caveat: These tokens are shipped from the US, so they cannot be shipped to countries if it is illegal to do so under US law.
Our apologies; we can’t control US law.

## Get started

To get an MFA Titan token from Google, go here:

[https://store.google.com/product/titan_security_key](https://store.google.com/product/titan_security_key)

You’ll need to create an account there if you don’t have one, and you’ll need to log in if you aren’t already.
We’ll skip those steps here (they're similar to systems everywhere) and assume you’re logged in.

Once you have logged into an account, the [Titan security key page on Google Store](https://store.google.com/product/titan_security_key) should look like this:

(screenshot omitted; alt text "drawing")

Now select “Buy”.

## Select a model

After you've selected "Buy" you’ll be shown various models to choose from.
The USB-C/NFC keys weren’t available at the time these screenshots were made, so we could only choose the USB-A/NFC keys.
That's a perfectly reasonable choice anyway: if you have USB-C, you can still use USB-A keys using a simple adapter that you probably have anyway.
Your screen should look something like this:

(screenshot omitted; alt text "drawing")

Choose the model by selecting “Add To Cart” underneath the preferred model.

## Confirm the shopping cart

Once you've added a token to the cart, the store will then show you the shopping cart contents.
Your screen should look something like this:

(screenshot omitted; alt text "drawing")

You don’t have to, but consider adding a “personalized gift message” that others couldn’t guess.
That won't counter an attacker who *intercepts* the mail delivery, but it's a zero-cost countermeasure if an attacker decided to spray subverted tokens to many people.

Select “Check Out”.

## Checkout

You'll now see a checkout form:

(screenshot omitted; alt text "drawing")

Click on “Shipping Address” and fill in your shipping address.

**Important**: Use a shipping address where you have reasonable confidence that the token will not be tampered with at its destination nor tampered with along the way. For most people, a home or business address is fine.
However, if you're concerned about interception, consider using a special address (e.g., of someone else you trust).

If you received a coupon code, click on “Add promo code”, enter the coupon code, and press “Apply”. The total cost should now be $0.
*Note*: coupon codes are single use, and each one gets a single token.

When we tested this, you had to enter payment information (e.g., credit card information) even when you used a coupon code (making the cost $0).
That may be fixed when you read this, but just be aware that this information may be required.
Make sure the checkbox for "Please send me Google Store special offers and newsworthy updates." has the value you prefer.
You are *not* required to accept special offers or updates to get a token.

Once you’re done, select “Confirm purchase”.

## Checkout complete

If the checkout (purchase) fails you may see a “reload page” message.
If that happens, just follow the instructions.

If the checkout (purchase) succeeds, you’ll see a “Thanks, *NAME*” page.
We aren’t showing the page here, because it includes the shipping address.
The page will also show the expected delivery time.

When you receive the token, make sure it includes the “gift” message you set if you set one.

--------------------------------------------------------------------------------
/invitation.txt:
--------------------------------------------------------------------------------
# Invitation for a critical project

## Background

The following draft text is an invitation to a critical project to request MFA tokens.
In most cases these would be created as either (1) an issue on the project's GitHub/GitLab/etc. repo site, or (2) an email to their security contact email address.
Note: If you're sending this as email, send it as *plain* text, because some people may reject HTML emails as likely spam.

Improvements welcome!

## Invitation text

Hi! I work with the Developer Best Practices Working Group of the Linux Foundation's Open Source Security Foundation (OpenSSF) "Great Multi-Factor Authentication (MFA) Distribution Project" .

We'd like to give your project *free* MFA hardware tokens from Google and GitHub, for use by your maintainers.
We'd especially like to give them to any of your maintainers who aren't already using any.
Our goal is to help improve the security of open source software (OSS)/Free Software projects.
For example, these tokens can counter attacks that release source code updates and/or packages using stolen passwords.

By **2021-12-20** and preferably much sooner, please let me know:

1. If you want any tokens, and if so...
2. How many Titan tokens from Google (up to 5)
3. How many Yubikey tokens from GitHub (up to 5)
4. The *private* email address to send codes to (this email must *not* go to the public, as these are use-once codes that can be used to get the tokens)
5. If you could use more, how many more.

We would send you coupon codes and validation codes to the private email address.
You would then distribute those codes to the maintainers you choose.
The recipients would use the coupon codes and validation codes to "buy" the tokens from the Google Store and/or GitHub Shop, who would ship the tokens directly to recipients.
These codes are use-once, so make sure you can keep the codes private until they're used by the intended person.

**Important**: The Google coupon codes **must be used by 2021-12-31** on the Google Store or they expire.

How can you trust us? You don't need to.
You would get the MFA tokens from Google and GitHub; we're simply offering codes to make them no-cost.
We'll provide some documentation on how to use them, but you don't need to use our documents.

To qualify, each token recipient must:

1. Be a maintainer or contributor to this critical open source software (OSS) project, or to another OSS project that this project depends on (the dependency may be indirect).
2. Try to use an MFA token once they receive the token. We'd like recipients to use MFA tokens from then on, but at least try.
3. Not reuse the token between different people (the token must not be shared).
4. Consider providing feedback to us (so we can try to fix problems).

We also need each project that receives coupon codes and/or validation codes to tell us these numbers (preferably within 30 days of getting the codes):

1. How many tokens did you distribute from just Google? From just GitHub?
2. How many people received tokens from just Google? From just GitHub? From both?
3. How many people didn’t have hardware tokens they used for OSS who received tokens from just Google? From just GitHub? From both?

We ask for this information so we can tell others some simple measures of success.
We don't need nor want the names of any individuals participating.
It's fine to ask the people who got the codes for that information and provide a best-effort summary.

The MFA tokens are shipped from the US.
They can be shipped internationally, but there are various limitations on where each can be shipped.

In particular, we can't ship somewhere if that is forbidden (sanctioned) under US law.
So at this time we are unable to ship to individuals in China, Afghanistan, Russia, Ukraine, North Korea, Iran, Sudan, and Syria. Sorry about that.
See the Google and GitHub sites for more shipping information.
More sanction information is available at .

More information, including how-tos and other setup information, can be found at the "Great Multi-Factor Authentication (MFA) Distribution Project" site: .

--------------------------------------------------------------------------------
/invitation.md:
--------------------------------------------------------------------------------
# Invitation for a critical project

## Background

The following draft text is an invitation to a critical project to request MFA tokens.
In most cases these would be created as either (1) an issue on the project's GitHub/GitLab/etc. repo site, or (2) an email to their security contact email address.
Note: If you're sending this as email, send it as *plain* text, because some people may reject HTML emails as likely spam.

Improvements welcome!

## Invitation text

Hi! I work with the [Developer Best Practices Working Group](https://github.com/ossf/wg-best-practices-os-developers) of the Linux Foundation's Open Source Security Foundation (OpenSSF) ["Great Multi-Factor Authentication (MFA) Distribution Project"](https://github.com/ossf/great-mfa-project).

We'd like to give your project *free* MFA hardware tokens from Google and GitHub, for use by your maintainers.
We'd especially like to give them to any of your maintainers who aren't already using any.
Our goal is to help improve the security of open source software (OSS)/Free Software projects.
For example, these tokens can counter attacks that release source code updates and/or packages using stolen passwords.

By **2021-12-20** and preferably much sooner, please let me know:

1. If you want any tokens, and if so...
2. How many Titan tokens from Google (up to 5)
3. How many Yubikey tokens from GitHub (up to 5)
4. The *private* email address to send codes to (this email must *not* go to the public, as these are use-once codes that can be used to get the tokens)
5. If you could use more, how many more.

We would send you coupon codes and validation codes to the private email address.
You would then distribute those codes to the maintainers you choose.
The recipients would use the coupon codes and validation codes to "buy" the tokens from the Google Store and/or GitHub Shop, who would ship the tokens directly to recipients.
These codes are use-once, so make sure you can keep the codes private until they're used by the intended person.
**Important**: The Google coupon codes **must be used by 2021-12-31** on the Google Store or they expire.

How can you trust us? You don't need to.
You would get the MFA tokens from Google and GitHub; we're simply offering codes to make them no-cost.
We'll provide some documentation on how to use them, but you don't need to use our documents.

To qualify, each token recipient must:

1. Be a maintainer or contributor to this critical open source software (OSS) project, or to another OSS project that this project depends on (the dependency may be indirect).
2. Try to use an MFA token once they receive the token. We'd like recipients to use MFA tokens from then on, but at least try.
3. Not reuse the token between different people (the token must not be shared).
4. Consider providing feedback to us (so we can try to fix problems).

We also need each project that receives coupon codes and/or validation codes to tell us these numbers (preferably within 30 days of getting the codes):

1. How many tokens did you distribute from just Google? From just GitHub?
2. How many people received tokens from just Google? From just GitHub? From both?
3. How many people didn’t have hardware tokens they used for OSS who received tokens from just Google? From just GitHub? From both?

We ask for this information so we can tell others some simple measures of success.
We don't need nor want the names of any individuals participating.
It's fine to ask the people who got the codes for that information and provide a best-effort summary.

The MFA tokens are shipped from the US.
They can be shipped internationally, but there are various limitations on where each can be shipped.
In particular, we can't ship somewhere if that is forbidden (sanctioned) under US law.
So at this time we are unable to ship to individuals in China, Afghanistan, Russia, Ukraine, North Korea, Iran, Sudan, and Syria.
Titan Security Keys from the Google Store can currently only be shipped to Austria, Canada, France, Germany, Italy, Japan, Spain, Switzerland, the UK, and the US; even if they are available in your region they may not be in stock at the moment and may not restock in time.
Sorry about that. See the Google and GitHub sites for more shipping information.
[More sanction information is available](https://home.treasury.gov/policy-issues/financial-sanctions/sanctions-programs-and-country-information).

More information, including how-tos and other setup information, can be found at the ["Great Multi-Factor Authentication (MFA) Distribution Project" site](https://github.com/ossf/great-mfa-project).

--------------------------------------------------------------------------------
/guide/token-usage-guide.md:
--------------------------------------------------------------------------------
# Token Usage Guide

This is a guide on how to use multi-factor authentication (MFA) tokens, aka MFA keys.
We focus here on Titan tokens and Yubikey tokens, as those are the kinds of tokens we are distributing to critical open source software (OSS) projects, but most of this information applies to other tokens as well.

This guide was created by the Great MFA Distribution project, part of the OpenSSF.
For an introduction to the project, see the [README](../README.md).

## How to use your MFA token (key)

This documentation provides instructions on how to use an MFA token in common OSS situations.
* [How to protect your GitHub login](#securing-your-github-login)
* [How to protect your GitHub connection](#securing-your-github-connections)
* [How to protect your GitLab login](#securing-your-gitlab-login)
* How to protect your GitLab connections (TBD)
* [How to secure your npm connections](#securing-your-npm-connections)
* [How to protect your PyPI login](#securing-your-pypi-login)
* How to post a release to Python PyPI (TBD)
* How to post a release to JavaScript npm (TBD)
* [How to protect your RubyGems login](#securing-your-rubygems-login)
* [How to secure your SSH connections](#securing-your-ssh-connections)
* [Token unavailable](#token-unavailable)
* [Additional information](#additional-information)

### Token setup

Both the Titan token and Yubikey support the FIDO standard.
FIDO keys generally do not require any special setup on modern systems.
Some of the steps listed below may require newer versions of utilities or libraries; versions will be specified when appropriate.

Most notably, to secure SSH communications with your MFA token you need a version of SSH that supports key types such as `ecdsa-sk` or `ed25519-sk` (the former being supported by older tokens).
You can verify whether you have an adequate version of ssh by doing a simple `ssh-keygen --help` and checking whether such a type is listed along with the `-t` option.
If not, you need to update your ssh installation, and if no update is available for your system, install OpenSSH 8.2 or above.

On macOS, if you use [brew](https://brew.sh/), a simple `brew install openssh` will do that for you.

On Linux, if you use Ubuntu, you can do a `sudo apt update` and `sudo apt install openssh-client`.

You can test your token by visiting the [Yubico demo site](https://demo.yubico.com/webauthn-technical/registration).
It is expected this test will work on any modern operating system and updated web browser.
Even though the test site is hosted by Yubico, any FIDO key can be tested.

Assuming your test worked, please continue with the following instructions.

### Securing your GitHub login

Follow GitHub's instructions to [Protect your GitHub login with a security key](https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication#configuring-two-factor-authentication-using-a-security-key).

### Securing your GitHub connections

You need to generate a new SSH key that uses your MFA token following GitHub's instructions to
[Generate a new SSH key for a hardware security key](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent#generating-a-new-ssh-key-for-a-hardware-security-key)
and to [Add a new SSH key to your GitHub account](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account).

If you already had an SSH key set up to access your GitHub account, you need to remove it from your GitHub account to make sure you are using your new key.

Once this is done, issuing a `git push` command should ask for a confirmation with a message such as:
`Confirm user presence for key ECDSA-SK SHA256:xxx`

For video instructions see [Set up your SSH security key in less than two minutes](https://www.youtube.com/watch?v=EbsmqUJy5ag).
97 | 98 | GitHub has instructions for enabling a security key for logging into the website: 99 | * [Configuring two-factor authentication using a security 100 | key](https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication#configuring-two-factor-authentication-using-a-security-key) 101 | 102 | At this time, tokens that support FIDO cannot be directly used to sign commits on GitHub. Please add an upvote to [this discussion](https://github.com/github/feedback/discussions/7744) to enable this feature. The FIDO token can be used to store your SSH key, which can be used to push and pull repositories from GitHub. Instructions for using your FIDO token with SSH are included below. 103 | 104 | ### GitLab 105 | 106 | GitLab has instructions for configuring a security key for logging into the website: 107 | * [WebAuthn 108 | device](https://docs.gitlab.com/ee/user/profile/account/two_factor_authentication.html#webauthn-device) 109 | 110 | At this time, tokens that support FIDO cannot be directly used to sign commits on GitLab. Please add an upvote to [this discussion](https://gitlab.com/gitlab-org/gitlab/-/issues/343879) to enable this feature. The FIDO token can be used to store your SSH key, which can be used to push and pull repositories from GitLab. Instructions for using your FIDO token with SSH are included below. 111 | 112 | ### Securing your GitLab login 113 | 114 | Follow GitLab's instructions to protect your login using a [U2F device](https://docs.gitlab.com/ee/user/profile/account/two_factor_authentication.html#u2f-device). 115 | 116 | ### Securing your NPM connections 117 | 118 | NPM does not support security keys at this time. To use MFA you must use an authenticator app.
119 | * [Configuring two-factor 120 | authentication](https://docs.npmjs.com/configuring-two-factor-authentication) 121 | 122 | A package can be configured to require MFA when publishing: 123 | * [Requiring 2FA for package publishing and settings modification](https://docs.npmjs.com/requiring-2fa-for-package-publishing-and-settings-modification) 124 | 125 | When the 2FA option is configured, updates can only happen interactively. 126 | * [See the --otp option](https://docs.npmjs.com/cli/v8/commands/npm-publish) 127 | 128 | 129 | ### Securing your PyPI login 130 | 131 | To protect your login to PyPI, follow PyPI's documentation on [How does two factor authentication with a security device (e.g. USB key) work? 132 | How do I set it up on PyPI?](https://pypi.org/help/#utfkey) 133 | 134 | Using a security key with PyPI is only needed to log in to the website. Packages can still be pushed using a username and password or an API token. The PyPI API token documentation can be found [here](https://pypi.org/help/#apitoken). 135 | 136 | ### Securing your RubyGems login 137 | 138 | RubyGems does not support security keys. To use MFA you must use an 139 | authenticator app. 140 | * [SETTING UP MULTIFACTOR 141 | AUTHENTICATION](https://guides.rubygems.org/setting-up-multifactor-authentication/) 142 | 143 | ### Securing your SSH connections 144 | 145 | You can protect your SSH connections with your MFA token. This means 146 | SSH authentication can only happen with the MFA token plugged into the 147 | machine. See the very nice article on [How to use FIDO2 USB 148 | authenticators with 149 | SSH](https://www.stavros.io/posts/u2f-fido2-with-ssh/) for generic 150 | instructions. 151 | 152 | This SSH key can then be used to push and pull from Git repositories 153 | as well as to log in to remote systems. Git version 2.34 and above 154 | supports signing commits with an SSH key; however, GitHub and GitLab do 155 | not support verifying SSH signatures at this time.
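The checks and commands described in the Token setup, Securing your GitHub connections, and Securing your SSH connections sections above, collected into one script. This is an added example and not part of the great-mfa-project guide: the two helper functions are written here so that the `ssh -V` and `ssh-keygen --help` checks can be exercised on their captured output without a token plugged in; the key file name `~/.ssh/id_ed25519-sk` and the key comment are assumptions; and the key-generation and Git signing functions only run when you call them yourself with the token attached.

```shell
#!/bin/sh
# Added example (not from the great-mfa-project guide): check that the local
# OpenSSH can use FIDO "-sk" key types, then show the commands for creating
# and using such a key. The helpers take command output as arguments so the
# checks can be exercised without a token plugged in.

# openssh_version_ok "BANNER": succeed if BANNER (the output of `ssh -V`)
# is OpenSSH 8.2 or newer, the first release with ecdsa-sk/ed25519-sk.
# Returns 2 if the text is not recognised as an OpenSSH banner.
openssh_version_ok() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 2
    major=${ver%% *}
    minor=${ver##* }
    [ "$major" -gt 8 ] || { [ "$major" -eq 8 ] && [ "$minor" -ge 2 ]; }
}

# sk_key_types_in "USAGE": print the FIDO key types (ecdsa-sk, ed25519-sk)
# that the usage text of `ssh-keygen --help` lists after -t, one per line;
# fail if it lists none.
sk_key_types_in() {
    types=$(printf '%s\n' "$1" | tr ' |' '\n\n' |
        grep -x -e 'ecdsa-sk' -e 'ed25519-sk' | sort -u)
    [ -n "$types" ] || return 1
    printf '%s\n' "$types"
}

# create_fido_ssh_key [TYPE]: generate the SSH key on the token (default
# ed25519-sk, which needs a FIDO2 token; older U2F-only tokens need
# ecdsa-sk). File name and comment are assumptions, not from the guide.
# The token must be plugged in and touched when prompted.
create_fido_ssh_key() {
    type=${1:-ed25519-sk}
    ssh-keygen -t "$type" -f "$HOME/.ssh/id_${type}" -C "mfa-token"
    # The public half is what you add to your GitHub or GitLab account.
    cat "$HOME/.ssh/id_${type}.pub"
}

# configure_git_ssh_signing [TYPE]: Git 2.34+ can sign commits with the
# same key; every signed commit then asks you to touch the token.
configure_git_ssh_signing() {
    type=${1:-ed25519-sk}
    git config --global gpg.format ssh
    git config --global user.signingkey "$HOME/.ssh/id_${type}.pub"
    git config --global commit.gpgsign true
}

# Report on the locally installed ssh when run directly (no token needed).
if command -v ssh >/dev/null 2>&1; then
    banner=$(ssh -V 2>&1)              # ssh -V prints its banner on stderr
    if openssh_version_ok "$banner"; then
        echo "ssh OK for FIDO keys: $banner"
    else
        echo "ssh too old or unrecognised, need OpenSSH 8.2+: $banner"
    fi
    if types=$(sk_key_types_in "$(ssh-keygen --help 2>&1)"); then
        echo "ssh-keygen supports: $(printf '%s' "$types" | tr '\n' ' ')"
    else
        echo "ssh-keygen lists no -sk key types"
    fi
else
    echo "ssh not found on PATH"
fi
```

Run the script with no arguments to learn whether the installed OpenSSH is new enough; once it reports an `-sk` type, call `create_fido_ssh_key` with the token attached and paste the printed public key into your forge account. `configure_git_ssh_signing` is optional: it makes every commit require a touch on the token, which is the point of the exercise, but as the section above notes GitHub and GitLab did not verify SSH signatures when the guide was written, so the forge will show those commits as unverified.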
156 | 157 | ### Token unavailable 158 | 159 | Most of the code repository platforms offer recovery methods to regain access 160 | to the account when your token has 161 | become unavailable (e.g., it has been lost, broken, misplaced, or stolen). 162 | For example, the most common default fail-safe mechanism is the 163 | secret one-time-use codes that are automatically generated when you 164 | enrolled your hardware token. When using this mechanism it’s 165 | *extremely* important to 166 | store these secret one-time-use codes in a safe manner. You can achieve this by 167 | printing them out and storing them in a physical vault. 168 | You could also use a secure digital password store, but then you need to 169 | make sure attackers can't access that. 170 | We suggest printing them out twice, storing one near you and another 171 | in a secure location far away from you (so that a fire in a building 172 | won't eliminate access). 173 | 174 | If you don’t like this approach there are often special per-platform options. 175 | For example, with [GitHub you can use your phone number and SMS](https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication-recovery-methods#downloading-your-two-factor-authentication-recovery-codes) 176 | to create a fail-safe mechanism to regain access to your account. 177 | [GitLab offers other fail-safe options](https://about.gitlab.com/blog/2018/08/09/keeping-your-account-safe/) - you can use a backup email address or use the SSH keys connected to the account to generate new secret one-time-use codes. 178 | 179 | ### Additional information 180 | 181 | The [Yubikey Guide](http://github.com/drduh/YubiKey-Guide) is a relatively 182 | exhaustive guide for Yubikeys.
183 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # The Great MFA Distribution Project 2 | 3 | Welcome to the Great MFA Distribution Project 4 | (`great-mfa-project`). 5 | The goal of this project is to: 6 | 7 | 1. Promote the use of multi-factor authentication (MFA) throughout all stages of Open Source Software (OSS) development 8 | 2. Distribute MFA tokens to some developers of critical OSS, and 9 | 3. Provide or point to information to help people *easily* use MFA tokens. 10 | 11 | The OpenSSF is working with Google and GitHub, who have generously offered to provide and distribute MFA tokens. 12 | Thank you! 13 | 14 | MFA tokens, also called keys or fobs, are hardware devices specifically for authentication. 15 | These MFA tokens can be used in many applications in a developer's workflow. They help provide higher degrees 16 | of validation for a developer's identity when logging into code repositories or applications, or performing 17 | critical tasks such as signing code. 18 | Attackers generally find it much harder to take over an account authenticated with an MFA token compared to an account authenticated with only a password; 19 | see [why we are doing this](#why-are-we-doing-this) for more information. 20 | 21 | ## How do I get an MFA token? 22 | 23 | If your open source software (OSS) project has been notified that 24 | you're getting a free token from us, 25 | you'll receive a Google coupon code or a GitHub validation code.
26 | Here are step-by-step instructions: 27 | 28 | * [How to get a Titan token from Google](getting-titan-token-from-google.md) 29 | * [How to get a Yubikey token from GitHub](getting-yubikey-token-from-github.md) 30 | 31 | If you contribute to an OSS project and were not contacted during our first round of 32 | token distribution, please reach out to our [Working Group](mailto:openssf-wg-best-practices+owner@lists.openssf.org) for more information. 33 | 34 | Currently the tokens are shipped from the US. They are shipped 35 | internationally but that is subject to various limitations. See the 36 | [invitation.md](./invitation.md) for more information. 37 | 38 | The OpenSSF cares about privacy and does *not* get detailed lists of 39 | who gets every token; we only get aggregate values (per-project Google tokens 40 | and aggregate totals from GitHub). 41 | 42 | ## How do I use an MFA token? 43 | 44 | For some simple instructions on how to use MFA tokens for common OSS 45 | situations see our [Token Usage Guide](guide/token-usage-guide.md). 46 | 47 | ## How we're doing this 48 | 49 | Here is our basic plan: 50 | * Create a list of about 100 critical open source software (OSS) projects. 51 | [Here is the list of critical OSS projects and who will be notifying them from the Great MFA Distribution Project](https://docs.google.com/spreadsheets/d/1sO_tJ_B7_2I-TUx23pnBoIRJIqaOm8yBnKAwqs7DwBw/edit#gid=0). 52 | For more information, see the section below on 53 | [how this collection of critical OSS projects were selected](#how-were-critical-oss-projects-selected). 54 | * Develop a set of simple documents on how to use these tokens 55 | for common OSS cases. First drafts were done 2021-12-02, but we'll 56 | keep refining them. 57 | * Send an [invitation](./invitation.txt) to each critical OSS project. This will be done by one of the great-mfa-plan notifiers, typically by filing an issue, in 2021-12-02..10. 
The current Great MFA Distribution Project notifiers, with GitHub/GitLab account names and organizational affiliations, are: 58 | - David A. Wheeler (@david-a-wheeler/@david-a-wheeler) (Linux Foundation), 59 | - CRob (@SecurityRob) (Intel), 60 | - Xavier Rene-Corail (@xcorail) (GitHub), 61 | - John Naulty (@jnaulty) (Coinbase), 62 | - Jose Palafox (@josepalafox) (GitHub), 63 | - Marta Rybczynska (Syslinbit), 64 | - Arnaud J Le Hors (@lehors) (IBM), 65 | - Glenn ten Cate (@blabla1337) (OWASP), 66 | - Georg Kunz (@gkunz) (Ericsson), and 67 | - Jory Burson (@jorydotcom) (Linux Foundation). 68 | * If a project accepts, the notifier will tell a sender (David A. Wheeler or Jory Burson) key information: which project has accepted, the email address to send private information to, and how the project accepted. The sender will then send the project the coupon codes and validation codes using the [coupon_sending.md](./coupon_sending.md) template. This is 2021-12-03..31. 69 | * Projects distribute the codes. Receivers use them to get the tokens from 70 | the Google Store or GitHub shop. Then the tokens get used! 71 | * Projects send back some information, which we combine with other data 72 | to determine whether or not we've had a positive effect (hopefully we have!). 73 | 74 | Note: Organizational affiliations are *only* shown to clarify who we mean. 75 | 76 | We've taken some steps to make sure this does *not* turn into 77 | the "world's best supply chain attack". See our 78 | [security rationale](./security-rationale.md). 79 | We also want to ensure this isn't just a "token effort". 80 | You can see the now-obsolete draft document 81 | [*The Great MFA Distribution Plan*](https://docs.google.com/document/d/1Hhg4KcLCzEdd9ZcbdEviN0TIUTLyWDsIdF6B_hY3Xv0/edit) if you want to see more detail. 82 | 83 | 84 | ## Why are we doing this? 85 | 86 | Why do this?
Our goal is to prevent supply chain attacks involving 87 | weak or compromised credentials of developers of open source software. 88 | 89 | Over the last several years Open Source Software has become a critical upstream component 90 | of many aspects of software and applications that are used the world over. Along with this 91 | increase in use has come an increase in the potential for malicious actors to exploit the amazing work OSS 92 | communities develop each day. 93 | 94 | The 95 | ["Backstabber's Knife Collection: A Review of Open Source Software Supply Chain Attack" by Ohm et al](https://arxiv.org/abs/2005.09535) 96 | noted that this is one way to subvert OSS, e.g., 97 | its source code (in a forge) or its package (in a package repository). 98 | Here are examples: 99 | 100 | * coa and rc - ["Malware found in coa and rc, two npm packages with 23M weekly downloads", 2021-11-05](https://therecord.media/malware-found-in-coa-and-rc-two-npm-packages-with-23m-weekly-downloads/) 101 | * UA-Parser-JS library - ["Popular NPM package UA-Parser-JS poisoned with cryptomining, password-stealing malware", Adam Bannister, 2021-10-25](https://portswigger.net/daily-swig/popular-npm-package-ua-parser-js-poisoned-with-cryptomining-password-stealing-malware) 102 | * Homebrew - [Holmes, E.: "How i gained commit access to homebrew in 30 minutes", 2018](https://medium.com/@vesirin/how-i-gained-commit-access-to-homebrew-in-30-minutes-2ae314df03ab) 103 | * Gentoo Linux - [Khandelwal, S. "Password-guessing was used to hack gentoo linux github account", 2017]( https://thehackernews.com/2018/07/github-hacking-gentoo-linux.html) 104 | 105 | MFA tokens don't counter all attacks (such as typosquatting). Also, hardware tokens should not be left unguarded in untrusted spaces, as there are known [side-channel attacks](https://www.zdnet.com/article/new-side-channel-attack-can-recover-encryption-keys-from-google-titan-security-keys/) against hardware tokens.
106 | Still, by using tools such as Multi-factor Authentication, the likelihood that bad actors will be able to violate the integrity of that open source supply chain is greatly reduced. 107 | 108 | This will increase the level of security and protection for your project immensely, but use your common sense. 109 | 110 | ## Why not use an authentication app instead? 111 | 112 | An authentication app (such as Authy) running on a mobile phone 113 | is often stronger against attack than a simple password. So if you're using 114 | one, that's great! 115 | 116 | However, hardware tokens are stronger still against attack. 117 | Authentication apps are easier to "take over" than a hardware token 118 | because the underlying system (the phone/computer hardware and 119 | its operating system) is shared with other apps. 120 | Those other apps may have unintentional vulnerabilities or 121 | embedded malicious code that can be used to 122 | steal the keys underlying the authentication app. 123 | In contrast, hardware tokens 124 | are single-purpose so far fewer attacks work against them. 125 | 126 | ## How were critical OSS projects selected? 127 | 128 | For our purposes, a critical OSS project is an OSS project that can have 129 | an especially large impact if it has a significant unintentional vulnerability, 130 | or if it is subverted in either its source repository or 131 | distribution package(s). 132 | There are literally millions of open source software (OSS) projects today, 133 | making it difficult to create a focused list of "critical OSS projects". 134 | 135 | The list of critical OSS projects was developed for the Great MFA Distribution 136 | Project by the 137 | [OpenSSF Securing Critical Projects Working Group (WG)](https://github.com/ossf/wg-securing-critical-projects). 138 | This OpenSSF working group has been *specifically* working on this problem! 
139 | 140 | There are many ways to identify "critical" projects, so the 141 | Securing Critical Projects WG combined the results of several different 142 | analyses (the analyses are also called "Selection Criteria"). 143 | The WG then used human group review of this combined set of top candidates 144 | to create a final defensible list. The analyses ("selection criteria") for 145 | identifying candidate critical OSS projects included: 146 | 147 | * [OpenSSF Criticality Score](https://github.com/ossf/criticality_score): A top OpenSSF criticality score value. This metric prefers projects that are extremely active on specific forges. Such projects are likely to be important (at least to the participants). However, this is not a perfect measure; some projects will score low here and yet be very critical. Also, it currently only considers GitHub-hosted projects. As of 2021-11-23 the projects with the top scores are node, kubernetes, rust, and spark. 148 | * [Census Program II](https://www.coreinfrastructure.org/programs/census-program-ii/): Harvard preliminary analysis, which uses SCA & dependency data. This tends to emphasize lower-level libraries that are depended on, transitively, by many. 149 | * OSTIF Managed Audit Program: Programs OSTIF has recommended for audit. These were selected earlier from research sources, focusing on securing the most critical projects. You can see the [OSTIF Managed Audit Program (MAP25)](https://docs.google.com/spreadsheets/d/1oytKuD7UCX6nDXWQMr6ZgYYgap_SH_JVBof5gNrgSxo/edit#gid=0) 150 | * [Top Google Project](https://opensource.google/projects/list/featured): Featured on Google Open Source page and widely adopted. 151 | * [Top Microsoft Project](https://opensource.microsoft.com/projects/): Featured on Microsoft Open Source page and widely adopted. 152 | * [Top Linux Foundation Project](https://www.linuxfoundation.org/projects/): Featured on Linux Foundation Project page and related to supply chains.
153 | * Secure Supply Chain Tool: Directly related to supply chain security (identified by WG) 154 | * Survey Response: [Response to public survey](https://forms.gle/19PKPS17zkL5fTFUA) 155 | * Language implementation: Identified by community as a widely-used language implementation 156 | * Community Addition: Separately identified by the community as important. 157 | * Previously subverted: If software has been previously attacked & it made headlines, it must be critical enough to attack. 158 | 159 | Every method for identifying critical OSS projects has its strengths and 160 | weaknesses; we believe the combination of these analyses with human review 161 | is better than trying to rely on any one of them. 162 | For example, a high criticality score tends to emphasize very busy projects; 163 | human review can remove projects that are busy but for whatever reason 164 | are less critical. 165 | Some projects are very important yet not active; by using other measures 166 | (not just the OpenSSF criticality score) we can still identify them. 167 | 168 | We have no doubt that other OSS projects will be added to the 169 | critical OSS projects list over time. If you're interested in helping 170 | to do that, please join the Securing Critical Projects WG. 171 | 172 | [Here is the list of critical OSS projects and who will be notifying them from the Great MFA Distribution Project](https://docs.google.com/spreadsheets/d/1sO_tJ_B7_2I-TUx23pnBoIRJIqaOm8yBnKAwqs7DwBw/edit#gid=0). 173 | Note that this list of projects is the same as the list of 174 | [critical OSS projects identified by the critical projects WG by 2021-12-02](https://docs.google.com/spreadsheets/d/1ONZ4qeMq8xmeCHX03lIgIYE4MEXVfVL6oj05lbuXTDM/edit#gid=0). We're currently using the version as of 175 | 2021-12-02, because the Google coupon codes expire on 2021-12-31. 176 | Even if they didn't expire, though, we think it's wiser to quickly get the tokens 177 | we have available to critical projects.
178 | The sooner the tokens start getting used by developers, the sooner we 179 | counter some attacks on critical projects. 180 | 181 | ## Background information 182 | 183 | Some will refer to these as "two-factor authentication" (2FA) tokens, 184 | however, for various reasons we're using the term "MFA" instead. 185 | 186 | The Great MFA Distribution Project is a project of the Linux Foundation's 187 | [Open Source Security Foundation (OpenSSF)](https://openssf.org/) 188 | within its 189 | [Best Practices Working Group](https://github.com/ossf/wg-best-practices-os-developers). 190 | Discussions are held within that working group's 191 | mailing list and online meetings. 192 | 193 | All documents, including any improvements, are released under the 194 | [Creative Commons Attribution (CC BY) license](https://creativecommons.org/licenses/by/4.0/). 195 | -------------------------------------------------------------------------------- /LICENSE.md: -------------------------------------------------------------------------------- 1 | # Creative Commons Attribution 4.0 International 2 | 3 | Creative Commons Corporation (“Creative Commons”) is not a law firm and does not provide legal services or legal advice. Distribution of Creative Commons public licenses does not create a lawyer-client or other relationship. Creative Commons makes its licenses and related information available on an “as-is” basis. Creative Commons gives no warranties regarding its licenses, any material licensed under their terms and conditions, or any related information. Creative Commons disclaims all liability for damages resulting from their use to the fullest extent possible. 4 | 5 | ### Using Creative Commons Public Licenses 6 | 7 | Creative Commons public licenses provide a standard set of terms and conditions that creators and other rights holders may use to share original works of authorship and other material subject to copyright and certain other rights specified in the public license below. 
The following considerations are for informational purposes only, are not exhaustive, and do not form part of our licenses. 8 | 9 | * __Considerations for licensors:__ Our public licenses are intended for use by those authorized to give the public permission to use material in ways otherwise restricted by copyright and certain other rights. Our licenses are irrevocable. Licensors should read and understand the terms and conditions of the license they choose before applying it. Licensors should also secure all rights necessary before applying our licenses so that the public can reuse the material as expected. Licensors should clearly mark any material not subject to the license. This includes other CC-licensed material, or material used under an exception or limitation to copyright. [More considerations for licensors](http://wiki.creativecommons.org/Considerations_for_licensors_and_licensees#Considerations_for_licensors). 10 | 11 | * __Considerations for the public:__ By using one of our public licenses, a licensor grants the public permission to use the licensed material under specified terms and conditions. If the licensor’s permission is not necessary for any reason–for example, because of any applicable exception or limitation to copyright–then that use is not regulated by the license. Our licenses grant only permissions under copyright and certain other rights that a licensor has authority to grant. Use of the licensed material may still be restricted for other reasons, including because others have copyright or other rights in the material. A licensor may make special requests, such as asking that all changes be marked or described. Although not required by our licenses, you are encouraged to respect those requests where reasonable. [More considerations for the public](http://wiki.creativecommons.org/Considerations_for_licensors_and_licensees#Considerations_for_licensees). 
12 | 13 | ## Creative Commons Attribution 4.0 International Public License 14 | 15 | By exercising the Licensed Rights (defined below), You accept and agree to be bound by the terms and conditions of this Creative Commons Attribution 4.0 International Public License ("Public License"). To the extent this Public License may be interpreted as a contract, You are granted the Licensed Rights in consideration of Your acceptance of these terms and conditions, and the Licensor grants You such rights in consideration of benefits the Licensor receives from making the Licensed Material available under these terms and conditions. 16 | 17 | ### Section 1 – Definitions. 18 | 19 | a. __Adapted Material__ means material subject to Copyright and Similar Rights that is derived from or based upon the Licensed Material and in which the Licensed Material is translated, altered, arranged, transformed, or otherwise modified in a manner requiring permission under the Copyright and Similar Rights held by the Licensor. For purposes of this Public License, where the Licensed Material is a musical work, performance, or sound recording, Adapted Material is always produced where the Licensed Material is synched in timed relation with a moving image. 20 | 21 | b. __Adapter's License__ means the license You apply to Your Copyright and Similar Rights in Your contributions to Adapted Material in accordance with the terms and conditions of this Public License. 22 | 23 | c. __Copyright and Similar Rights__ means copyright and/or similar rights closely related to copyright including, without limitation, performance, broadcast, sound recording, and Sui Generis Database Rights, without regard to how the rights are labeled or categorized. For purposes of this Public License, the rights specified in Section 2(b)(1)-(2) are not Copyright and Similar Rights. 24 | 25 | d. 
__Effective Technological Measures__ means those measures that, in the absence of proper authority, may not be circumvented under laws fulfilling obligations under Article 11 of the WIPO Copyright Treaty adopted on December 20, 1996, and/or similar international agreements. 26 | 27 | e. __Exceptions and Limitations__ means fair use, fair dealing, and/or any other exception or limitation to Copyright and Similar Rights that applies to Your use of the Licensed Material. 28 | 29 | f. __Licensed Material__ means the artistic or literary work, database, or other material to which the Licensor applied this Public License. 30 | 31 | g. __Licensed Rights__ means the rights granted to You subject to the terms and conditions of this Public License, which are limited to all Copyright and Similar Rights that apply to Your use of the Licensed Material and that the Licensor has authority to license. 32 | 33 | h. __Licensor__ means the individual(s) or entity(ies) granting rights under this Public License. 34 | 35 | i. __Share__ means to provide material to the public by any means or process that requires permission under the Licensed Rights, such as reproduction, public display, public performance, distribution, dissemination, communication, or importation, and to make material available to the public including in ways that members of the public may access the material from a place and at a time individually chosen by them. 36 | 37 | j. __Sui Generis Database Rights__ means rights other than copyright resulting from Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the legal protection of databases, as amended and/or succeeded, as well as other essentially equivalent rights anywhere in the world. 38 | 39 | k. __You__ means the individual or entity exercising the Licensed Rights under this Public License. __Your__ has a corresponding meaning. 40 | 41 | ### Section 2 – Scope. 42 | 43 | a. ___License grant.___ 44 | 45 | 1. 
Subject to the terms and conditions of this Public License, the Licensor hereby grants You a worldwide, royalty-free, non-sublicensable, non-exclusive, irrevocable license to exercise the Licensed Rights in the Licensed Material to: 46 | 47 | A. reproduce and Share the Licensed Material, in whole or in part; and 48 | 49 | B. produce, reproduce, and Share Adapted Material. 50 | 51 | 2. __Exceptions and Limitations.__ For the avoidance of doubt, where Exceptions and Limitations apply to Your use, this Public License does not apply, and You do not need to comply with its terms and conditions. 52 | 53 | 3. __Term.__ The term of this Public License is specified in Section 6(a). 54 | 55 | 4. __Media and formats; technical modifications allowed.__ The Licensor authorizes You to exercise the Licensed Rights in all media and formats whether now known or hereafter created, and to make technical modifications necessary to do so. The Licensor waives and/or agrees not to assert any right or authority to forbid You from making technical modifications necessary to exercise the Licensed Rights, including technical modifications necessary to circumvent Effective Technological Measures. For purposes of this Public License, simply making modifications authorized by this Section 2(a)(4) never produces Adapted Material. 56 | 57 | 5. __Downstream recipients.__ 58 | 59 | A. __Offer from the Licensor – Licensed Material.__ Every recipient of the Licensed Material automatically receives an offer from the Licensor to exercise the Licensed Rights under the terms and conditions of this Public License. 60 | 61 | B. __No downstream restrictions.__ You may not offer or impose any additional or different terms or conditions on, or apply any Effective Technological Measures to, the Licensed Material if doing so restricts exercise of the Licensed Rights by any recipient of the Licensed Material. 62 | 63 | 6. 
__No endorsement.__ Nothing in this Public License constitutes or may be construed as permission to assert or imply that You are, or that Your use of the Licensed Material is, connected with, or sponsored, endorsed, or granted official status by, the Licensor or others designated to receive attribution as provided in Section 3(a)(1)(A)(i).

b. ___Other rights.___

1. Moral rights, such as the right of integrity, are not licensed under this Public License, nor are publicity, privacy, and/or other similar personality rights; however, to the extent possible, the Licensor waives and/or agrees not to assert any such rights held by the Licensor to the limited extent necessary to allow You to exercise the Licensed Rights, but not otherwise.

2. Patent and trademark rights are not licensed under this Public License.

3. To the extent possible, the Licensor waives any right to collect royalties from You for the exercise of the Licensed Rights, whether directly or through a collecting society under any voluntary or waivable statutory or compulsory licensing scheme. In all other cases the Licensor expressly reserves any right to collect such royalties.

### Section 3 – License Conditions.

Your exercise of the Licensed Rights is expressly made subject to the following conditions.

a. ___Attribution.___

1. If You Share the Licensed Material (including in modified form), You must:

A. retain the following if it is supplied by the Licensor with the Licensed Material:

i. identification of the creator(s) of the Licensed Material and any others designated to receive attribution, in any reasonable manner requested by the Licensor (including by pseudonym if designated);

ii. a copyright notice;

iii. a notice that refers to this Public License;

iv. a notice that refers to the disclaimer of warranties;

v. a URI or hyperlink to the Licensed Material to the extent reasonably practicable;

B. indicate if You modified the Licensed Material and retain an indication of any previous modifications; and

C. indicate the Licensed Material is licensed under this Public License, and include the text of, or the URI or hyperlink to, this Public License.

2. You may satisfy the conditions in Section 3(a)(1) in any reasonable manner based on the medium, means, and context in which You Share the Licensed Material. For example, it may be reasonable to satisfy the conditions by providing a URI or hyperlink to a resource that includes the required information.

3. If requested by the Licensor, You must remove any of the information required by Section 3(a)(1)(A) to the extent reasonably practicable.

4. If You Share Adapted Material You produce, the Adapter's License You apply must not prevent recipients of the Adapted Material from complying with this Public License.

### Section 4 – Sui Generis Database Rights.

Where the Licensed Rights include Sui Generis Database Rights that apply to Your use of the Licensed Material:

a. for the avoidance of doubt, Section 2(a)(1) grants You the right to extract, reuse, reproduce, and Share all or a substantial portion of the contents of the database;

b. if You include all or a substantial portion of the database contents in a database in which You have Sui Generis Database Rights, then the database in which You have Sui Generis Database Rights (but not its individual contents) is Adapted Material; and

c. You must comply with the conditions in Section 3(a) if You Share all or a substantial portion of the contents of the database.

For the avoidance of doubt, this Section 4 supplements and does not replace Your obligations under this Public License where the Licensed Rights include other Copyright and Similar Rights.

### Section 5 – Disclaimer of Warranties and Limitation of Liability.

a. __Unless otherwise separately undertaken by the Licensor, to the extent possible, the Licensor offers the Licensed Material as-is and as-available, and makes no representations or warranties of any kind concerning the Licensed Material, whether express, implied, statutory, or other. This includes, without limitation, warranties of title, merchantability, fitness for a particular purpose, non-infringement, absence of latent or other defects, accuracy, or the presence or absence of errors, whether or not known or discoverable. Where disclaimers of warranties are not allowed in full or in part, this disclaimer may not apply to You.__

b. __To the extent possible, in no event will the Licensor be liable to You on any legal theory (including, without limitation, negligence) or otherwise for any direct, special, indirect, incidental, consequential, punitive, exemplary, or other losses, costs, expenses, or damages arising out of this Public License or use of the Licensed Material, even if the Licensor has been advised of the possibility of such losses, costs, expenses, or damages. Where a limitation of liability is not allowed in full or in part, this limitation may not apply to You.__

c. The disclaimer of warranties and limitation of liability provided above shall be interpreted in a manner that, to the extent possible, most closely approximates an absolute disclaimer and waiver of all liability.

### Section 6 – Term and Termination.

a. This Public License applies for the term of the Copyright and Similar Rights licensed here. However, if You fail to comply with this Public License, then Your rights under this Public License terminate automatically.

b. Where Your right to use the Licensed Material has terminated under Section 6(a), it reinstates:

1. automatically as of the date the violation is cured, provided it is cured within 30 days of Your discovery of the violation; or

2. upon express reinstatement by the Licensor.

For the avoidance of doubt, this Section 6(b) does not affect any right the Licensor may have to seek remedies for Your violations of this Public License.

c. For the avoidance of doubt, the Licensor may also offer the Licensed Material under separate terms or conditions or stop distributing the Licensed Material at any time; however, doing so will not terminate this Public License.

d. Sections 1, 5, 6, 7, and 8 survive termination of this Public License.

### Section 7 – Other Terms and Conditions.

a. The Licensor shall not be bound by any additional or different terms or conditions communicated by You unless expressly agreed.

b. Any arrangements, understandings, or agreements regarding the Licensed Material not stated herein are separate from and independent of the terms and conditions of this Public License.

### Section 8 – Interpretation.

a. For the avoidance of doubt, this Public License does not, and shall not be interpreted to, reduce, limit, restrict, or impose conditions on any use of the Licensed Material that could lawfully be made without permission under this Public License.

b. To the extent possible, if any provision of this Public License is deemed unenforceable, it shall be automatically reformed to the minimum extent necessary to make it enforceable. If the provision cannot be reformed, it shall be severed from this Public License without affecting the enforceability of the remaining terms and conditions.

c. No term or condition of this Public License will be waived and no failure to comply consented to unless expressly agreed to by the Licensor.

d. Nothing in this Public License constitutes or may be interpreted as a limitation upon, or waiver of, any privileges and immunities that apply to the Licensor or You, including from the legal processes of any jurisdiction or authority.

> Creative Commons is not a party to its public licenses. Notwithstanding, Creative Commons may elect to apply one of its public licenses to material it publishes and in those instances will be considered the “Licensor.” Except for the limited purpose of indicating that material is shared under a Creative Commons public license or as otherwise permitted by the Creative Commons policies published at [creativecommons.org/policies](http://creativecommons.org/policies), Creative Commons does not authorize the use of the trademark “Creative Commons” or any other trademark or logo of Creative Commons without its prior written consent including, without limitation, in connection with any unauthorized modifications to any of its public licenses or any other arrangements, understandings, or agreements concerning use of licensed material. For the avoidance of doubt, this paragraph does not form part of the public licenses.
>
> Creative Commons may be contacted at creativecommons.org
--------------------------------------------------------------------------------