tka: refer consistently to "DisablementValues"

This avoids putting "DisablementSecrets" in the JSON output from
`tailscale lock log`, which is potentially scary to somebody who doesn't
understand the distinction.

AUMs are stored and transmitted in CBOR-encoded format, which uses an
integer rather than a string key, so this doesn't break already-created
TKAs.

Fixes #19189

Change-Id: I15b4e81a7cef724a450bafcfa0b938da223c78c9
Signed-off-by: Alex Chan <alexc@tailscale.com>

cmd/tailscale/cli/jsonoutput/network-lock-log.go

@@ -76,8 +76,8 @@ func toLogMessageV1(aum tka.AUM, update ipnstate.NetworkLockUpdate) logMessageV1
 		if h := state.LastAUMHash; h != nil {
 			expandedState.LastAUMHash = h.String()
 		}
-		for _, secret := range state.DisablementSecrets {
-			expandedState.DisablementSecrets = append(expandedState.DisablementSecrets, fmt.Sprintf("%x", secret))
+		for _, secret := range state.DisablementValues {
+			expandedState.DisablementValues = append(expandedState.DisablementValues, fmt.Sprintf("%x", secret))
 		}
 		for _, key := range state.Keys {
 			expandedState.Keys = append(expandedState.Keys, toTKAKeyV1(&key))
@@ -180,9 +180,13 @@ type expandedStateV1 struct {
 	// LastAUMHash is the blake2s digest of the last-applied AUM.
 	LastAUMHash string `json:"LastAUMHash,omitzero"`
 
-	// DisablementSecrets are KDF-derived values which can be used
-	// to turn off the TKA in the event of a consensus-breaking bug.
-	DisablementSecrets []string
+	// DisablementValues are KDF-derived values used to verify that a caller
+	// possesses a valid DisablementSecret. These values are used during the
+	// Tailnet Lock deactivation process.
+	//
+	// These are  safe to share publicly or store in the clear. They cannot be
+	// used to derive the original DisablementSecret.
+	DisablementValues []string
 
 	// Keys are the public keys of either:
 	//

cmd/tailscale/cli/network-lock.go

@@ -672,7 +672,7 @@ func nlDescribeUpdate(update ipnstate.NetworkLockUpdate, color bool) (string, er
 
 	case tka.AUMCheckpoint.String():
 		fmt.Fprintln(&stanza, "Disablement values:")
-		for _, v := range aum.State.DisablementSecrets {
+		for _, v := range aum.State.DisablementValues {
 			fmt.Fprintf(&stanza, " - %x\n", v)
 		}
 		fmt.Fprintln(&stanza, "Keys:")

cmd/tailscale/cli/network-lock_test.go

@@ -54,7 +54,7 @@ func TestNetworkLockLogOutput(t *testing.T) {
 					Meta:   map[string]string{"en": "one", "de": "eins", "es": "uno"},
 				},
 			},
-			DisablementSecrets: [][]byte{
+			DisablementValues: [][]byte{
 				{1, 2, 3},
 				{4, 5, 6},
 				{7, 8, 9},
@@ -125,7 +125,7 @@ KeyID: tlpub:0202
         "MessageKind": "checkpoint",
         "PrevAUMHash": "BKVVXHOVBW7Y7YXYTLVVLMNSYG6DS5GVRVSYZLASNU3AQKA732XQ",
         "State": {
-          "DisablementSecrets": [
+          "DisablementValues": [
             "010203",
             "040506",
             "070809"