1 |
commit: 9f4c0cee7c22a4af2d1b46309d375223ce729a6f |
2 |
Author: Michał Górny <mgorny <AT> gentoo <DOT> org> |
3 |
AuthorDate: Mon Mar 4 18:57:37 2019 +0000 |
4 |
Commit: Michał Górny <mgorny <AT> gentoo <DOT> org> |
5 |
CommitDate: Tue Apr 2 13:42:55 2019 +0000 |
6 |
URL: https://gitweb.gentoo.org/data/glep.git/commit/?id=9f4c0cee |
7 |
|
8 |
glep-0080: Identity verification via OpenPGP WoT |
9 |
|
10 |
Bug: https://bugs.gentoo.org/682294 |
11 |
Signed-off-by: Michał Górny <mgorny <AT> gentoo.org> |
12 |
|
13 |
glep-0080.rst | 291 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ |
14 |
1 file changed, 291 insertions(+) |
15 |
|
16 |
diff --git a/glep-0080.rst b/glep-0080.rst |
17 |
new file mode 100644 |
18 |
index 0000000..8f492aa |
19 |
--- /dev/null |
20 |
+++ b/glep-0080.rst |
21 |
@@ -0,0 +1,291 @@ |
22 |
+--- |
23 |
+GLEP: 80 |
24 |
+Title: Identity verification via OpenPGP WoT |
25 |
+Author: Michał Górny <mgorny@g.o> |
26 |
+Type: Standards Track |
27 |
+Status: Draft |
28 |
+Version: 1 |
29 |
+Created: 2019-03-04 |
30 |
+Last-Modified: 2019-04-02 |
31 |
+Post-History: 2019-03-04 |
32 |
+Content-Type: text/x-rst |
33 |
+Requires: |
34 |
+Replaces: |
35 |
+--- |
36 |
+ |
37 |
+Abstract |
38 |
+======== |
39 |
+This GLEP proposes establishing a non-obligatory, distributed identity |
40 |
+verification procedure that is compatible with OpenPGP web of trust. It |
41 |
+could be used whenever an explicit need for verifying the real name |
42 |
+occurs, enforced on groups of developers with elevated privileges |
43 |
+via a separate policy or serve as guidelines for building web of trust. |
44 |
+Three methods of verifying the identity are proposed: face-to-face, |
45 |
+via webcam or via government-controlled identification services. |
46 |
+ |
47 |
+ |
48 |
+Motivation |
49 |
+========== |
50 |
+GLEP 76 (Copyright Policy) specifies that all commits made to Gentoo |
51 |
+repositories must include a sign-off with a person's real name. |
52 |
+However, it does not specify any particular method of verifying it. |
53 |
+It is a standing policy that it is sufficient for contributor to |
54 |
+acknowledge the legitimacy of the provided name. [#GLEP76]_ |
55 |
+ |
56 |
+At the same time, developers are asked not to accept contributions |
57 |
+if they have justified concerns as to the authenticity of the name |
58 |
+provided. In particular, this could happen if the developer happens |
59 |
+to know the contributor personally, the contributor indicated that he |
60 |
+is using a pseudonym or arbitrarily changed his name under the policy. |
61 |
+In this case, we lack a clear policy allowing the contributor |
62 |
+to reattain trust. |
63 |
+ |
64 |
+Furthermore, enforcing higher standards for identity verification may |
65 |
+make sense for groups having elevated privileges or specific legal |
66 |
+responsibility, e.g. the Infrastructure team or Trustees. |
67 |
+ |
68 |
+If a centralized identity verification model was to be introduced |
69 |
+in Gentoo, it would probably be necessary to perform most |
70 |
+of the verifications remotely. This would require transferring |
71 |
+sensitive personal data to a single entity which is undesirable. |
72 |
+ |
73 |
+On the other hand, a distributed identity verification model is readily |
74 |
+provided by OpenPGP Web of Trust. In this case, verification can be |
75 |
+performed between individual pairs of developers, reducing the amount of |
76 |
+sensitive information at the disposal of a single entity and increasing |
77 |
+the chances of performing the verification face-to-face. |
78 |
+ |
79 |
+ |
80 |
+Specification |
81 |
+============= |
82 |
+Purpose and scope |
83 |
+----------------- |
84 |
+This specification does not enforce identity verification anywhere. |
85 |
+Instead, it aims to provide clear rules for whenever developers |
86 |
+establish such a process is necessary. Identity verification may be |
87 |
+enforced in specific groups of developers separately, via internal |
88 |
+project policies or Council-approved policies. |
89 |
+ |
90 |
+If a identity is verified according to this specification, this fact |
91 |
+should be recorded via signing UIDs matching the verified data |
92 |
+on the person's OpenPGP key. Such signature cryptographically confirms |
93 |
+that the signer has verified that the specific signee's UID provides |
94 |
+legitimate real name and e-mail address of the key owner. Furthermore, |
95 |
+it is recommended that the signer includes the URL of this GLEP |
96 |
+as the certification policy URL (``--cert-policy-url`` in *gpg(1)*), |
97 |
+and appropriately indicates certification level (see |
98 |
+``--default-cert-level`` in *gpg(1)*). |
99 |
+ |
100 |
+The certification level of signatures following this specification must |
101 |
+be either 2 or 3, depending on how minutely the signer verified signee's |
102 |
+identification documents. |
103 |
+ |
104 |
+ |
105 |
+Identity verification |
106 |
+--------------------- |
107 |
+Face-to-face verification |
108 |
+~~~~~~~~~~~~~~~~~~~~~~~~~ |
109 |
+The recommended procedure for identity verification is for the signer |
110 |
+to meet signee face-to-face. The signer must: |
111 |
+ |
112 |
+1. Obtain the signee's OpenPGP key fingerprint, the complete public key |
113 |
+ data or a stronger digest of it over a tamper-resistant channel |
114 |
+ (preferably on paper). The signer must reliably compare this data to |
115 |
+ verify the authenticity of the key being signed. |
116 |
+ |
117 |
+2. Verify the signee's identity using a government-issued identification |
118 |
+ document with a photograph. The verification must include, |
119 |
+ to the best of signer's abilities: |
120 |
+ |
121 |
+ a. Verifying that the counter-forgery features of the verified |
122 |
+ document are present and are correct. |
123 |
+ |
124 |
+ b. Verifying that the signee's face resembles the photograph |
125 |
+ on the document. |
126 |
+ |
127 |
+ c. Verifying that the signee is able to issue a signature similar |
128 |
+ to the one on the document (if present). |
129 |
+ |
130 |
+3. Verify the signee's e-mail address(es), through sending an e-mail |
131 |
+ encrypted using signee's OpenPGP key, containing either randomly |
132 |
+ generated data, or an exported signature for the UID in question. |
133 |
+ Each mail sent must contain unique data. |
134 |
+ |
135 |
+Only once all three factors are positively verified may the particular |
136 |
+UID be signed according to this policy. |
137 |
+ |
138 |
+ |
139 |
+Remote webcam verification |
140 |
+~~~~~~~~~~~~~~~~~~~~~~~~~~ |
141 |
+Alternatively to face-to-face verification, it is acceptable to perform |
142 |
+the verification using high-resolution real-time video stream. In this |
143 |
+case, the signee should perform all the actions necessary for the signer |
144 |
+to be able to verify the identity document in front of the camera. |
145 |
+ |
146 |
+ |
147 |
+Verification via government identity services |
148 |
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
149 |
+Finally, it is acceptable to use one of the identity proof forms that |
150 |
+are considered legally meaningful in a particular country, and guarantee |
151 |
+the signee's identity has been verified by an official. This could |
152 |
+include e.g.: |
153 |
+ |
154 |
+- public notaries, |
155 |
+ |
156 |
+- government identity services (provided that the signer is able to |
157 |
+ obtain a cryptographically secured proof of identity), |
158 |
+ |
159 |
+- bank wire transfers. |
160 |
+ |
161 |
+ |
162 |
+GnuPG command line (informational) |
163 |
+---------------------------------- |
164 |
+In order to create a signature following this specification, |
165 |
+the following command-line arguments can be used:: |
166 |
+ |
167 |
+ gpg --cert-policy-url 'https://www.gentoo.org/glep/glep-9999.rst' \ |
168 |
+ --ask-cert-level --cert-digest-algo SHA512 \ |
169 |
+ --edit-key <key-fingerprint> |
170 |
+ |
171 |
+Alternatively, if those options should bapply to all certifications |
172 |
+made, they can be included in the configuration file |
173 |
+``~/.gnupg/gpg.conf``:: |
174 |
+ |
175 |
+ cert-policy-url https://www.gentoo.org/glep/glep-9999.rst |
176 |
+ ask-cert-level |
177 |
+ cert-digest-algo SHA512 |
178 |
+ |
179 |
+.. TODO: update URL when number is assigned |
180 |
+ |
181 |
+``cert-policy-url`` specifies the policy to which the certification |
182 |
+complies (as recommended above). ``ask-cert-level`` requests GnuPG |
183 |
+to query certification level interactively when signing every key. |
184 |
+``cert-digest-algo`` enables stronger SHA-2 512-bit digests |
185 |
+on certifications. |
186 |
+ |
187 |
+ |
188 |
+Rationale |
189 |
+========= |
190 |
+Non-obligatory nature |
191 |
+--------------------- |
192 |
+The previous WoT proposal made signatures obligatory. This has met with |
193 |
+resistance of developers, including claims that there are individuals |
194 |
+within Gentoo who are unable to get their key signed using any of |
195 |
+the proposed methods and outright rejection of real name verification. |
196 |
+[#WOT-JAN2019]_ |
197 |
+ |
198 |
+Therefore, this proposal avoids making keysigning obligatory for |
199 |
+everyone. However, it does aim to provide official rule set for |
200 |
+keysigning that can be used by developers at their discretion, or |
201 |
+whenever there is a valid need of verifying contributor's identity. |
202 |
+ |
203 |
+The GLEP also makes provisions for enforcing identity verification |
204 |
+separately, as a matter of policy. While it could propose establishing |
205 |
+such a policy for particular projects such as Infra, it makes little |
206 |
+sense to maintain a list of such projects in a GLEP, and update it |
207 |
+whenever it changes. Instead, individual projects can enforce name |
208 |
+verification on their members, or Council can enforce wider policies |
209 |
+if there is an agreement on them. |
210 |
+ |
211 |
+ |
212 |
+Face-to-face verification rules |
213 |
+------------------------------- |
214 |
+The verification rules follow common keysigning practices. Notably, |
215 |
+they are based on assumption that a single signature confirms |
216 |
+the combination of three elements: the signee's primary key, real name |
217 |
+and an e-mail address. |
218 |
+ |
219 |
+Verifying the primary key fingerprint is important to ensure that |
220 |
+the authentic key belonging to the signee is being used. Otherwise, |
221 |
+a malicious third party could create a key with matching UID and signer |
222 |
+could sign it instead of the authentic key. |
223 |
+ |
224 |
+Verifying the real name is the specific purpose of this GLEP, as well |
225 |
+as a standard practice for OpenPGP web of trust. The name should be |
226 |
+verified against documents that are expectedly hard to forge, and that |
227 |
+include photograph that could be used to verify the owner. Since |
228 |
+photograph verification is non-trivial and in some cases documents |
229 |
+contain outdated photos, it is supplemented with signature verification |
230 |
+whenever possible. In any case, this part is considered best effort. |
231 |
+ |
232 |
+Verifying the e-mail address is necessary since OpenPGP does not provide |
233 |
+any proof of address ownership, and arbitrary user identifiers can be |
234 |
+added to a key. Unique data needs to be used in order to verify each |
235 |
+address separately. The data is encrypted to additionally confirm |
236 |
+that the e-mail address' owner actually has access to the key, |
237 |
+and to avoid accidental mistakes. |
238 |
+ |
239 |
+Traditionally, it is considered sufficient to export a signature for |
240 |
+each e-mail address, and send it. Then, the signee can decrypt it, |
241 |
+import and publish the update to his key afterwards without |
242 |
+the necessity of any further action from the signer. Doing this |
243 |
+manually is non-trivial; the caff tool can help. [#CAFF]_ |
244 |
+ |
245 |
+Alternatively, a simple encrypted e-mail exchange with random data |
246 |
+can be used instead. Afterwards, the signer signs all confirmed UIDs |
247 |
+and publishes the signature. This method does not require special |
248 |
+tooling and has the additional advantage of verifying that the signee |
249 |
+can send mail from claimed address. |
250 |
+ |
251 |
+ |
252 |
+Allowing webcam identification |
253 |
+------------------------------ |
254 |
+There are conflicting opinions as to whether remote identity |
255 |
+verification is valid. However, this method can prove helpful whenever |
256 |
+the signee does not live near any developer. |
257 |
+ |
258 |
+The use of live, high-resolution stream aims to both reduce the risk of |
259 |
+forgery and copying signee's identification documents. The ability to |
260 |
+move freely is also necessary to provide at least partial verification |
261 |
+of counter-forgery measures. |
262 |
+ |
263 |
+ |
264 |
+Allowing government identification services |
265 |
+------------------------------------------- |
266 |
+Finally, whenever direct verification is inconvenient, it could be |
267 |
+acceptable to rely on government officials and institutions that are |
268 |
+expected to verify the identity of citizens. The most common case of |
269 |
+this are public notaries who can provide appropriate proofs of identity |
270 |
+for a fee. |
271 |
+ |
272 |
+Besides those, if the signer and signee live in the same country, |
273 |
+additional national verification mechanisms may be used as long |
274 |
+as special care is taken to perform an authenticated exchange. |
275 |
+ |
276 |
+In some cases, randomly-generated data exchange via wire transfer may be |
277 |
+considered sufficient, provided that the signee's bank is known to |
278 |
+verify identity of its customers. |
279 |
+ |
280 |
+ |
281 |
+Backwards Compatibility |
282 |
+======================= |
283 |
+The policy is non-obligatory, and therefore does not affect existing |
284 |
+developers. |
285 |
+ |
286 |
+Existing developer signatures may be incompatible with the policy. |
287 |
+In order to make policy conformance clear, the GLEP recommends including |
288 |
+appropriate policy URL in signatures. |
289 |
+ |
290 |
+ |
291 |
+Reference Implementation |
292 |
+======================== |
293 |
+n/a |
294 |
+ |
295 |
+ |
296 |
+References |
297 |
+========== |
298 |
+.. [#GLEP76] GLEP 76: Copyright Policy |
299 |
+ (https://www.gentoo.org/glep/glep-0076.html) |
300 |
+ |
301 |
+.. [#WOT-JAN2019] [gentoo-project] pre-GLEP: Gentoo OpenPGP web of trust |
302 |
+ (https://archives.gentoo.org/gentoo-project/message/d05ae93cac6fbac0eea07fc597519382) |
303 |
+ |
304 |
+.. [#CAFF] caff - Debian Wiki |
305 |
+ (https://wiki.debian.org/caff) |
306 |
+ |
307 |
+ |
308 |
+Copyright |
309 |
+========= |
310 |
+This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 |
311 |
+Unported License. To view a copy of this license, visit |
312 |
+http://creativecommons.org/licenses/by-sa/3.0/. |