| 1 |
On Thu, Jan 31, 2019 at 5:49 PM Michael Orlitzky <mjo@g.o> wrote: |
| 2 |
> |
| 3 |
> On 1/31/19 4:40 PM, Alec Warner wrote: |
| 4 |
> > |
| 5 |
> > So we have a website that lists all of our developers and their gpg-fps |
| 6 |
> > already. I realize that mgorny will object that this is a 'nonstandard |
| 7 |
> > tool' or somesuch, but I think from my POV its a pretty straightforward |
| 8 |
> > tool. Obviously it requires trusting www.gentoo.org |
| 9 |
> > <http://www.gentoo.org> and our CA (of which we do not run our own, so |
| 10 |
> > it is letsencrypt, IIRC.) |
| 11 |
> > |
| 12 |
> |
| 13 |
> The problem with the PKI is that even if LetsEncrypt is trustworthy, |
| 14 |
> everyone else that you trust is not. If you're in whatever theocracy is |
| 15 |
> in vogue for murdering its citizens this week, then you want to be sure |
| 16 |
> that your government can't forge a certificate for www.gentoo.org (which |
| 17 |
> says the "f" word a lot) on-the-fly. Of course, they all can. The list |
| 18 |
> of trusted CAs in modern browsers is basically a "who's who" of the |
| 19 |
> least trustworthy people on Earth. |
| 20 |
|
| 21 |
These same governments print up the IDs the GLEP proposes that |
| 22 |
developers verify. |
| 23 |
|
| 24 |
Also, while governments like the US/EU might put a ton of security |
| 25 |
features in those IDs, I suspect that quite a few governments issue |
| 26 |
IDs with about as many anti-tamper features as a library card. With a |
| 27 |
WoT the chain is as strong as its weakest link. |
| 28 |
|
| 29 |
> With the web of trust, I am at least trusting someone who is trusting |
| 30 |
> someone who is trusting someone who is trusting someone that I've met in |
| 31 |
> person. |
| 32 |
|
| 33 |
You use the word "trust," but keep in mind the only thing that last |
| 34 |
person is verifying is that: |
| 35 |
|
| 36 |
1. The person has an ID with a matching ID (issued by that theocracy |
| 37 |
that murders its citizens). |
| 38 |
2. The person has control over the email address somebody presented |
| 39 |
to the recruiters. That would be the one that is reached via telecom |
| 40 |
lines that go through the ISP controlled by that theocracy that |
| 41 |
murders its citizens. |
| 42 |
|
| 43 |
The person signing off on somebody's key won't be a close personal |
| 44 |
friend of the applicant. They won't have been their mentor for the |
| 45 |
last six months. They won't be on the same project, reviewing their |
| 46 |
commits. They'll be a random developer who just happens to live |
| 47 |
somewhat near the applicant. The actual mentors/etc would have been |
| 48 |
in communication solely by email/IRC and will live on the other side |
| 49 |
of the planet and probably will never actually meet the applicant in |
| 50 |
person. |
| 51 |
|
| 52 |
Now, perhaps the actual mentor will verify IDs/etc via webcam or |
| 53 |
something like that, but you're still subject to the vulnerability of |
| 54 |
the local government all the same, and if the mentor doesn't normally |
| 55 |
interact via webcam they really won't know if the person on the other |
| 56 |
end of the line is the person they've been interacting with all along. |
| 57 |
|
| 58 |
If the threat model is state actors seeking to infiltrate Gentoo, then |
| 59 |
the proposed methods are inadequate. If the threat model is something |
| 60 |
more likely such as misc vandals/etc, then we can probably relax |
| 61 |
things further. |
| 62 |
|
| 63 |
-- |
| 64 |
Rich |
Archives