Gentoo Archives: gentoo-project

From: Rich Freeman <rich0@g.o>
To: gentoo-project <gentoo-project@l.g.o>
Subject: Re: [gentoo-project] pre-GLEP: Gentoo OpenPGP web of trust
Date: Fri, 01 Feb 2019 00:09:27
Message-Id: CAGfcS_mDRRQsA6X=atPFGv9mh+i=5-DOn7qPpXDoevummsicwQ@mail.gmail.com
On Thu, Jan 31, 2019 at 5:49 PM Michael Orlitzky <mjo@g.o> wrote:
> On 1/31/19 4:40 PM, Alec Warner wrote:
> >
> > So we have a website that lists all of our developers and their gpg-fps
> > already. I realize that mgorny will object that this is a 'nonstandard
> > tool' or somesuch, but I think from my POV it's a pretty straightforward
> > tool. Obviously it requires trusting www.gentoo.org
> > <http://www.gentoo.org> and our CA (of which we do not run our own, so
> > it is letsencrypt, IIRC.)
>
> The problem with the PKI is that even if LetsEncrypt is trustworthy,
> everyone else that you trust is not. If you're in whatever theocracy is
> in vogue for murdering its citizens this week, then you want to be sure
> that your government can't forge a certificate for www.gentoo.org (which
> says the "f" word a lot) on-the-fly. Of course, they all can. The list
> of trusted CAs in modern browsers is basically a "who's who" of the
> least trustworthy people on Earth.
These same governments print up the IDs the GLEP proposes that developers verify. Also, while governments like the US/EU might put a ton of security features in those IDs, I suspect that quite a few governments issue IDs with about as many anti-tamper features as a library card. With a WoT the chain is as strong as its weakest link.
> With the web of trust, I am at least trusting someone who is trusting
> someone who is trusting someone who is trusting someone that I've met in
> person.
You use the word "trust," but keep in mind the only thing that last person is verifying is that:

1. The person has an ID with a matching ID (issued by that theocracy that murders its citizens).
2. The person has control over the email address somebody presented to the recruiters. That would be the one that is reached via telecom lines that go through the ISP controlled by that theocracy that murders its citizens.

The person signing off on somebody's key won't be a close personal friend of the applicant. They won't have been their mentor for the last six months. They won't be on the same project, reviewing their commits. They'll be a random developer who just happens to live somewhat near the applicant. The actual mentors/etc would have been in communication solely by email/IRC and will live on the other side of the planet and probably will never actually meet the applicant in person.

Now, perhaps the actual mentor will verify IDs/etc via webcam or something like that, but you're still subject to the vulnerability of the local government all the same, and if the mentor doesn't normally interact via webcam they really won't know if the person on the other end of the line is the person they've been interacting with all along.

If the threat model is state actors seeking to infiltrate Gentoo, then the proposed methods are inadequate. If the threat model is something more likely such as misc vandals/etc, then we can probably relax things further.

-- 
Rich