On Thu, Jan 31, 2019 at 5:49 PM Michael Orlitzky <mjo@g.o> wrote:
>
> On 1/31/19 4:40 PM, Alec Warner wrote:
> >
> > So we have a website that lists all of our developers and their gpg-fps
> > already. I realize that mgorny will object that this is a 'nonstandard
> > tool' or somesuch, but I think from my POV it's a pretty straightforward
> > tool. Obviously it requires trusting www.gentoo.org and our CA (of which
> > we do not run our own, so it is letsencrypt, IIRC.)
> >
>
> The problem with the PKI is that even if LetsEncrypt is trustworthy,
> everyone else that you trust is not. If you're in whatever theocracy is
> in vogue for murdering its citizens this week, then you want to be sure
> that your government can't forge a certificate for www.gentoo.org (which
> says the "f" word a lot) on-the-fly. Of course, they all can. The list
> of trusted CAs in modern browsers is basically a "who's who" of the
> least trustworthy people on Earth.

These same governments print up the IDs the GLEP proposes that
developers verify.

Also, while governments like the US/EU might put a ton of security
features in those IDs, I suspect that quite a few governments issue
IDs with about as many anti-tamper features as a library card. With a
WoT the chain is as strong as its weakest link.

> With the web of trust, I am at least trusting someone who is trusting
> someone who is trusting someone who is trusting someone that I've met in
> person.

You use the word "trust," but keep in mind the only thing that last
person is verifying is that:

1. The person has an ID with a matching ID (issued by that theocracy
that murders its citizens).
2. The person has control over the email address somebody presented
to the recruiters. That would be the one that is reached via telecom
lines that go through the ISP controlled by that theocracy that
murders its citizens.

The person signing off on somebody's key won't be a close personal
friend of the applicant. They won't have been their mentor for the
last six months. They won't be on the same project, reviewing their
commits. They'll be a random developer who just happens to live
somewhat near the applicant. The actual mentors/etc would have been
in communication solely by email/IRC and will live on the other side
of the planet and probably will never actually meet the applicant in
person.

Now, perhaps the actual mentor will verify IDs/etc via webcam or
something like that, but you're still subject to the vulnerability of
the local government all the same, and if the mentor doesn't normally
interact via webcam they really won't know if the person on the other
end of the line is the person they've been interacting with all along.

If the threat model is state actors seeking to infiltrate Gentoo, then
the proposed methods are inadequate. If the threat model is something
more likely such as misc vandals/etc, then we can probably relax
things further.

--
Rich