On Mon, 2019-03-04 at 15:29 -0500, Rich Freeman wrote:
> On Mon, Mar 4, 2019 at 2:57 PM Michał Górny <mgorny@g.o> wrote:
> > On Mon, 2019-03-04 at 14:18 -0500, Rich Freeman wrote:
> > > On Mon, Mar 4, 2019 at 2:06 PM Michał Górny <mgorny@g.o> wrote:
> > >
> > > > Furthermore,
> > > > it is recommended that the signer includes the URL of this GLEP
> > > > as the certification policy URL (``--cert-policy-url`` in GnuPG),
> > > > and appropriately indicates certification level (see
> > > > ``--default-cert-level`` in GnuPG).
> > >
> > > Rather than say "appropriately" why not explicitly indicate which
> > > certification level to use? Otherwise the distinction between 2/3 is
> > > going to become a point of debate. If you're going to standardize the
> > > URL it seems like standardizing the level makes sense (IMO specifying
> > > the URL for disambiguation is a great idea).
> >
> > Well, I believe both 2 and 3 can be valid, depending on how minutely
> > you've verified the document. I'd say you'd say 3 if you really
> > carefully ensured all three points (including multiple anti-counterfeit
> > measures); 2 if you just looked if the document looks reasonable but
> > failed to prepare.
>
> You said "The verification must include, to the best of signer's
> abilities" which implies that #2 isn't really allowed in this case.
>
> If we want to leave it up to individual discretion I guess it is fine.
> Just expect variation. What counts as #3 for one person might be
> different from another's judgment. The gpg docs say as much as well.
> If you do want some standard applied then maybe be explicit.
>
> > > > 1. Obtain a hardcopy of signee's OpenPGP key fingerprint. The signer
> > > > must afterwards use the fingerprint to verify the authenticity
> > > > of the key being used.
> > >
> > > This seems needlessly specific. How about just requiring that they
> > > verify the fingerprint of the key to be signed with the person signing
> > > it. That could mean being handed a hardcopy, but it could just
> > > mean being shown the fingerprint and transcribing it, or comparing it
> > > on-screen, etc. Obviously it needs to be communicated via a
> > > reasonably tamper-proof mechanism.
> > >
> > > This just seems to necessitate printing out keys when other methods
> > > might be just as secure. Maybe focus more on the what than the how.
> >
> > Sorry, non-native English speaker here. I thought the intent is clear
> > from the sentence, and people are going to be able to figure out that
> > the purpose is to have tamper-proof value here.
>
> The word "hardcopy" generally means something printed on paper. A
> non-paper-based process would not involve a "hardcopy" of anything.
>
> If the intent was to just convey the need to verify the fingerprint,
> then maybe reword to:
>
> 1. Obtain the signee's OpenPGP key fingerprint. The signer
> must use the fingerprint to verify the authenticity
> of the key being used.
>
> I removed "hardcopy" and "afterwards." We don't care what media is
> used to transfer the fingerprint if it is secure (this is in-person,
> so I think we can leave that detail out). We really don't care about the
> order the various steps happen in either - if they want to check the
> fingerprint before looking at the photo ID/etc that is fine.

Actually, we *do* care that the media is secure. You need to make sure
that you actually get the key from the person you've just met.
Otherwise, someone would soon enough use e-mail or IRC, or any other
channel, making it trivial for a forged key to be substituted.

Anyway, I've attempted to rewrite it and I'll resend it in a few
minutes.

--
Best regards,
Michał Górny
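As an added example, not taken from this thread or from the GLEP itself: a small POSIX shell helper that normalises a fingerprint transcribed in person (paper, screen, whatever secure channel was used), refuses to certify unless it matches the copy in the local keyring, and only then signs with the policy URL and an explicit certification level as discussed above. The policy URL is a placeholder, and the use of `--quick-sign-key` for the non-interactive signing step is this example's choice, not something the thread prescribes.

```shell
#!/bin/sh
# Added example (not from the thread or the GLEP): verify an in-person
# fingerprint against the keyring before certifying the key.
# Assumptions: POSIX sh; GnuPG 2.x on PATH for keyring_fpr/certify_key;
# POLICY_URL is a placeholder for the GLEP's real URL.

POLICY_URL="https://example.invalid/glep-placeholder"   # placeholder

# Normalise a fingerprint as transcribed by a human: drop whitespace,
# strip an optional "0x" prefix, fold hex digits to upper case.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | sed 's/^0[xX]//' | tr 'a-f' 'A-F'
}

# Compare the transcribed fingerprint ($1) with the keyring value ($2).
# Returns 0 only for two identical, well-formed 40-hex-digit (v4) fingerprints.
fingerprint_matches() {
    got=$(normalize_fpr "$1")
    want=$(normalize_fpr "$2")
    case "$got" in
        *[!0-9A-F]*|"") return 1 ;;
    esac
    [ "${#got}" -eq 40 ] && [ "$got" = "$want" ]
}

# Read the primary key fingerprint for key id $1 from the local keyring,
# using GnuPG's machine-readable colon output.
keyring_fpr() {
    gpg --batch --with-colons --fingerprint "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Certify key $1 only if the fingerprint obtained in person ($2) matches
# the keyring copy; $3 is the certification level (2 or 3, default 3).
certify_key() {
    level=${3:-3}
    kr=$(keyring_fpr "$1")
    [ -n "$kr" ] || { echo "key $1 not found in keyring" >&2; return 1; }
    fingerprint_matches "$2" "$kr" \
        || { echo "fingerprint mismatch, refusing to certify $1" >&2; return 1; }
    gpg --batch --cert-policy-url "$POLICY_URL" \
        --default-cert-level "$level" --quick-sign-key "$kr"
}
```

Run it as `certify_key <keyid> "<fingerprint as read from the person>" 3`; a mismatch or an unknown key exits non-zero without touching the keyring.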