Gentoo Archives: gentoo-project

From: Matthew Thode <prometheanfire@g.o>
To: gentoo-project@l.g.o
Subject: Re: [gentoo-project] pre-GLEP: Gentoo OpenPGP web of trust
Date: Thu, 31 Jan 2019 15:32:39
Message-Id: 20190131153228.w2jb4txsm6d3iabh@gentoo.org
In Reply to: [gentoo-project] pre-GLEP: Gentoo OpenPGP web of trust by "Michał Górny"
On 19-01-31 14:56:48, Michał Górny wrote:
> Motivation
> ==========
>
> While Gentoo has observed the status of the OpenPGP web of trust for many
> years, there has never been a proper push to get all developers covered by it
> or even to formalize the rules of signing one another's keys. Apparently,
> there are still many Gentoo developers who do not have their
> ``@gentoo.org`` UID signed by another active developer. Historically
> there were also cases of developers signing others' UIDs without
> actually verifying their identity. [#WOT-GRAPH]_ [#WOT-STATS]_
>
> The web of trust is usually considered secondary to Gentoo's internal
> trust system based on key fingerprints stored in LDAP and distributed
> via the website. While this system reliably covers all Gentoo
> developers, it has three major drawbacks:
>
> 1. It is entirely customary and therefore requires customized software
> to use. In other words, it's of limited usefulness to people outside
> Gentoo or does not work out of the box there.
s/customary/custom?
>
> 2. At least in the current form, it is entirely limited to Gentoo
> developers. As such, it does not facilitate trust between them
> and the outer world.
>
> 3. It relies on a centralized server whose authenticity is in turn
> proved via PKI. This model is generally considered weak.
>
> Even if this trust system is to stay central to Gentoo's needs,
> it should be beneficial for Gentoo developers to start improving
> the OpenPGP web of trust, both for the purpose of improving Gentoo's
> position in it and for the purpose of enabling better trust coverage
> between Gentoo developers, users and other people.
>
> Furthermore, the recent copyright policy established in GLEP 76
> introduces the necessity of verifying real names of developers. Given
> that the Foundation wishes to avoid requesting document scans or other
> forms of direct verification, the identity verification required
> for UID signing can also serve the needs of verifying the name
> for Certificate of Origin sign-off purposes. [#GLEP76]_
>

I don't see anything in GLEP 76 about requiring verification of the
signatures. It's my view (as trustee) that assertion by the signer
that 'this is my signature' is sufficient. Introducing more
verification should not be needed. That said, I do think switching to a
WoT model has some merit; it's just that the name verification is a
side benefit, not a primary reason for the switch.

> Backwards Compatibility
> =======================
>
> Gentoo does not use any particular web of trust policy at the moment.
> Not all existing signatures conform to the new policy. Therefore,
> approving it is going to require, in some cases:
>
> a. replacing non-conformant user identifiers,
>
> b. revoking non-conformant signatures.
>
> Naturally, those actions can only be carried off by cooperating key
> owners.
>
> The policy specifies transitional periods for developers whose keys are
> not signed by anyone in the community yet.
>

I do wonder about how this part will be enforced.

--
Matthew Thode

Attachments: signature.asc (application/pgp-signature)

Replies:
Re: [gentoo-project] pre-GLEP: Gentoo OpenPGP web of trust, by "Andreas K. Huettel" <dilfridge@g.o>
Re: [gentoo-project] pre-GLEP: Gentoo OpenPGP web of trust, by "Michał Górny" <mgorny@g.o>