On 19-01-31 14:56:48, Michał Górny wrote:
> Motivation
> ==========
>
> While Gentoo observes the status of OpenPGP web of trust for many years,
> there never has been a proper push to get all developers covered by it
> or even formalize the rules of signing one another's keys. Apparently,
> there are still many Gentoo developers who do not have their
> ``@gentoo.org`` UID signed by another active developer. Historically
> there were also cases of developers signing others' UIDs without
> actually verifying their identity. [#WOT-GRAPH]_ [#WOT-STATS]_
>
> The web of trust is usually considered secondary to Gentoo's internal
> trust system based on key fingerprints stored in LDAP and distributed
> via the website. While this system reliably covers all Gentoo
> developers, it has three major drawbacks:
>
> 1. It is entirely customary and therefore requires customized software
> to use. In other words, it's of limited usefulness to people outside
> Gentoo or does not work out of the box there.

s/customary/custom?

>
> 2. At least in the current form, it is entirely limited to Gentoo
> developers. As such, it does not facilitate trust between them
> and the outer world.
>
> 3. It relies on a centralized server whose authenticity is in turn
> proved via PKI. This model is generally considered weak.
>
> Even if this trust system is to stay central to Gentoo's needs,
> it should be beneficial for Gentoo developers to start improving
> the OpenPGP web of trust, both for the purpose of improving Gentoo's
> position in it and for the purpose of enabling better trust coverage
> between Gentoo developers, users and other people.
>
> Furthermore, the recent copyright policy established in GLEP 76
> introduces the necessity of verifying real names of developers. Given
> that the Foundation wishes to avoid requesting document scans or other
> forms of direct verification, the identity verification required
> for UID signing can also serve the needs of verifying the name
> for Certificate of Origin sign-off purposes. [#GLEP76]_
>

I don't see anything in GLEP 76 about requiring verification of the
signatures. It's my view (as trustee) that an assertion by the signer
that 'this is my signature' is sufficient. Introducing more
verification should not be needed. That said, I do think switching to a
WoT model has some merit; it's just that the name verification is a
side benefit, not a primary reason for the switch.

> Backwards Compatibility
> =======================
>
> Gentoo does not use any particular web of trust policy at the moment.
> Not all existing signatures conform to the new policy. Therefore,
> approving it is going to require, in some cases:
>
> a. replacing non-conformant user identifiers,
>
> b. revoking non-conformant signatures.
>
> Naturally, those actions can only be carried out by cooperating key
> owners.
>
> The policy specifies transitional periods for developers whose keys are
> not signed by anyone in the community yet.
>

I do wonder about how this part will be enforced.


-- 
Matthew Thode
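An added example, not part of this thread and not Gentoo's own tooling, of the coverage check the motivation section talks about (UIDs not signed by another active developer) and the enforcement question raised in the reply. It parses the machine-readable output of `gpg --with-colons --list-sigs`, following the record layout documented in GnuPG's doc/DETAILS, and reports `@gentoo.org` UIDs that carry no certification from a key other than their own, optionally counting only certifications from a caller-supplied set of active developer key IDs. Certification revocations (`rev` records) cancel the matching certification, which is what point (b) of the backwards-compatibility section would produce. The keyring listing, key IDs and names below are constructed placeholders.

```python
"""Report @gentoo.org UIDs lacking a third-party certification.

Input is the text of `gpg --with-colons --list-sigs` (GnuPG doc/DETAILS
record layout): field 1 record type, field 5 key ID, field 10 user ID,
field 11 signature class ("13x" = positive certification, "30x" =
certification revocation).  Added example; nothing here is Gentoo code.
"""
from __future__ import annotations

CERT_CLASSES = ("10", "11", "12", "13")  # generic .. positive certification
REVOKE_CLASS = "30"                       # certification revocation

# Constructed sample listing: Alice's @gentoo.org UID is only self-signed;
# Bob's is certified by Alice, and a third key certified it but then revoked.
SAMPLE_COLON_OUTPUT = """\
tru::1:1548000000:0:3:1:5
pub:u:4096:1:0123456789ABCDEF:1500000000:::u:::scESC::::::23::0:
fpr:::::::::ABCDEF0123456789ABCDEF0123456789ABCDEF01:
uid:u::::1500000000::AAAA::Alice Example <alice@gentoo.org>::::::::::0:
sig:::1:0123456789ABCDEF:1500000000::::Alice Example <alice@gentoo.org>:13x:::::2:
uid:u::::1500000000::BBBB::Alice Example <alice@example.net>::::::::::0:
sig:::1:0123456789ABCDEF:1500000000::::Alice Example <alice@example.net>:13x:::::2:
sub:u:4096:1:0000000000000001:1500000000::::::e::::::23:
sig:::1:0123456789ABCDEF:1500000000::::Alice Example <alice@gentoo.org>:18x:::::2:
pub:u:4096:1:FEDCBA9876543210:1500000000:::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1500000000::CCCC::Bob Example <bob@gentoo.org>::::::::::0:
sig:::1:FEDCBA9876543210:1500000000::::Bob Example <bob@gentoo.org>:13x:::::2:
sig:::1:0123456789ABCDEF:1510000000::::Alice Example <alice@gentoo.org>:13x:::::2:
sig:::1:1111222233334444:1510000000::::[User ID not found]:10x:::::2:
rev:::1:1111222233334444:1520000000::::[User ID not found]:30x:::::2:
"""


def parse_certifications(colon_output: str) -> dict[tuple[str, str], set[str]]:
    """Map (primary key ID, user ID) -> set of key IDs that certified that UID.

    Self-certifications are excluded, revocations cancel earlier certifications,
    and signatures on subkeys (binding sigs) are ignored.
    """
    certs: dict[tuple[str, str], set[str]] = {}
    primary: str | None = None
    current: tuple[str, str] | None = None
    for line in colon_output.splitlines():
        fields = line.split(":")
        rtype = fields[0]
        if rtype == "pub":
            primary = fields[4]
            current = None  # sigs directly after pub are key sigs, not UID certs
        elif rtype == "uid" and primary is not None:
            uid = fields[9].replace("\\x3a", ":")  # gpg escapes ':' in UIDs
            current = (primary, uid)
            certs.setdefault(current, set())
        elif rtype in ("sub", "ssb", "uat"):
            current = None
        elif rtype in ("sig", "rev") and current is not None:
            signer = fields[4]
            sig_class = fields[10][:2] if len(fields) > 10 else ""
            if signer == primary:
                continue  # self-certification does not count as coverage
            if rtype == "sig" and sig_class in CERT_CLASSES:
                certs[current].add(signer)
            elif rtype == "rev" and sig_class == REVOKE_CLASS:
                certs[current].discard(signer)
    return certs


def uncovered_gentoo_uids(colon_output: str,
                          active_keyids: set[str] | None = None) -> list[tuple[str, str]]:
    """Return (key ID, UID) pairs for @gentoo.org UIDs with no qualifying certifier.

    If active_keyids is given, only certifications from those keys count, which
    models "signed by another active developer" rather than "signed by anyone".
    """
    uncovered = []
    for (keyid, uid), signers in parse_certifications(colon_output).items():
        if not uid.endswith("@gentoo.org>"):
            continue
        if active_keyids is not None:
            signers = signers & active_keyids
        if not signers:
            uncovered.append((keyid, uid))
    return uncovered


if __name__ == "__main__":
    for keyid, uid in uncovered_gentoo_uids(SAMPLE_COLON_OUTPUT):
        print(f"{keyid}  {uid}  has no third-party certification")
```

The key ID set passed as `active_keyids` would in practice come from the same source the internal system already uses (the LDAP fingerprints), so the script checks the WoT policy against Gentoo's own roster rather than against whatever keys happen to be in the local keyring.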