1 |
On Sun, 2019-02-17 at 06:56 +0000, Robin H. Johnson wrote: |
2 |
> On Sat, Feb 16, 2019 at 09:40:21AM +0100, Michał Górny wrote: |
3 |
> > Your comments? Anything I've missed? |
4 |
> |
5 |
> Overall, strong +1 to the idea. |
6 |
> |
7 |
> Some questions/remarks: |
8 |
> 0. I will oppose any intentions to tie this proposal to the GLEP76 or other |
9 |
> requirements of disclosing "legal" names. I realize other developers may object |
10 |
> to this, but I don't believe that "legal" names in this context actually gain |
11 |
> us anything of value. |
12 |
|
13 |
That's outside the scope. The key will be explicitly described |
14 |
as verifying the @gentoo.org account ownership only. |
15 |
|
16 |
> 1. Where are non-dev users trying to verify developer keys directly at the |
17 |
> moment? I thought all prior work discouraged that, in favour of verifying |
18 |
> service keys instead. I do see this proposal being of a LOT more use in the |
19 |
> infra-run systems that verify incoming commits/pushes. |
20 |
|
21 |
My main purpose is mail. |
22 |
|
23 |
> 2. The uid signatures should NOT be naively exported to keyservers. They |
24 |
> should use the CAFF method of generating a uid signature, writing it to a file, |
25 |
> and sending it as an encrypted message to the uid address. The uid owner is |
26 |
> responsible for decrypt + sending to servers. This ensures that the email |
27 |
> address and key are still tied together. |
28 |
|
29 |
That sounds like awful requirement of statefulness with requirement of |
30 |
manual manipulation to me, i.e. a can of worms. Do we really need to |
31 |
assume that Gentoo developers will be adding keys they can't use to |
32 |
LDAP? |
33 |
|
34 |
> 3. As raised elsewhere on the thread, what delays should be implicit on a new |
35 |
> dev joining vs having their key auto-signed? |
36 |
|
37 |
I don't see any need for delay. As soon as the user can access LDAP |
38 |
and add his key, he's proven that he owns the @gentoo.org address |
39 |
at the moment. |
40 |
|
41 |
> 4. uid signatures cannot generally exceed the lifetime of a primary key; the L2 |
42 |
> signing service will need to resign regularly. How will this interact with the |
43 |
> CAFF design above? |
44 |
|
45 |
Adds to the 'can of worms'. |
46 |
|
47 |
> 5. You state that the users should trust the L1 key directly. Can you clarify |
48 |
> your intent here to cover the trust? |
49 |
> |
50 |
> The most obvious interpretation to me is trust signature of of the L2 key, with |
51 |
> depth=2 domain=gentoo.org [1]. |
52 |
|
53 |
Yes, something along the lines of that. |
54 |
|
55 |
> |
56 |
> [1] trust signatures domain restrictions are actually regular |
57 |
> expressions; but GnuPG limits the input thereof. Just answering the |
58 |
> query: |
59 |
> > Please enter a domain to restrict this signature, or enter for none. |
60 |
> > Your selection? gentoo.org |
61 |
> |
62 |
> Actually generates: |
63 |
> > :signature packet: algo 22, keyid THROWAWAY |
64 |
> > version 4, created 1550385418, md5len 0, sigclass 0x10 |
65 |
> > digest algo 8, begin of digest f0 e4 |
66 |
> > hashed subpkt 33 len 21 (issuer fpr v4 THROWAWAY) |
67 |
> > hashed subpkt 2 len 4 (sig created 2019-02-17) |
68 |
> > hashed subpkt 5 len 2 (trust signature of depth 2, value 120) |
69 |
> > critical hashed subpkt 6 len 24 (regular expression: "<[^>]+[@.]gentoo\x5c.org>$\0") |
70 |
> > subpkt 16 len 8 (issuer key ID THROWAWAY) |
71 |
> > data: [255 bits] |
72 |
> > data: [256 bits] |
73 |
> |
74 |
> |
75 |
|
76 |
-- |
77 |
Best regards, |
78 |
Michał Górny |