| 1 |
On Sun, 2019-02-17 at 06:56 +0000, Robin H. Johnson wrote: |
| 2 |
> On Sat, Feb 16, 2019 at 09:40:21AM +0100, Michał Górny wrote: |
| 3 |
> > Your comments? Anything I've missed? |
| 4 |
> |
| 5 |
> Overall, strong +1 to the idea. |
| 6 |
> |
| 7 |
> Some questions/remarks: |
| 8 |
> 0. I will oppose any intentions to tie this proposal to the GLEP76 or other |
| 9 |
> requirements of disclosing "legal" names. I realize other developers may object |
| 10 |
> to this, but I don't believe that "legal" names in this context actually gain |
| 11 |
> us anything of value. |
| 12 |
|
| 13 |
That's outside the scope. The key will be explicitly described |
| 14 |
as verifying the @gentoo.org account ownership only. |
| 15 |
|
| 16 |
> 1. Where are non-dev users trying to verify developer keys directly at the |
| 17 |
> moment? I thought all prior work discouraged that, in favour of verifying |
| 18 |
> service keys instead. I do see this proposal being of a LOT more use in the |
| 19 |
> infra-run systems that verify incoming commits/pushes. |
| 20 |
|
| 21 |
My main purpose is mail. |
| 22 |
|
| 23 |
> 2. The uid signatures should NOT be naively exported to keyservers. They |
| 24 |
> should use the CAFF method of generating a uid signature, writing it to a file, |
| 25 |
> and sending it as an encrypted message to the uid address. The uid owner is |
| 26 |
> responsible for decrypt + sending to servers. This ensures that the email |
| 27 |
> address and key are still tied together. |
| 28 |
|
| 29 |
That sounds like awful requirement of statefulness with requirement of |
| 30 |
manual manipulation to me, i.e. a can of worms. Do we really need to |
| 31 |
assume that Gentoo developers will be adding keys they can't use to |
| 32 |
LDAP? |
| 33 |
|
| 34 |
> 3. As raised elsewhere on the thread, what delays should be implicit on a new |
| 35 |
> dev joining vs having their key auto-signed? |
| 36 |
|
| 37 |
I don't see any need for delay. As soon as the user can access LDAP |
| 38 |
and add his key, he's proven that he owns the @gentoo.org address |
| 39 |
at the moment. |
| 40 |
|
| 41 |
> 4. uid signatures cannot generally exceed the lifetime of a primary key; the L2 |
| 42 |
> signing service will need to resign regularly. How will this interact with the |
| 43 |
> CAFF design above? |
| 44 |
|
| 45 |
Adds to the 'can of worms'. |
| 46 |
|
| 47 |
> 5. You state that the users should trust the L1 key directly. Can you clarify |
| 48 |
> your intent here to cover the trust? |
| 49 |
> |
| 50 |
> The most obvious interpretation to me is trust signature of of the L2 key, with |
| 51 |
> depth=2 domain=gentoo.org [1]. |
| 52 |
|
| 53 |
Yes, something along the lines of that. |
| 54 |
|
| 55 |
> |
| 56 |
> [1] trust signatures domain restrictions are actually regular |
| 57 |
> expressions; but GnuPG limits the input thereof. Just answering the |
| 58 |
> query: |
| 59 |
> > Please enter a domain to restrict this signature, or enter for none. |
| 60 |
> > Your selection? gentoo.org |
| 61 |
> |
| 62 |
> Actually generates: |
| 63 |
> > :signature packet: algo 22, keyid THROWAWAY |
| 64 |
> > version 4, created 1550385418, md5len 0, sigclass 0x10 |
| 65 |
> > digest algo 8, begin of digest f0 e4 |
| 66 |
> > hashed subpkt 33 len 21 (issuer fpr v4 THROWAWAY) |
| 67 |
> > hashed subpkt 2 len 4 (sig created 2019-02-17) |
| 68 |
> > hashed subpkt 5 len 2 (trust signature of depth 2, value 120) |
| 69 |
> > critical hashed subpkt 6 len 24 (regular expression: "<[^>]+[@.]gentoo\x5c.org>$\0") |
| 70 |
> > subpkt 16 len 8 (issuer key ID THROWAWAY) |
| 71 |
> > data: [255 bits] |
| 72 |
> > data: [256 bits] |
| 73 |
> |
| 74 |
> |
| 75 |
|
| 76 |
-- |
| 77 |
Best regards, |
| 78 |
Michał Górny |
Archives