Gentoo Archives: gentoo-project

From: Rich Freeman <rich0@g.o>
To: gentoo-project <gentoo-project@l.g.o>
Subject: Re: [gentoo-project] [RFC pre-GLEP] Identity verification via OpenPGP WoT
Date: Mon, 04 Mar 2019 20:29:48
Message-Id: CAGfcS_noaYEtqkUGWHhMB2uw3SJhXhBQOPyp5QcNMqbr8X6WJQ@mail.gmail.com
In Reply to: Re: [gentoo-project] [RFC pre-GLEP] Identity verification via OpenPGP WoT by "Michał Górny"
On Mon, Mar 4, 2019 at 2:57 PM Michał Górny <mgorny@g.o> wrote:
>
> On Mon, 2019-03-04 at 14:18 -0500, Rich Freeman wrote:
> > On Mon, Mar 4, 2019 at 2:06 PM Michał Górny <mgorny@g.o> wrote:
> >
> > > Furthermore,
> > > it is recommended that the signer includes the URL of this GLEP
> > > as the certification policy URL (``--cert-policy-url`` in GnuPG),
> > > and appropriately indicates certification level (see
> > > ``--default-cert-level`` in GnuPG).
> >
> > Rather than say "appropriately" why not explicitly indicate which
> > certification level to use? Otherwise the distinction between 2/3 is
> > going to become a point of debate. If you're going to standardize the
> > URL it seems like standardizing the level makes sense (IMO specifying
> > the URL for disambiguation is a great idea).
>
> Well, I believe both 2 and 3 can be valid, depending on how minutely
> you've verified the document. I'd say you'd say 3 if you really
> carefully ensured all three points (including multiple anti-counterfeit
> measures); 2 if you just looked if the document looks reasonable but
> failed to prepare.

You said "The verification must include, to the best of signer's
abilities" which implies that #2 isn't really allowed in this case.

If we want to leave it up to individual discretion I guess it is fine.
Just expect variation. What counts as #3 for one person might be
different from another's judgment. The gpg docs say as much as well.
If you do want some standard applied then maybe be explicit.

> > > 1. Obtain a hardcopy of signee's OpenPGP key fingerprint. The signer
> > > must afterwards use the fingerprint to verify the authenticity
> > > of the key being used.
> >
> > This seems needlessly specific. How about just requiring that they
> > verify the fingerprint of the key to be signed with the person signing
> > it. That could mean being handed a hardcopy, but it could just
> > mean being shown the fingerprint and transcribing it, or comparing it
> > on-screen, etc. Obviously it needs to be communicated via a
> > reasonably tamper-proof mechanism.
> >
> > This just seems to necessitate printing out keys when other methods
> > might be just as secure. Maybe focus more on the what than the how.
>
> Sorry, non-native English speaker here. I thought the intent is clear
> from the sentence, and people are going to be able to figure out that
> the purpose is to have tamper-proof value here.

The word "hardcopy" generally means something printed on paper. A
non-paper-based process would not involve a "hardcopy" of anything.

If the intent was to just convey the need to verify the fingerprint,
then maybe reword to:

1. Obtain the signee's OpenPGP key fingerprint. The signer
must use the fingerprint to verify the authenticity
of the key being used.

I removed "hardcopy" and "afterwards." We don't care what media is
used to transfer the fingerprint if it is secure (this is in-person,
so I think we can leave that detail out). We really don't care about the
order the various steps happen in either - if they want to check the
fingerprint before looking at the photo ID/etc that is fine.

--
Rich
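As an added example (not code from this thread, the GLEP draft, or Gentoo), a POSIX shell sketch of the signer-side step the two messages above circle around: compare the fingerprint the signee handed over (on paper, on-screen or transcribed, the medium does not matter) against what GnuPG reports for the key, and only then certify with the policy URL recorded. The policy URL is a placeholder and certification level 3 is an assumption, since the thread leaves the 2-vs-3 choice open.

```shell
#!/bin/sh
# Added example, not from the thread or the GLEP: the signer-side fingerprint check
# the messages above discuss, followed by a certification that records the policy URL.

# Normalise a fingerprint as handed over by the signee (spaces, colons, lower case
# are all accepted). Prints the canonical form; fails unless it is 40 (v4) or 64 (v5)
# hex digits, so a transcription error shows up as a failure, not a false match.
normalize_fpr() {
  _f=$(printf '%s' "$1" | tr -d ' :\t' | tr 'a-f' 'A-F')
  case "$_f" in
    *[!0-9A-F]*) return 1 ;;
  esac
  case ${#_f} in
    40|64) printf '%s\n' "$_f" ;;
    *) return 1 ;;
  esac
}

# Compare the fingerprint the signee handed over with the one GnuPG reports.
fpr_matches() {
  _a=$(normalize_fpr "$1") || return 1
  _b=$(normalize_fpr "$2") || return 1
  [ "$_a" = "$_b" ]
}

# Ask GnuPG for the primary key fingerprint (field 10 of the "fpr" record
# in --with-colons output) for a key already imported into the keyring.
gpg_primary_fpr() {
  gpg --batch --with-colons --fingerprint "$1" 2>/dev/null \
    | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Certify only after the handed-over fingerprint matches the key in the keyring.
# Assumptions: level 3 (the thread leaves 2 vs 3 open) and a placeholder policy URL.
certify_key() {
  _handed=$1
  _keyid=$2
  _reported=$(gpg_primary_fpr "$_keyid")
  [ -n "$_reported" ] || { echo "key $_keyid not found in keyring" >&2; return 1; }
  fpr_matches "$_handed" "$_reported" \
    || { echo "fingerprint mismatch, refusing to certify" >&2; return 1; }
  gpg --cert-policy-url "https://www.gentoo.org/glep/GLEP-NUMBER-PLACEHOLDER.html" \
      --default-cert-level 3 \
      --sign-key "$_reported"
}

# Usage (interactive, needs gpg and the signee's key imported):
#   certify_key 'ABCD EF01 2345 6789 ABCD EF01 2345 6789 ABCD EF01' ABCDEF01
```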
