| 1 |
On 3/4/19 8:06 PM, Michał Górny wrote: |
| 2 |
> Hi, |
| 3 |
> |
| 4 |
> Here's a revival of WoT pre-GLEP. I've followed the earlier |
| 5 |
> suggestions, and rewritten it from scratch with a different perspective. |
| 6 |
|
| 7 |
I promised to come back on the ML with some feedback on this matter, so |
| 8 |
here we go. |
| 9 |
|
| 10 |
Since this is a non-mandatory recommendation I question whether it makes |
| 11 |
sense as a GLEP to begin with, as it can rather be maintained in some |
| 12 |
other location by a project, but leaving that aside for now there are |
| 13 |
some structural issues with the proposed GLEP. |
| 14 |
|
| 15 |
The GLEP should outline the governance model for how a policy is set, |
| 16 |
whom update it and what the goals of such a policy is. One of the more |
| 17 |
important points for the GLEP would be how to use it, basically a |
| 18 |
permanent URI to use for a policy URI in accordance with rfc4880 section |
| 19 |
5.2.3.20. This URI needs to allow for versioning to allow for updating |
| 20 |
in a reasonable manner. If the policy is the GLEP itself, an update will |
| 21 |
normally be another GLEP so there is no consistency in the URIs nor an |
| 22 |
easy blackline of the changes between policies. The first policy can of |
| 23 |
course be attached to a GLEP, but the policy itself belongs in a |
| 24 |
revision controlled repository to allow for changes, and updating it can |
| 25 |
be delegated to a project set up for the purpose, possibly with with an |
| 26 |
explicit, or likely an implisit, involvement with other projects such as |
| 27 |
Security. |
| 28 |
|
| 29 |
As for the policy itself; Such a policy very similar to requirements for |
| 30 |
Certification Practice Statement (CPS) for certificate authorities as |
| 31 |
outlined in the CAB Forum Baseline Requirements ( |
| 32 |
https://www.cabforum.org ). As an example one can look at letsencrypt's |
| 33 |
CPS at https://letsencrypt.org/documents/isrg-cps-v2.3/. |
| 34 |
|
| 35 |
The specific policy for instance does not specify the significance of |
| 36 |
the various signing levels found in rfc4880 section 5.2.1. One possible |
| 37 |
interprentation would for instance be that a 0x13 signature can be used |
| 38 |
for a signature where the developers have met face to face, but a |
| 39 |
digital verification is allowed to use a 0x12 signature. Either could be |
| 40 |
allowed to use the more generic 0x10 signature type. |
| 41 |
|
| 42 |
But the initial reaction is that this policy itself does not belong as a |
| 43 |
GLEP, which should be focused on the structure, and the policy itself is |
| 44 |
not ready, but a project can work on this if a project is created and |
| 45 |
the URI is determined and linked to a tag in a git repository or the |
| 46 |
like. A proposed alternative is |
| 47 |
https://www.gentoo.org/openpgp-signing-policy/v1/ where v1 is mapping to |
| 48 |
a git tag for an HTTP 302 c.f rfc2616 |
| 49 |
|
| 50 |
|
| 51 |
-- |
| 52 |
Kristian Fiskerstrand |
| 53 |
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net |
| 54 |
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3 |
Archives