1 |
On 3/4/19 8:06 PM, Michał Górny wrote: |
2 |
> Hi, |
3 |
> |
4 |
> Here's a revival of WoT pre-GLEP. I've followed the earlier |
5 |
> suggestions, and rewritten it from scratch with a different perspective. |
6 |
|
7 |
I promised to come back on the ML with some feedback on this matter, so |
8 |
here we go. |
9 |
|
10 |
Since this is a non-mandatory recommendation I question whether it makes |
11 |
sense as a GLEP to begin with, as it can rather be maintained in some |
12 |
other location by a project, but leaving that aside for now there are |
13 |
some structural issues with the proposed GLEP. |
14 |
|
15 |
The GLEP should outline the governance model for how a policy is set, |
16 |
whom update it and what the goals of such a policy is. One of the more |
17 |
important points for the GLEP would be how to use it, basically a |
18 |
permanent URI to use for a policy URI in accordance with rfc4880 section |
19 |
5.2.3.20. This URI needs to allow for versioning to allow for updating |
20 |
in a reasonable manner. If the policy is the GLEP itself, an update will |
21 |
normally be another GLEP so there is no consistency in the URIs nor an |
22 |
easy blackline of the changes between policies. The first policy can of |
23 |
course be attached to a GLEP, but the policy itself belongs in a |
24 |
revision controlled repository to allow for changes, and updating it can |
25 |
be delegated to a project set up for the purpose, possibly with with an |
26 |
explicit, or likely an implisit, involvement with other projects such as |
27 |
Security. |
28 |
|
29 |
As for the policy itself; Such a policy very similar to requirements for |
30 |
Certification Practice Statement (CPS) for certificate authorities as |
31 |
outlined in the CAB Forum Baseline Requirements ( |
32 |
https://www.cabforum.org ). As an example one can look at letsencrypt's |
33 |
CPS at https://letsencrypt.org/documents/isrg-cps-v2.3/. |
34 |
|
35 |
The specific policy for instance does not specify the significance of |
36 |
the various signing levels found in rfc4880 section 5.2.1. One possible |
37 |
interprentation would for instance be that a 0x13 signature can be used |
38 |
for a signature where the developers have met face to face, but a |
39 |
digital verification is allowed to use a 0x12 signature. Either could be |
40 |
allowed to use the more generic 0x10 signature type. |
41 |
|
42 |
But the initial reaction is that this policy itself does not belong as a |
43 |
GLEP, which should be focused on the structure, and the policy itself is |
44 |
not ready, but a project can work on this if a project is created and |
45 |
the URI is determined and linked to a tag in a git repository or the |
46 |
like. A proposed alternative is |
47 |
https://www.gentoo.org/openpgp-signing-policy/v1/ where v1 is mapping to |
48 |
a git tag for an HTTP 302 c.f rfc2616 |
49 |
|
50 |
|
51 |
-- |
52 |
Kristian Fiskerstrand |
53 |
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net |
54 |
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3 |