On Sun, 2018-08-19 at 22:01 +0000, Robin H. Johnson wrote:
> On Sun, Aug 19, 2018 at 02:42:23PM -0400, Aaron Bauman wrote:
> > Gentoo-bug: https://bugs.gentoo.org/659620
>
> I have some discussion items & questions regarding the details of the
> proposal. The questions are explicitly marked with 'Question:' so that
> they stand out. I have asked questions in both roles I hold: Treasurer
> of the Foundation & lead of the Infrastructure team.
>
> 1. Quantity:
> (this is mostly to answer other people asking on the lists)
> The Foundation has specified 150 units as the quantity for price
> quoting, despite 176 developers being listed as active in LDAP. There
> are multiple factors here:
> - The Foundation did not want to commit to buying more keys than needed
> - This may be an impetus for inactive developers to retire
> - 151 developers have access to repo/gentoo.git
> - 140 unique developers committed to any gentoo.org Git/CVS in the last
>   6 months (123 in the last 3 months).

Also note that some developers have hardware tokens already, or stated that
they will get one themselves once GF selects the type.

> 4. Functionality:
> Infra discussions about a potential single-sign-on system for
> authentication (not commit signing) seems to be converging around OATH &
> U2F systems, or the upcoming FIDO2 standard [expect new keys to be
> available later this year or early next year]. The Nitrokey Pro will
> offer OpenPGP only, while the YubiKey FIPS will offer both OpenPGP &
> U2F.

For the record, I'm not convinced about using a single device for both
purposes. Given that some developers are using OpenPGP to encrypt password
stores, and that we are testing support for 2-step authentication for SSH,
having the same device provide both elements might defeat the purpose of
the exercise.

> 5. Ownership:
> As Treasurer, I would like to point out that this hardware will remain
> the property of the Foundation for 6 years. This is the relevant
> depreciation lifespan permitted by IRS regulations. The shipping cost
> however to return an individual unit will exceed the remaining value
> after 2 years (depending on the purchasing quarter, by the end of the
> second financial year, 43-61% of the unit value will be depreciated).
>
> 5.1 Question (as Treasurer): As part of accepting the motions to purchase,
> the Board must implement written requirements for developers to return
> the keys, at their own cost, if the developer retires within 2.5 years
> of ordering the unit.

As mentioned in the other mail, should we account for financial
reimbursement in case a developer doesn't return / loses the device?
Furthermore, should we permit developers to keep it if they reimburse the
Foundation? I'm not sure how far this is legally feasible.

> (snip parts of quotes)
> > All, this email will serve as a comparison between the two vendors which
> > have provided quotes to the Foundation. This does not include Alice's
> > proposal as U2FZero is currently out of stock in the United States and
> > does not seem to offer any availability in Asia.
>
> 6. Question: Other Vendors
> Are there other vendors we wish to consider or specifically exclude,
> such as Feitan? Not saying we should include them, just cover that
> people are aware of them.

I've asked the same on IRC. I think it might have been a better idea to
first officially announce that we're looking for the hardware with some
basic requirements, and let people reply with suggestions/offers.

> 8. As noted on IRC, please include VAT in the estimation for Yubikey.
> For Nitrokey it's covered in their FAQ:
> https://www.nitrokey.com/documentation/frequently-asked-questions#pricing-and-vat

Is anyone aware if Gentoo eV is capable of getting a VAT return for this?
If that were the case, it might be a better idea to pass it over to them.

--
Best regards,
Michał Górny