public inbox for gentoo-nfp@lists.gentoo.org
* [gentoo-nfp] PGP fingerprints of Foundation members (item for Trustees meeting)
From: Ulrich Mueller @ 2017-08-03 11:13 UTC
  To: gentoo-nfp; +Cc: trustees


As discussed with prometheanfire in #gentoo-trustees, I am suggesting
the following as an item for the (September?) Trustees meeting.

Apparently, the Foundation only has a list of PGP key IDs in
https://wiki.gentoo.org/wiki/Foundation:Member_List. Even worse, most
IDs listed there are only 32 bit IDs, providing no security at all.

I would like to ask the Foundation to keep a list with the (160 bit)
PGP fingerprints of its members. (For developers, this information
should be readily available in LDAP.)

Ulrich



* [gentoo-nfp] Re: PGP fingerprints of Foundation members (item for Trustees meeting)
From: Roy Bamford @ 2017-08-03 18:23 UTC
  To: Matthew Thode; +Cc: Ulrich Mueller, gentoo-nfp, trustees


On 2017.08.03 12:16, Matthew Thode wrote:
> To be clear, a list of full key IDs with verification (some sort of
> video chat maybe) of the fingerprint.  Said fingerprint would be
> recorded in git (signed commits and pushes to verify trust of the
> fingerprints).
> 
> On August 3, 2017 6:13:13 AM CDT, Ulrich Mueller <ulm@gentoo.org>
> wrote:
> >As discussed with prometheanfire in #gentoo-trustees, I am suggesting
> >the following as an item for the (September?) Trustees meeting.
> >
> >Apparently, the Foundation only has a list of PGP key IDs in
> >https://wiki.gentoo.org/wiki/Foundation:Member_List. Even worse, most
> >IDs listed there are only 32 bit IDs, providing no security at all.
> >
> >I would like to ask the Foundation to keep a list with the (160 bit)
> >PGP fingerprints of its members. (For developers, this information
> >should be readily available in LDAP.)
> >
> >Ulrich
> 
> -- 
> Sent from Kaiten Mail. Please excuse my brevity.


What do we need to prove?

That the key belongs to a given individual, or just that the key on the vote
is the same as the key used for the membership application?

The former involves a web of trust of some sort and we don't do that for devs
joining the distro.

I suggest that the latter is sufficient but the web of trust would be nice to have.

Agreed that the 32 bit key IDs need to be improved.
-- 
Regards,

Roy Bamford
(Neddyseagoon) a member of
elections
gentoo-ops
forum-mods



* Re: [gentoo-nfp] Re: PGP fingerprints of Foundation members (item for Trustees meeting)
From: Sam Jorna @ 2017-08-03 23:19 UTC
  To: gentoo-nfp


On Thu, Aug 03, 2017 at 07:23:11PM +0100, Roy Bamford wrote:
> What do we need to prove?
> 
> That the key belongs to a given individual, or just that the key on the vote
> is the same as the key used for the membership application?
> 
> The former involves a web of trust of some sort and we don't do that for devs
> joining the distro.
> 
> I suggest that the latter is sufficient but the web of trust would be nice to have.

A web of trust would be nice to establish, but would be difficult
particularly with developers in regions that few other developers are
from (such as myself in Australia - there's only a couple of others in
the country). Video could possibly be used, but I believe there's some
argument over the viability of video "handshaking".

-- 
Sam Jorna (wraeth)
GnuPG Key: D6180C26



* Re: [gentoo-nfp] PGP fingerprints of Foundation members (item for Trustees meeting)
From: M. J. Everitt @ 2017-08-03 23:29 UTC
  To: gentoo-nfp



On 03/08/17 12:13, Ulrich Mueller wrote:
> I would like to ask the Foundation to keep a list with the (160 bit)
> PGP fingerprints of its members. (For developers, this information
> should be readily available in LDAP.)
>
> Ulrich
Imho, the LDAP server in Gentoo is chronically underused .. perhaps
because LDAP is poorly understood, or poorly maintained ...




* Re: [gentoo-nfp] Re: PGP fingerprints of Foundation members (item for Trustees meeting)
From: Andreas K. Huettel @ 2017-08-04  3:51 UTC
  To: gentoo-nfp

> > >Apparently, the Foundation only has a list of PGP key IDs in
> > >https://wiki.gentoo.org/wiki/Foundation:Member_List. Even worse, most
> > >IDs listed there are only 32 bit IDs, providing no security at all.
> > >
> > >I would like to ask the Foundation to keep a list with the (160 bit)
> > >PGP fingerprints of its members. (For developers, this information
> > >should be readily available in LDAP.)
> > >
> > >Ulrich
> 
> What do we need to prove?
> 
> That the key belongs to a given individual, or just that the key on the
> vote is the same as the key used for the membership application?
> 

That the key on the vote is the same as the key used for the membership 
application.

This is impossible without the full fingerprint. 
And with only the short keyid it's trivial to hack.

-- 
Andreas K. Hüttel
dilfridge@gentoo.org
Gentoo Linux developer (council, perl, libreoffice)



* Re: [gentoo-nfp] Re: PGP fingerprints of Foundation members (item for Trustees meeting)
From: Matthew Thode @ 2017-08-04  4:09 UTC
  To: gentoo-nfp


On 17-08-04 05:51:38, Andreas K. Huettel wrote:
> > > >Apparently, the Foundation only has a list of PGP key IDs in
> > > >https://wiki.gentoo.org/wiki/Foundation:Member_List. Even worse, most
> > > >IDs listed there are only 32 bit IDs, providing no security at all.
> > > >
> > > >I would like to ask the Foundation to keep a list with the (160 bit)
> > > >PGP fingerprints of its members. (For developers, this information
> > > >should be readily available in LDAP.)
> > > >
> > > >Ulrich
> > 
> > What do we need to prove?
> > 
> > That the key belongs to a given individual, or just that the key on the
> > vote is the same as the key used for the membership application?
> > 
> 
> That the key on the vote is the same as the key used for the membership 
> application.
> 
> This is impossible without the full fingerprint. 
> And with only the short keyid it's trivial to hack.
> 
> -- 
> Andreas K. Hüttel
> dilfridge@gentoo.org
> Gentoo Linux developer (council, perl, libreoffice)
> 

I think we should just record the full key id, would we still need to
also have the fingerprint in that case?

-- 
Matthew Thode (prometheanfire)



* Re: [gentoo-nfp] Re: PGP fingerprints of Foundation members (item for Trustees meeting)
From: Doug Freed @ 2017-08-04  4:14 UTC
  To: gentoo-nfp

On Fri, Aug 4, 2017 at 12:09 AM, Matthew Thode
<prometheanfire@gentoo.org> wrote:
> On 17-08-04 05:51:38, Andreas K. Huettel wrote:
>> > > >Apparently, the Foundation only has a list of PGP key IDs in
>> > > >https://wiki.gentoo.org/wiki/Foundation:Member_List. Even worse, most
>> > > >IDs listed there are only 32 bit IDs, providing no security at all.
>> > > >
>> > > >I would like to ask the Foundation to keep a list with the (160 bit)
>> > > >PGP fingerprints of its members. (For developers, this information
>> > > >should be readily available in LDAP.)
>> > > >
>> > > >Ulrich
>> >
>> > What do we need to prove?
>> >
>> > That the key belongs to a given individual, or just that the key on the
>> > vote is the same as the key used for the membership application?
>> >
>>
>> That the key on the vote is the same as the key used for the membership
>> application.
>>
>> This is impossible without the full fingerprint.
>> And with only the short keyid it's trivial to hack.
>>
>> --
>> Andreas K. Hüttel
>> dilfridge@gentoo.org
>> Gentoo Linux developer (council, perl, libreoffice)
>>
>
> I think we should just record the full key id, would we still need to
> also have the fingerprint in that case?
>
> --
> Matthew Thode (prometheanfire)

64 bit key IDs can still be duplicated.  It's not as easy, but it is
doable.  K_F has a nice blog post on why you really should be checking the
full fingerprint:
https://blog.sumptuouscapital.com/2016/08/openpgp-duplicate-keyids-short-vs-long/

-Doug
dwfreed


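As an added illustration of the point made above (example code, not from the thread or from Gentoo): an OpenPGP v4 short key ID is just the low 32 bits of the 160-bit fingerprint and the long ID the low 64 bits, so a member list that records only a key ID can match a different key. The fingerprint and short ID used are the ones Daniel Campbell signs with later in this thread; the "lookalike" fingerprint is a constructed value, not a real key.

```python
import re

# OpenPGP v4 key IDs are simply the trailing bits of the 160-bit fingerprint:
# short ID = low 32 bits (8 hex digits), long ID = low 64 bits (16 hex digits).
# Fingerprint and short ID as given in Daniel Campbell's signature in this thread.
DANIEL_FPR = "AE03 9064 AE00 053C 270C  1DE4 6F7A 9091 1EA0 55D6"
DANIEL_SHORT_ID = "0x1EA055D6"

# Constructed value, not a real key: it shares only its last 32 bits with
# DANIEL_FPR, so it has the same short key ID but is a different key.
LOOKALIKE_FPR = "0000 1111 2222 3333 4444  5555 6666 7777 1EA0 55D6"

_HEX = re.compile(r"[0-9A-F]+")


def canonical(value: str) -> str:
    """Uppercase hex with whitespace and an optional 0x prefix stripped."""
    s = re.sub(r"\s+", "", value).upper()
    if s.startswith("0X"):
        s = s[2:]
    if not _HEX.fullmatch(s):
        raise ValueError(f"not hexadecimal: {value!r}")
    return s


def classify(value: str) -> str:
    """What kind of identifier a member-list cell actually holds."""
    n = len(canonical(value))
    return {8: "short-id-32", 16: "long-id-64", 40: "fingerprint-160"}.get(n, "unknown")


def key_ids(fingerprint: str) -> tuple:
    """Derive (long_id, short_id) from a full v4 fingerprint."""
    fpr = canonical(fingerprint)
    if len(fpr) != 40:
        raise ValueError("key IDs can only be derived from a 160-bit fingerprint")
    return fpr[-16:], fpr[-8:]


def matches(recorded: str, presented_fpr: str) -> bool:
    """Does the fingerprint presented (e.g. on a signed vote) match what the
    member list records? If only a short or long ID was recorded, nothing but
    the trailing bits can be compared, which is the weakness the thread is about."""
    kind = classify(recorded)
    rec, fpr = canonical(recorded), canonical(presented_fpr)
    if len(fpr) != 40:
        raise ValueError("a full fingerprint must be presented for comparison")
    if kind == "fingerprint-160":
        return rec == fpr
    if kind in ("short-id-32", "long-id-64"):
        return fpr.endswith(rec)
    raise ValueError(f"unrecognised identifier: {recorded!r}")


def audit(member_list: dict) -> dict:
    """Members whose recorded identifier is anything weaker than a full fingerprint."""
    return {m: classify(v) for m, v in member_list.items()
            if classify(v) != "fingerprint-160"}
```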

* Re: [gentoo-nfp] Re: PGP fingerprints of Foundation members (item for Trustees meeting)
From: Andrew Savchenko @ 2017-08-05 10:17 UTC
  To: gentoo-nfp


On Fri, 4 Aug 2017 09:19:38 +1000 Sam Jorna wrote:
> On Thu, Aug 03, 2017 at 07:23:11PM +0100, Roy Bamford wrote:
> > What do we need to prove?
> > 
> > That the key belongs to a given individual, or just that the key on the vote
> > is the same as the key used for the membership application?
> > 
> > The former involves a web of trust of some sort and we don't do that for devs
> > joining the distro.
> > 
> > I suggest that the latter is sufficient but the web of trust would be nice to have.
> 
> A web of trust would be nice to establish, but would be difficult
> particularly with developers in regions that few other developers are
> from (such as myself in Australia - there's only a couple of others in
> the country). Video could possibly be used, but I believe there's some
> argument over the viability of video "handshaking".

IMO we should solve problems sequentially, without mixing all
small issues into a single large one.

Right now we need to add full key IDs and fingerprints. It should
be easy to solve: LDAP has fingerprints for all devs and we can
fetch keys of other Foundation members from any SKS servers. If
there are any conflicts, they may be contacted individually for a
fingerprint verification.

Whether we need full web-of-trust for all Foundation members is an
open and separate question and should not be bundled with the
problem above. IMO such verification should not be mandatory for
now, since it will cause more harm than good.

Best regards,
Andrew Savchenko



* Re: [gentoo-nfp] PGP fingerprints of Foundation members (item for Trustees meeting)
From: Daniel Campbell @ 2017-11-26 21:06 UTC
  To: gentoo-nfp


On Thu, Aug 03, 2017 at 01:13:13PM +0200, Ulrich Mueller wrote:
> As discussed with prometheanfire in #gentoo-trustees, I am suggesting
> the following as an item for the (September?) Trustees meeting.
> 
> Apparently, the Foundation only has a list of PGP key IDs in
> https://wiki.gentoo.org/wiki/Foundation:Member_List. Even worse, most
> IDs listed there are only 32 bit IDs, providing no security at all.
> 
> I would like to ask the Foundation to keep a list with the (160 bit)
> PGP fingerprints of its members. (For developers, this information
> should be readily available in LDAP.)
> 
> Ulrich

Great idea. I'm willing to update this information: do I need anything beyond
LDAP access + keyserver reference to do this? I also noticed it hasn't been
updated since July; do we have a file somewhere that has non-developer members
to cross-reference?

Changing from Key ID to fingerprint shouldn't be a problem; it'll just
be a wider table.

-- 
Daniel Campbell - Gentoo Developer, Trustee, Treasurer
OpenPGP Key: 0x1EA055D6 @ hkp://keys.gnupg.net
fpr: AE03 9064 AE00 053C 270C  1DE4 6F7A 9091 1EA0 55D6



* Re: [gentoo-nfp] PGP fingerprints of Foundation members (item for Trustees meeting)
From: David Abbott @ 2017-11-26 21:13 UTC
  To: gentoo-nfp

On Sun, Nov 26, 2017 at 4:06 PM, Daniel Campbell <zlg@gentoo.org> wrote:
> On Thu, Aug 03, 2017 at 01:13:13PM +0200, Ulrich Mueller wrote:
>> As discussed with prometheanfire in #gentoo-trustees, I am suggesting
>> the following as an item for the (September?) Trustees meeting.
>>
>> Apparently, the Foundation only has a list of PGP key IDs in
>> https://wiki.gentoo.org/wiki/Foundation:Member_List. Even worse, most
>> IDs listed there are only 32 bit IDs, providing no security at all.
>>
>> I would like to ask the Foundation to keep a list with the (160 bit)
>> PGP fingerprints of its members. (For developers, this information
>> should be readily available in LDAP.)
>>
>> Ulrich
>
> Great idea. I'm willing to update this information: do I need anything beyond
> LDAP access + keyserver reference to do this? I also noticed it hasn't been
> updated since July; do we have a file somewhere that has non-developer members
> to cross-reference?

Not that I am aware of; their email is stored somewhere, Robin should know.
I keep a local copy but it's not posted anywhere so the spam bots don't get them.

>
> Changing from Key ID to fingerprint shouldn't be a problem; it'll just
> be a wider table.
>
> --
> Daniel Campbell - Gentoo Developer, Trustee, Treasurer
> OpenPGP Key: 0x1EA055D6 @ hkp://keys.gnupg.net
> fpr: AE03 9064 AE00 053C 270C  1DE4 6F7A 9091 1EA0 55D6



-- 
David Abbott (dabbott)
Gentoo Foundation Secretary
http://dev.gentoo.org/~dabbott/



* Re: [gentoo-nfp] PGP fingerprints of Foundation members (item for Trustees meeting)
From: Daniel Campbell @ 2017-11-27  3:05 UTC
  To: gentoo-nfp


On Sun, Nov 26, 2017 at 01:06:17PM -0800, Daniel Campbell wrote:
> On Thu, Aug 03, 2017 at 01:13:13PM +0200, Ulrich Mueller wrote:
> > As discussed with prometheanfire in #gentoo-trustees, I am suggesting
> > the following as an item for the (September?) Trustees meeting.
> > 
> > Apparently, the Foundation only has a list of PGP key IDs in
> > https://wiki.gentoo.org/wiki/Foundation:Member_List. Even worse, most
> > IDs listed there are only 32 bit IDs, providing no security at all.
> > 
> > I would like to ask the Foundation to keep a list with the (160 bit)
> > PGP fingerprints of its members. (For developers, this information
> > should be readily available in LDAP.)
> > 
> > Ulrich
> 
> Great idea. I'm willing to update this information: do I need anything beyond
> LDAP access + keyserver reference to do this? I also noticed it hasn't been
> updated since July; do we have a file somewhere that has non-developer members
> to cross-reference?
> 
> Changing from Key ID to fingerprint shouldn't be a problem; it'll just
> be a wider table.
> 
> -- 
> Daniel Campbell - Gentoo Developer, Trustee, Treasurer
> OpenPGP Key: 0x1EA055D6 @ hkp://keys.gnupg.net
> fpr: AE03 9064 AE00 053C 270C  1DE4 6F7A 9091 1EA0 55D6

Never mind, I found where we keep a list and have made a tool to update
it. Once I get the go-ahead I'll update the wiki page and put this
behind us. :)

-- 
Daniel Campbell - Gentoo Developer, Trustee, Treasurer
OpenPGP Key: 0x1EA055D6 @ hkp://keys.gnupg.net
fpr: AE03 9064 AE00 053C 270C  1DE4 6F7A 9091 1EA0 55D6


