From: Michał Górny
To: gentoo-project@lists.gentoo.org
Subject: Re: [gentoo-project] pre-GLEP: Gentoo OpenPGP web of trust
Date: Fri, 01 Feb 2019 14:25:11 +0100
Message-ID: <1549027511.722.0.camel@gentoo.org>
References: <1548943008.796.1.camel@gentoo.org>
Organization: Gentoo
List-Id: Gentoo Project discussion list
On Thu, 2019-01-31 at 12:33 -0500, Rich Freeman wrote:
> On Thu, Jan 31, 2019 at 8:56 AM Michał Górny wrote:
> >
> > 1. It is entirely customary and therefore requires customized software
> > to use. In other words, it's of limited usefulness to people outside
> > Gentoo or does not work out of the box there.
>
> This part could be addressed easily by having Gentoo create a signing
> key, and automatically signing all dev keys based on LDAP using it.
> Then users can trust that one key and inherit trust for the rest.
>
> Users have to opt into the trust model by trusting somebody's key no
> matter what. No reason that couldn't be a centrally-managed one.
>
> I'll also agree with the comment that physically interacting with
> people is not all that easy. There are many areas of the world where
> FOSS developers are relatively uncommon, let alone Gentoo ones.
> Unless those alternate organizations have VERY broad coverage (such as
> an alternative of a notary recognized by any country or something like
> that) you're still going to have issues.
>
> > Verify the person's real name (at least for the user identifier
> > used for copyright purposes). This is usually done through
> > verifying an identification document with photograph. It is
> > a good idea to ask for the document type earlier, and read on
> > forgery protections used.
>
> "usually"? "identification document"? Does this mean that an
> appropriate method of verification is entirely up to individual
> discretion? If so that makes the process of getting every key signed
> fairly trivial as long as two people have (in?)appropriately-rigorous
> standards...
>

I'm sorry, I keep forgetting that you can't rely on people in Gentoo
being mature and you need to specify everything as 'MUST' and 'MUST
NOT', or otherwise they are going to ignore the spirit of the policy
and violate in the worst way permitted by bending the wording.
-- 
Best regards,
Michał Górny
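The trust-inheritance mechanism Rich describes above (a user trusts one central signing key and inherits trust for every developer key it certified) is exactly what OpenPGP validity computation does in GnuPG's classic trust model. The Python sketch below is an added example, not part of this thread and not Gentoo tooling; it models that computation with constructed key ids ("USER", "GENTOO-SIGNING-KEY", "DEV-A", ...) and GnuPG's default thresholds of one fully trusted or three marginally trusted certifiers. It also shows the caveat a user hits in practice: signing the central key is not enough, the user must additionally assign owner trust to it (in gpg terms, the `trust` command under `--edit-key`, or a trust signature), otherwise the developer keys it certified remain unverified.

```python
"""Toy OpenPGP web-of-trust validity calculator (added example, not from the thread)."""
from dataclasses import dataclass, field

# Owner-trust levels, named after GnuPG's classic trust model.
UNKNOWN, NEVER, MARGINAL, FULL, ULTIMATE = range(5)

# GnuPG defaults: one fully trusted certifier, or three marginal ones, validates a key.
COMPLETES_NEEDED = 1
MARGINALS_NEEDED = 3


@dataclass
class Keyring:
    # key id -> ids of the keys whose certification (key signature) it carries
    certifications: dict = field(default_factory=dict)
    # key id -> owner trust the local user assigned to that key's holder
    ownertrust: dict = field(default_factory=dict)

    def add_key(self, key_id, trust=UNKNOWN):
        self.certifications.setdefault(key_id, set())
        self.ownertrust[key_id] = trust

    def certify(self, signer, target):
        """Record that `signer` signed `target`'s user ID."""
        self.certifications[target].add(signer)

    def validity(self):
        """Return the set of keys the local user may treat as valid.

        A key is valid if it is ultimately trusted, or if it carries enough
        certifications from keys that are themselves valid AND whose holders
        were given full/marginal owner trust. Iterating to a fixpoint lets
        trust flow along a chain: user -> central key -> developer keys.
        """
        valid = {k for k, t in self.ownertrust.items() if t == ULTIMATE}
        changed = True
        while changed:
            changed = False
            for key, signers in self.certifications.items():
                if key in valid:
                    continue
                usable = [s for s in signers if s in valid]
                fulls = sum(self.ownertrust[s] >= FULL for s in usable)
                marginals = sum(self.ownertrust[s] == MARGINAL for s in usable)
                if fulls >= COMPLETES_NEEDED or marginals >= MARGINALS_NEEDED:
                    valid.add(key)
                    changed = True
        return valid


def central_key_scenario(assign_ownertrust=True):
    """The proposal from the thread, with constructed ids: the user verifies and
    signs one central signing key, which has certified every developer key."""
    kr = Keyring()
    kr.add_key("USER", ULTIMATE)              # the local user's own key
    kr.add_key("GENTOO-SIGNING-KEY")          # constructed placeholder id
    kr.certify("USER", "GENTOO-SIGNING-KEY")  # user checked and signed it
    if assign_ownertrust:
        kr.ownertrust["GENTOO-SIGNING-KEY"] = FULL   # the step users forget
    for dev in ("DEV-A", "DEV-B", "DEV-C"):
        kr.add_key(dev)
        kr.certify("GENTOO-SIGNING-KEY", dev)  # automated certification from LDAP
    kr.add_key("STRANGER")                    # nobody trusted signed this key
    return kr.validity()


def marginal_peers_scenario(n_signers):
    """Classic web-of-trust path without a central key: a newcomer's key becomes
    valid only once MARGINALS_NEEDED marginally trusted, valid devs signed it."""
    kr = Keyring()
    kr.add_key("USER", ULTIMATE)
    kr.add_key("NEWCOMER")
    for i in range(n_signers):
        dev = f"DEV-{i}"
        kr.add_key(dev, MARGINAL)
        kr.certify("USER", dev)        # user verified each dev in person
        kr.certify(dev, "NEWCOMER")
    return "NEWCOMER" in kr.validity()


if __name__ == "__main__":
    print("central key, ownertrust set:  ", sorted(central_key_scenario()))
    print("central key, ownertrust unset:", sorted(central_key_scenario(False)))
    print("3 marginal peers:", marginal_peers_scenario(3), "| 2 peers:", marginal_peers_scenario(2))
```

With owner trust assigned, the three developer keys come out valid while the uncertified "STRANGER" does not; with the central key merely signed but left at unknown owner trust, only the central key itself is valid, which is the failure mode to document for users opting into such a model.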