From: Michał Górny
To: gentoo-project@lists.gentoo.org
Subject: Re: [gentoo-project] pre-GLEP: Gentoo OpenPGP web of trust
Date: Fri, 01 Feb 2019 15:20:28 +0100
In-Reply-To: <20190131153228.w2jb4txsm6d3iabh@gentoo.org>
List-Id: Gentoo Project discussion list
On Thu, 2019-01-31 at 09:32 -0600, Matthew Thode wrote:
> On 19-01-31 14:56:48, Michał Górny wrote:
> > Motivation
> > ==========
> > 
> > While Gentoo has observed the status of the OpenPGP web of trust for many years,
> > there never has been a proper push to get all developers covered by it
> > or even formalize the rules of signing one another's keys. Apparently,
> > there are still many Gentoo developers who do not have their
> > ``@gentoo.org`` UID signed by another active developer. Historically
> > there were also cases of developers signing others' UIDs without
> > actually verifying their identity. [#WOT-GRAPH]_ [#WOT-STATS]_
> > 
> > The web of trust is usually considered secondary to Gentoo's internal
> > trust system based on key fingerprints stored in LDAP and distributed
> > via the website. While this system reliably covers all Gentoo
> > developers, it has three major drawbacks:
> > 
> > 1. It is entirely customary and therefore requires customized software
> >    to use. In other words, it's of limited usefulness to people outside
> >    Gentoo or does not work out of the box there.
> 
> s/customary/custom?
> 
> > 2. At least in the current form, it is entirely limited to Gentoo
> >    developers. As such, it does not facilitate trust between them
> >    and the outer world.
> > 
> > 3. It relies on a centralized server whose authenticity is in turn
> >    proved via PKI. This model is generally considered weak.
> > 
> > Even if this trust system is to stay being central to Gentoo's needs,
> > it should be beneficial for Gentoo developers to start improving
> > the OpenPGP web of trust, both for the purpose of improving Gentoo's
> > position in it and for the purpose of enabling better trust coverage
> > between Gentoo developers, users and other people.
> > 
> > Furthermore, the recent copyright policy established in GLEP 76
> > introduces the necessity of verifying real names of developers. Given
> > that the Foundation wishes to avoid requesting document scans or other
> > forms of direct verification, the identity verification required
> > for UID signing can also serve the needs of verifying the name
> > for Certificate of Origin sign-off purposes. [#GLEP76]_
> > 
> 
> I don't see anything in GLEP 76 about requiring verification of the
> signatures. It's my view (as trustee) that assertion by the signer
> that 'this is my signature' is sufficient. Introducing more
> verification should not be needed. That said, I do think switching to a
> WoT model has some merit, it's just that the name verification is a
> side benefit, not a primary reason for the switch.

There's no plan to verify signatures of all contributors. However,
I believe Gentoo developers should naturally go for higher standards.
After all, if you don't care at all, why become a developer in the first
place?

> 
> > Backwards Compatibility
> > =======================
> > 
> > Gentoo does not use any particular web of trust policy at the moment.
> > Not all existing signatures conform to the new policy. Therefore,
> > approving it is going to require, in some cases:
> > 
> > a. replacing non-conformant user identifiers,
> > 
> > b. revoking non-conformant signatures.
> > 
> > Naturally, those actions can only be carried off by cooperating key
> > owners.
> > 
> > The policy specifies transitional periods for developers whose keys are
> > not signed by anyone in the community yet.
> > 
> 
> I do wonder about how this part will be enforced.
> 

It won't.
-- 
Best regards,
Michał Górny
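As an added example that is not part of this thread, the following Python audit checks for the gap the draft's Motivation section describes: ``@gentoo.org`` UIDs that carry no certification from another developer's key. It assumes the colon-delimited output of ``gpg --with-colons --list-sigs`` as input and a constructed set of developer fingerprints standing in for the LDAP-published list; the sample keys, key IDs and names are invented.

```python
# Added example, not from the original thread. Parses `gpg --with-colons
# --list-sigs` output and reports @gentoo.org UIDs with no certification from
# a *different* developer key. DEVELOPER_FPRS stands in for the LDAP-published
# fingerprint list; every key ID, fingerprint and name below is constructed.
from collections import defaultdict

SAMPLE = """\
pub:u:4096:1:AAAAAAAAAAAAAAAA:1500000000:::u:::scESC::::::23::0:
fpr:::::::::0000000000000000AAAAAAAAAAAAAAAA:
uid:u::::1500000000::HASH1::Alice Dev <alice@gentoo.org>::::::::::0:
sig:::1:AAAAAAAAAAAAAAAA:1500000000::::Alice Dev <alice@gentoo.org>:13x:::::8:
sig:::1:BBBBBBBBBBBBBBBB:1510000000::::Bob Dev <bob@gentoo.org>:13x:::::8:
pub:u:4096:1:BBBBBBBBBBBBBBBB:1500000000:::u:::scESC::::::23::0:
fpr:::::::::0000000000000000BBBBBBBBBBBBBBBB:
uid:u::::1500000000::HASH2::Bob Dev <bob@gentoo.org>::::::::::0:
sig:::1:BBBBBBBBBBBBBBBB:1500000000::::Bob Dev <bob@gentoo.org>:13x:::::8:
"""
DEVELOPER_FPRS = {"0000000000000000AAAAAAAAAAAAAAAA",
                  "0000000000000000BBBBBBBBBBBBBBBB"}


def parse_listing(text):
    """Map primary fingerprint -> {uid string: set of certifying long key IDs}."""
    keys, fpr, uid = defaultdict(dict), None, None
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            fpr = uid = None            # new primary key; its fpr record follows
        elif f[0] == "fpr" and fpr is None:
            fpr = f[9]                  # subkey fpr records are ignored
        elif f[0] == "sub":
            uid = None                  # sigs on subkeys are not UID certifications
        elif f[0] == "uid":
            uid = f[9]
            keys[fpr].setdefault(uid, set())
        elif f[0] == "sig" and uid is not None:
            keys[fpr][uid].add(f[4])    # field 5: long key ID of the certifier
    return dict(keys)


def unsigned_gentoo_uids(keys, developer_fprs, domain="@gentoo.org"):
    """(fingerprint, uid) pairs at `domain` not certified by another developer key."""
    dev_keyids = {f[-16:] for f in developer_fprs}   # long key ID = last 16 hex of fpr
    missing = []
    for fpr, uids in keys.items():
        own = fpr[-16:]                 # self-signatures do not count
        for uid, certifiers in uids.items():
            if domain in uid and not any(c != own and c in dev_keyids
                                         for c in certifiers):
                missing.append((fpr, uid))
    return missing
```

Run against a real keyring, the `--check-sigs` variant of the listing is preferable so that invalid or unverifiable certifications can be filtered on the validity field before counting them.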