From: Matthew Thode <prometheanfire@gentoo.org>
To: gentoo-project@lists.gentoo.org
Subject: Re: [gentoo-project] pre-GLEP: Gentoo OpenPGP web of trust
Date: Thu, 31 Jan 2019 09:32:28 -0600
Message-ID: <20190131153228.w2jb4txsm6d3iabh@gentoo.org>
In-Reply-To: <1548943008.796.1.camel@gentoo.org>
On 19-01-31 14:56:48, Michał Górny wrote:
> Motivation
> ==========
>
> While Gentoo observes the status of OpenPGP web of trust for many years,
> there never has been a proper push to get all developers covered by it
> or even formalize the rules of signing one another's keys. Apparently,
> there are still many Gentoo developers who do not have their
> ``@gentoo.org`` UID signed by another active developer. Historically
> there were also cases of developers signing others' UIDs without
> actually verifying their identity. [#WOT-GRAPH]_ [#WOT-STATS]_
>
> The web of trust is usually considered secondary to Gentoo's internal
> trust system based on key fingerprints stored in LDAP and distributing
> via the website. While this system reliably covers all Gentoo
> developers, it has three major drawbacks:
>
> 1. It is entirely customary and therefore requires customized software
> to use. In other words, it's of limited usefulness to people outside
> Gentoo or does not work out of the box there.
s/customary/custom?
>
> 2. At least in the current form, it is entirely limited to Gentoo
> developers. As such, it does not facilitate trust between them
> and the outer world.
>
> 3. It relies on a centralized server whose authenticity is in turn
> proved via PKI. This model is generally considered weak.
>
> Even if this trust system is to stay central to Gentoo's needs,
> it should be beneficial for Gentoo developers to start improving
> the OpenPGP web of trust, both for the purpose of improving Gentoo's
> position in it and for the purpose of enabling better trust coverage
> between Gentoo developers, users and other people.
>
> Furthermore, the recent copyright policy established in GLEP 76
> introduces the necessity of verifying real names of developers. Given
> that the Foundation wishes to avoid requesting document scans or other
> forms of direct verification, the identity verification required
> for UID signing can also serve the needs of verifying the name
> for Certificate of Origin sign-off purposes. [#GLEP76]_
>
I don't see anything in glep 76 about requiring verification of the
signatures. It's my view (as trustee) that assertion by the signer
that 'this is my signature' is sufficient. Introducing more
verification should not be needed. That said, I do think switching to a
WoT model has some merit; it's just that the name verification is a
side benefit, not a primary reason for the switch.
> Backwards Compatibility
> =======================
>
> Gentoo does not use any particular web of trust policy at the moment.
> Not all of existing signatures conform to the new policy. Therefore,
> approving it is going to require, in some cases:
>
> a. replacing non-conformant user identifiers,
>
> b. revoking non-conformant signatures.
>
> Naturally, those actions can only be carried off by cooperating key
> owners.
>
> The policy specifies transitional periods for developers whose keys are
> not signed by anyone in the community yet.
>
I do wonder about how this part will be enforced.
--
Matthew Thode
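The motivation above notes that many developers lack an ``@gentoo.org`` UID certified by another active developer. As an added illustration (not code from the thread or from Gentoo's tooling), the check below parses ``gpg --with-colons --list-sigs`` output for a keyring and reports every ``@gentoo.org`` UID that has no exportable certification from a key in the active-developer set. The key IDs, names and the ``ACTIVE_DEVS`` set are constructed placeholders.

```python
# Audit a gpg --with-colons --list-sigs dump for @gentoo.org UIDs that are
# not certified by another active developer. Constructed sample data only.

# Long key IDs of active developers (constructed placeholders, not real keys).
ACTIVE_DEVS = {"0123456789ABCDEF", "FEDCBA9876543210", "1111222233334444"}

# Constructed excerpt in gpg --with-colons format: pub/uid/sig records.
SAMPLE = """\
pub:u:4096:1:0123456789ABCDEF:1500000000:::u:::scESC::::::23::0:
uid:u::::1500000000::AAA::Alice Dev <alice@gentoo.org>::::::::::0:
sig:::1:0123456789ABCDEF:1500000000::::Alice Dev <alice@gentoo.org>:13x:::::2:
sig:::1:FEDCBA9876543210:1500000100::::Bob Dev <bob@gentoo.org>:13x:::::2:
uid:u::::1500000000::BBB::Alice Dev <alice@example.com>::::::::::0:
sig:::1:0123456789ABCDEF:1500000000::::Alice Dev <alice@gentoo.org>:13x:::::2:
pub:u:4096:1:FEDCBA9876543210:1500000000:::u:::scESC::::::23::0:
uid:u::::1500000000::CCC::Bob Dev <bob@gentoo.org>::::::::::0:
sig:::1:FEDCBA9876543210:1500000000::::Bob Dev <bob@gentoo.org>:13x:::::2:
sig:::1:1111222233334444:1500000200::::Carol Dev <carol@gentoo.org>:13l:::::2:
pub:u:4096:1:1111222233334444:1500000000:::u:::scESC::::::23::0:
uid:u::::1500000000::DDD::Carol Dev <carol@gentoo.org>::::::::::0:
sig:::1:1111222233334444:1500000000::::Carol Dev <carol@gentoo.org>:13x:::::2:
sig:::1:AAAAAAAAAAAAAAAA:1500000300::::Mallory <mallory@example.org>:13x:::::2:
"""

CERT_CLASSES = {"10", "11", "12", "13"}  # generic/persona/casual/positive certs


def parse_colons(text):
    """Return [{'keyid': ..., 'uids': {uid: set(signer keyids)}}] per primary key."""
    keys, cur, cur_uid = [], None, None
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":                        # field 5 is the long key ID
            cur = {"keyid": f[4], "uids": {}}
            keys.append(cur)
            cur_uid = None
        elif f[0] == "sub":                      # subkey records carry no UID sigs
            cur_uid = None
        elif f[0] == "uid" and cur is not None:  # field 10 is the user ID string
            cur_uid = f[9]
            cur["uids"][cur_uid] = set()
        elif f[0] == "sig" and cur_uid is not None:
            cls = f[10]                          # e.g. "13x": class 0x13, exportable
            # Count only exportable certifications from a key other than the owner's.
            if cls[:2] in CERT_CLASSES and cls.endswith("x") and f[4] != cur["keyid"]:
                cur["uids"][cur_uid].add(f[4])
    return keys


def uncovered_gentoo_uids(keys, active):
    """(keyid, uid) pairs whose @gentoo.org UID lacks a cert from another active dev."""
    out = []
    for k in keys:
        for uid, signers in k["uids"].items():
            if "@gentoo.org" in uid and not (signers & (active - {k["keyid"]})):
                out.append((k["keyid"], uid))
    return out
```

In the sample, Alice is covered by Bob's signature, Bob's only third-party certification is local (non-exportable), and Carol's only signer is not an active developer, so the last two are reported.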