Date: Sat, 16 Feb 2019 22:45:10 -0500
From: Aaron Bauman
To: gentoo-project@lists.gentoo.org
Subject: Re: [gentoo-project] [RFC] OpenPGP Authority Keys to provide validity of developer/service keys

On Sat, Feb 16, 2019 at 09:40:21AM +0100, Michał Górny wrote:
> Hi,
>
> Following the replies to my earlier GLEP, I'd like to separately discuss
> introducing Authority Keys to provide validity proof for @gentoo.org
> UIDs.
>

I believe you will find resistance from the usual crowd who are advocating for key signing with validation of some form of identification. However, I would offer that this identification requirement does not help determine or predict intent.

Aside from that, I like the proposal and find it "meets in the middle" of any other approaches out there. As it stands, users trust Gentoo as a distribution and will most likely extend that trust with this process in place.

Regarding the overall intent of keys and key signing, the goal would be to inherently trust someone of which no ID is going to assist anyone in. It is a perpetual process like any normal relationship and can be altered at any time. This falls back on Gentoo to ensure we can trust those developers in some form.

I would offer that a potential "probationary" period be established before that individual's key is signed by the distribution and distributed. Possibly, it is a part of the recruitment process or may need to be extended further. Ultimately, the recruiters and mentors hold the line for the protection of the distribution when on-boarding new developers.

I like it... let's do it!

--
Cheers,
Aaron