On 2/17/19 7:54 PM, Matthew Thode wrote:
> On 19-02-17 09:55:54, Michał Górny wrote:
>> On Sun, 2019-02-17 at 06:56 +0000, Robin H. Johnson wrote:
>>> On Sat, Feb 16, 2019 at 09:40:21AM +0100, Michał Górny wrote:
>>> 2. The uid signatures should NOT be naively exported to keyservers. They
>>> should use the CAFF method of generating a uid signature, writing it to a file,
>>> and sending it as an encrypted message to the uid address. The uid owner is
>>> responsible for decrypt + sending to servers. This ensures that the email
>>> address and key are still tied together.
>> That sounds like an awful requirement of statefulness with a requirement of
>> manual manipulation to me, i.e. a can of worms. Do we really need to
>> assume that Gentoo developers will be adding keys they can't use to
>> LDAP?
>>
> It could also be a bad actor, though that comes with other concerns.
> The CAFF method is the standard way of handling signatures; switching to
> ldap also switches our trust store to be based on ldap, not developer
> keys (anything can be in ldap).

Different threat models: if you assume the malicious actor can edit the
fingerprint in LDAP to begin with, they have access to the email itself,
and we control the email address since only the @gentoo.org UID is
signed.

-- 
Kristian Fiskerstrand
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3