From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 87B92138334 for ; Mon, 4 Mar 2019 19:57:30 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 87BC7E0895; Mon, 4 Mar 2019 19:57:29 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [IPv6:2001:470:ea4a:1:5054:ff:fec7:86e4]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 34FA7E0894 for ; Mon, 4 Mar 2019 19:57:29 +0000 (UTC) Received: from pomiot (d202-252.icpnet.pl [109.173.202.252]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: mgorny) by smtp.gentoo.org (Postfix) with ESMTPSA id 1BB9E335D19; Mon, 4 Mar 2019 19:57:25 +0000 (UTC) Message-ID: <64a20cecb179946aae99a69373e95a9d4681766f.camel@gentoo.org> Subject: Re: [gentoo-project] [RFC pre-GLEP] Identity verification via OpenPGP WoT From: =?UTF-8?Q?Micha=C5=82_G=C3=B3rny?= To: gentoo-project@lists.gentoo.org Date: Mon, 04 Mar 2019 20:57:22 +0100 In-Reply-To: References: <2b01793242c46009a37bb07c6725770ebabd82d7.camel@gentoo.org> Organization: Gentoo Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="=-cTZDxE0OVVhJsh9vo37V" User-Agent: Evolution 3.30.5 Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Project discussion list X-BeenThere: gentoo-project@lists.gentoo.org Reply-To: gentoo-project@lists.gentoo.org X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply MIME-Version: 1.0 X-Archives-Salt: 9c59f77d-207f-4b21-b7d3-ce6a724ea8d2 X-Archives-Hash: a6d26faeff2e70be8afd8af55f00e2e1 --=-cTZDxE0OVVhJsh9vo37V Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable On Mon, 2019-03-04 at 14:18 -0500, Rich Freeman wrote: > On Mon, Mar 4, 2019 at 2:06 PM Micha=C5=82 G=C3=B3rny = wrote: >=20 > > Furthermore, > > it is recommended that the signer includes the URL of this GLEP > > as the certification policy URL (``--cert-policy-url`` in GnuPG), > > and appropriately indicates certification level (see > > ``--default-cert-level`` in GnuPG). >=20 > Rather than say "appropriately" why not explicitly indicate which > certification level to use? Otherwise the distinction between 2/3 is > going to become a point of debate. If you're going to standardize the > URL it seems like standardizing the level makes sense (IMO specifying > the URL for disambiguation is a great idea). Well, I believe both 2 and 3 can be valid, depending on how minutely you've verified the document. I'd say you'd say 3 if you really carefully ensured all three points (including multiple anti-counterfeit measures); 2 if you just looked if the document looks reasonable but failed to prepare. > > 1. Obtain a hardcopy of signee's OpenPGP key fingerprint. The signer > > must afterwards use the fingerprint to verify the authenticity > > of the key being used. >=20 > This seems needlessly specific. How about just requiring that they > verify the fingerprint of the key to be signed with the person signing > it. That could mean being handed a hardcopy, but it it could just > mean being shown the fingerprint and transcribing it, or comparing it > on-screen, etc. Obviously it needs to be communicated via a > reasonably tamper-proof mechanism. >=20 > This just seems to necessitate printing out keys when other methods > might be just as secure. Maybe focus more on the what than the how. Sorry, non-native English speaker here. I thought the intent is clear from the sentence, and people are going to be able to figure out that the purpose is to have tamper-proof value here. --=20 Best regards, Micha=C5=82 G=C3=B3rny --=-cTZDxE0OVVhJsh9vo37V Content-Type: application/pgp-signature; name="signature.asc" Content-Description: This is a digitally signed message part Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNATURE----- iQKTBAABCgB9FiEEXr8g+Zb7PCLMb8pAur8dX/jIEQoFAlx9gyJfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDVF QkYyMEY5OTZGQjNDMjJDQzZGQ0E0MEJBQkYxRDVGRjhDODExMEEACgkQur8dX/jI EQrAGxAAsyQNbJvvUjptOHunIDzwFwxsNAeF2J2YNOBTTm1av7cOG3QeVcY3spwa s4Isdg0MD+BkqFMNEGsLs4Y+b7RNqchxKSevuLz+sNtFxVvhJe7S4lHhoVdqwCud 9W3P1SdAHbpGkdtnXJHlCHXxQce2Ae1C+HZmrlKjQXNL20dwOuIbOiW68TBFiaqM JPydmG7k3ctiZWvDuY93WiW0j9xXqE3m1quc64BkVepYW3UclLqp1675WIju7Fmw LwxDK4wak3cU2poXUO2u+sFihvNGTNka2MbBKbHoUuyv+H6yW15ktuxzJUVUerMQ 5nJ1MHJ3o3Ad+FPSIAMS2s/2avZW/pAoUl1thr+qGNVEnhw6UJq2W2APERfGOrig DGO1+xY5rc6dl/+5GY2GHa2y0kBB93nLfJ2qEMUTxGAHTHJ1Ana2awIDaqMOznTs 1rvoorpkgDhY3X3ed0prnPoYEZ1MbIescb5E6lZ+8S7tTZGu/9R7CpNQO7V8alYJ LSGHX5zpXNBNcqmAvI8uU+GXTkSCM3DM1rP39X5pRLfwpUu2hbERaPeEAPv0fchl d4QispOvw2M6qwdFH82q43YIWPVvLO9Q94afznHs7bjcCF0kagsQpor5Ks0S9MeY akH7/BvM191gw0R7x0QDlDatYvuCRQVB+o8h+gejacgqQLdj2Y4= =6agP -----END PGP SIGNATURE----- --=-cTZDxE0OVVhJsh9vo37V--