From: Rich Freeman
Date: Thu, 31 Jan 2019 12:33:25 -0500
Subject: Re: [gentoo-project] pre-GLEP: Gentoo OpenPGP web of trust
To: gentoo-project
List-Id: Gentoo Project discussion list
In-Reply-To: <1548943008.796.1.camel@gentoo.org>

On Thu, Jan 31, 2019 at 8:56 AM Michał Górny wrote:
>
> 1. It is entirely customary and therefore requires customized software
> to use. In other words, it's of limited usefulness to people outside
> Gentoo or does not work out of the box there.

This part could be addressed easily by having Gentoo create a signing key, and automatically signing all dev keys based on LDAP using it. Then users can trust that one key and inherit trust for the rest. Users have to opt into the trust model by trusting somebody's key no matter what. No reason that couldn't be a centrally-managed one.

I'll also agree with the comment that physically interacting with people is not all that easy. There are many areas of the world where FOSS developers are relatively uncommon, let alone Gentoo ones. Unless those alternate organizations have VERY broad coverage (such as an alternative of a notary recognized by any country or something like that) you're still going to have issues.

> Verify the person's real name (at least for the user identifier
> used for copyright purposes). This is usually done through
> verifying an identification document with photograph. It is
> a good idea to ask for the document type earlier, and read on
> forgery protections used.

"usually"? "identification document"? Does this mean that an appropriate method of verification is entirely up to individual discretion?
If so that makes the process of getting every key signed fairly trivial as long as two people have (in?)appropriately-rigorous standards...

-- 
Rich
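
The trust inheritance described in the message above, as an added example that is not part of the original email: a simplified Python model of GnuPG's classic trust model with its default thresholds. The `gentoo-authority` key, the `sign_from_ldap` helper and the key names are hypothetical.

```python
# Added illustration, not code from the thread: simplified GnuPG classic trust model.
COMPLETES_NEEDED = 1  # GnuPG default for --completes-needed
MARGINALS_NEEDED = 3  # GnuPG default for --marginals-needed
MAX_CERT_DEPTH = 5    # GnuPG default for --max-cert-depth


def sign_from_ldap(authority, ldap_devs):
    """Hypothetical automation: the authority key certifies every key listed in LDAP."""
    return {(authority, dev) for dev in ldap_devs}


def valid_keys(own_key, certifications, ownertrust):
    """Return the keys a user considers valid.

    certifications: set of (signer, signee) pairs.
    ownertrust: key -> "full" or "marginal", assigned locally by the user.
    """
    trust = {**ownertrust, own_key: "full"}  # the user's own key is the trust root
    valid = {own_key}
    for _ in range(MAX_CERT_DEPTH):
        newly_valid = set()
        for key in {signee for _, signee in certifications} - valid:
            # Only certifications made by already-valid keys are counted.
            signers = [s for s, k in certifications if k == key and s in valid]
            full = sum(trust.get(s) == "full" for s in signers)
            marginal = sum(trust.get(s) == "marginal" for s in signers)
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                newly_valid.add(key)
        if not newly_valid:
            break
        valid |= newly_valid
    return valid


# Constructed sample data: key names stand in for fingerprints.
LDAP_DEVS = ["alice", "bob", "carol"]
CERTS = sign_from_ldap("gentoo-authority", LDAP_DEVS) | {
    ("me", "gentoo-authority"),  # the user certifies the authority key once
    ("alice", "dave"),           # dave is not in LDAP, only peer-signed by alice
}


def demo():
    opted_in = valid_keys("me", CERTS, {"gentoo-authority": "full"})
    not_opted_in = valid_keys("me", CERTS, {})
    return opted_in, not_opted_in


if __name__ == "__main__":
    for label, keys in zip(("opted in", "not opted in"), demo()):
        print(label, sorted(keys))
```

Assigning ownertrust to the single authority key validates every LDAP-listed key, while a key certified only by a peer the user has not assigned ownertrust to stays invalid.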