From: Rich Freeman <rich0@gentoo.org>
To: gentoo-project <gentoo-project@lists.gentoo.org>
Subject: Re: [gentoo-project] pre-GLEP: Gentoo OpenPGP web of trust
Date: Thu, 31 Jan 2019 19:09:11 -0500
Message-ID: <CAGfcS_mDRRQsA6X=atPFGv9mh+i=5-DOn7qPpXDoevummsicwQ@mail.gmail.com>
In-Reply-To: <fb2d6148-3948-68ba-3673-8301b4e97857@gentoo.org>
On Thu, Jan 31, 2019 at 5:49 PM Michael Orlitzky <mjo@gentoo.org> wrote:
>
> On 1/31/19 4:40 PM, Alec Warner wrote:
> >
> > So we have a website that lists all of our developers and their gpg-fps
> > already. I realize that mgorny will object that this is a 'nonstandard
> > tool' or somesuch, but I think from my POV it's a pretty straightforward
> > tool. Obviously it requires trusting www.gentoo.org
> > <http://www.gentoo.org> and our CA (of which we do not run our own, so
> > it is letsencrypt, IIRC.)
> >
>
> The problem with the PKI is that even if LetsEncrypt is trustworthy,
> everyone else that you trust is not. If you're in whatever theocracy is
> in vogue for murdering its citizens this week, then you want to be sure
> that your government can't forge a certificate for www.gentoo.org (which
> says the "f" word a lot) on-the-fly. Of course, they all can. The list
> of trusted CAs in modern browsers is basically a "who's who" of the
> least trustworthy people on Earth.

These same governments print up the IDs the GLEP proposes that
developers verify.

Also, while governments like the US/EU might put a ton of security
features in those IDs, I suspect that quite a few governments issue
IDs with about as many anti-tamper features as a library card. With a
WoT the chain is as strong as its weakest link.

> With the web of trust, I am at least trusting someone who is trusting
> someone who is trusting someone who is trusting someone that I've met in
> person.

You use the word "trust," but keep in mind the only thing that last
person is verifying is that:

  1. The person has an ID with a matching ID (issued by that theocracy
     that murders its citizens).
  2. The person has control over the email address somebody presented
     to the recruiters. That would be the one that is reached via telecom
     lines that go through the ISP controlled by that theocracy that
     murders its citizens.

The person signing off on somebody's key won't be a close personal
friend of the applicant. They won't have been their mentor for the
last six months. They won't be on the same project, reviewing their
commits. They'll be a random developer who just happens to live
somewhat near the applicant. The actual mentors/etc would have been
in communication solely by email/IRC and will live on the other side
of the planet and probably will never actually meet the applicant in
person.

Now, perhaps the actual mentor will verify IDs/etc via webcam or
something like that, but you're still subject to the vulnerability of
the local government all the same, and if the mentor doesn't normally
interact via webcam they really won't know if the person on the other
end of the line is the person they've been interacting with all along.

If the threat model is state actors seeking to infiltrate Gentoo, then
the proposed methods are inadequate. If the threat model is something
more likely such as misc vandals/etc, then we can probably relax
things further.

--
Rich
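The "weakest link" point above can be made concrete with a small model of how OpenPGP key validity is actually computed. The following is an added illustration written for this archive page, not code from the pre-GLEP, from Gentoo, or from GnuPG; it reimplements the rules of GnuPG's classic trust model (a key becomes valid when it is certified by one fully trusted valid key or by `marginals_needed` marginally trusted ones, within `max_cert_depth` hops of an ultimately trusted key). The key names (`me`, `recruiter`, `local_dev`, `mentor`, `applicant`, `impostor`) and the trust assignments are constructed for the scenario in the message: one nearby developer certifies both the real applicant and an impostor who presented a convincing ID.

```python
"""Minimal GnuPG-style web-of-trust validity computation (added example).

Two separate notions are modelled, as in OpenPGP:
  * owner trust: how much the verifier trusts a key's owner as an introducer
    (assigned locally, never derived from signatures);
  * validity: whether the verifier accepts a key as belonging to its owner
    (derived from certifications made by valid, trusted keys).
"""

ULTIMATE, FULL, MARGINAL, NONE = "ultimate", "full", "marginal", "none"


def compute_validity(signatures, owner_trust, completes_needed=1,
                     marginals_needed=3, max_cert_depth=5):
    """Return {key: depth} for every key the verifier would consider valid.

    signatures: dict signer_key -> set of keys that signer has certified.
    owner_trust: dict key -> trust level assigned by the local user.
    Defaults mirror GnuPG's classic model (one full or three marginal
    introducers, at most five hops from an ultimately trusted key).
    """
    valid = {k: 0 for k, t in owner_trust.items() if t == ULTIMATE}
    changed = True
    while changed:
        changed = False
        # Only keys certified by an already-valid key can become valid.
        candidates = set()
        for signer, signed in signatures.items():
            if signer in valid:
                candidates |= signed
        for key in candidates - set(valid):
            full = marginal = 0
            depth = max_cert_depth
            for signer, signed in signatures.items():
                if key not in signed or signer not in valid:
                    continue
                d = valid[signer] + 1
                if d > max_cert_depth:
                    continue  # introducer chain too long; signature ignored
                t = owner_trust.get(signer, NONE)
                if t in (FULL, ULTIMATE):
                    full += 1
                    depth = min(depth, d)
                elif t == MARGINAL:
                    marginal += 1
                    depth = min(depth, d)
            if full >= completes_needed or marginal >= marginals_needed:
                valid[key] = depth
                changed = True
    return valid


def weakest_link_demo():
    """Constructed scenario (hypothetical key names, not real developers).

    'local_dev' meets the applicant in person, checks an ID, and certifies
    the key. The same developer is also shown a forged ID by 'impostor'
    and certifies that key too. The recruiter and mentor, who know the
    applicant only by email/IRC, certify the applicant's key alone.
    """
    signatures = {
        "me":        {"recruiter", "local_dev", "mentor"},
        "local_dev": {"applicant", "impostor"},
        "recruiter": {"applicant"},
        "mentor":    {"applicant"},
    }
    # Policy 1: each developer is a fully trusted introducer, so a single
    # certification is enough. The fooled signer is the weakest link and
    # the impostor's key becomes valid.
    trust_full = {"me": ULTIMATE, "recruiter": FULL,
                  "local_dev": FULL, "mentor": FULL}
    single_full = compute_validity(signatures, trust_full)
    # Policy 2: every developer is only a marginal introducer, so three
    # independent certifications are required. The applicant still becomes
    # valid; the impostor, with one signature, does not.
    trust_marginal = {"me": ULTIMATE, "recruiter": MARGINAL,
                      "local_dev": MARGINAL, "mentor": MARGINAL}
    three_marginal = compute_validity(signatures, trust_marginal)
    return {
        "impostor_valid_with_one_full_signer": "impostor" in single_full,
        "applicant_valid_with_three_marginals": "applicant" in three_marginal,
        "impostor_valid_with_three_marginals": "impostor" in three_marginal,
    }


if __name__ == "__main__":
    for name, outcome in weakest_link_demo().items():
        print(f"{name}: {outcome}")
```

The second policy does not remove the ID-forgery risk the message describes; it only raises the number of independent signers an attacker must fool, which is the lever the trust model actually offers. Whether that cost is appropriate depends on the threat model chosen, exactly as the closing paragraph above argues.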
Thread overview:
2019-01-31 13:56 [gentoo-project] pre-GLEP: Gentoo OpenPGP web of trust Michał Górny
2019-01-31 14:21 ` Brian Evans
2019-01-31 15:33 ` Matthew Thode
2019-02-01 2:48 ` Sam Jorna (wraeth)
2019-02-01 6:57 ` Michał Górny
2019-02-01 14:43 ` Brian Evans
2019-02-02 6:00 ` desultory
2019-01-31 15:32 ` Matthew Thode
2019-02-01 12:47 ` Andreas K. Huettel
2019-02-01 14:17 ` Cynede
2019-02-01 14:32 ` Rich Freeman
2019-02-01 14:53 ` Kristian Fiskerstrand
2019-02-01 17:27 ` Kristian Fiskerstrand
2019-02-01 20:46 ` Rich Freeman
2019-02-02 6:02 ` desultory
2019-02-01 14:20 ` Michał Górny
2019-01-31 16:33 ` Kristian Fiskerstrand
2019-01-31 16:35 ` Alec Warner
2019-01-31 20:29 ` Kristian Fiskerstrand
2019-01-31 21:40 ` Alec Warner
2019-01-31 22:00 ` Kristian Fiskerstrand
2019-01-31 22:49 ` Michael Orlitzky
2019-02-01 0:09 ` Rich Freeman [this message]
2019-02-01 0:47 ` Kristian Fiskerstrand
2019-01-31 17:33 ` Rich Freeman
2019-02-01 12:51 ` Andreas K. Huettel
2019-02-01 13:25 ` Michał Górny
2019-02-02 5:55 ` desultory
2019-02-02 13:47 ` Rich Freeman
2019-01-31 19:25 ` Kristian Fiskerstrand
2019-02-01 0:41 ` Chris Reffett
2019-02-01 0:42 ` Kristian Fiskerstrand
2019-02-01 0:55 ` Chris Reffett
2019-02-01 1:56 ` Rich Freeman
2019-02-01 12:52 ` Andreas K. Huettel
2019-02-02 5:54 ` desultory