From: Rich Freeman
Date: Thu, 31 Jan 2019 19:09:11 -0500
Subject: Re: [gentoo-project] pre-GLEP: Gentoo OpenPGP web of trust
To: gentoo-project

On Thu, Jan 31, 2019 at 5:49 PM Michael Orlitzky wrote:
>
> On 1/31/19 4:40 PM, Alec Warner wrote:
> >
> > So we have a website that lists all of our developers and their gpg-fps already. I realize that mgorny will object that this is a 'nonstandard tool' or somesuch, but I think from my POV it's a pretty straightforward tool. Obviously it requires trusting www.gentoo.org and our CA (of which we do not run our own, so it is letsencrypt, IIRC.)
> >
>
> The problem with the PKI is that even if LetsEncrypt is trustworthy, everyone else that you trust is not. If you're in whatever theocracy is in vogue for murdering its citizens this week, then you want to be sure that your government can't forge a certificate for www.gentoo.org (which says the "f" word a lot) on-the-fly. Of course, they all can. The list of trusted CAs in modern browsers is basically a "who's who" of the least trustworthy people on Earth.

These same governments print up the IDs the GLEP proposes that developers verify. Also, while governments like the US/EU might put a ton of security features in those IDs, I suspect that quite a few governments issue IDs with about as many anti-tamper features as a library card. With a WoT the chain is as strong as its weakest link.

> With the web of trust, I am at least trusting someone who is trusting someone who is trusting someone who is trusting someone that I've met in person.
You use the word "trust," but keep in mind the only thing that last person is verifying is that:

1. The person has an ID with a matching ID (issued by that theocracy that murders its citizens).
2. The person has control over the email address somebody presented to the recruiters. That would be the one that is reached via telecom lines that go through the ISP controlled by that theocracy that murders its citizens.

The person signing off on somebody's key won't be a close personal friend of the applicant. They won't have been their mentor for the last six months. They won't be on the same project, reviewing their commits. They'll be a random developer who just happens to live somewhat near the applicant. The actual mentors/etc would have been in communication solely by email/IRC and will live on the other side of the planet and probably will never actually meet the applicant in person.

Now, perhaps the actual mentor will verify IDs/etc via webcam or something like that, but you're still subject to the vulnerability of the local government all the same, and if the mentor doesn't normally interact via webcam they really won't know if the person on the other end of the line is the person they've been interacting with all along.

If the threat model is state actors seeking to infiltrate Gentoo, then the proposed methods are inadequate. If the threat model is something more likely such as misc vandals/etc, then we can probably relax things further.

-- 
Rich