Subject: Re: [gentoo-project] pre-GLEP: Gentoo OpenPGP web of trust
To: gentoo-project@lists.gentoo.org
From: Michael Orlitzky
Date: Thu, 31 Jan 2019 17:49:16 -0500
References: <1548943008.796.1.camel@gentoo.org> <337a117a-7b97-2000-f88e-2bd80cc15faa@gentoo.org>

On 1/31/19 4:40 PM, Alec Warner wrote:
> So we have a website that lists all of our developers and their gpg-fps
> already. I realize that mgorny will object that this is a 'nonstandard
> tool' or somesuch, but I think from my POV it's a pretty straightforward
> tool. Obviously it requires trusting www.gentoo.org and our CA (of which
> we do not run our own, so it is letsencrypt, IIRC.)

The problem with the PKI is that even if LetsEncrypt is trustworthy, everyone else that you trust is not. If you're in whatever theocracy is in vogue for murdering its citizens this week, then you want to be sure that your government can't forge a certificate for www.gentoo.org (which says the "f" word a lot) on-the-fly. Of course, they all can. The list of trusted CAs in modern browsers is basically a "who's who" of the least trustworthy people on Earth.

With the web of trust, I am at least trusting someone who is trusting someone who is trusting someone who is trusting someone that I've met in person.

It's a bit of a moot point so long as we distribute Gentoo itself over a channel that's secured by the PKI, but the two aren't equivalent.
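The two trust models argued about in this thread, as an added illustration that is not part of the original message or of any Gentoo tooling: a web-of-trust check that only accepts a key reachable through a bounded chain of signatures from a key I signed in person, beside a CA-store check where any root in the store can vouch for any name. The keyring, the signatures and the CA list are constructed sample data, not Gentoo's real keyring or a real trust store.

```python
"""Trust-path model: OpenPGP web of trust versus a flat CA store."""
from collections import deque

# Constructed sample keyring: signer -> set of keys that signer has certified.
# "me" is my own key; "alice" is the only person I have met and signed.
SIGNATURES = {
    "me":      {"alice"},
    "alice":   {"bob"},
    "bob":     {"carol"},
    "carol":   {"dev-key"},
    "mallory": {"rogue-dev-key"},   # nobody in my chain certified mallory
}

def wot_path(start, target, max_depth=5):
    """Return the shortest signature chain from `start` to `target`, or None.

    `max_depth` bounds the number of hops, mirroring GnuPG's certification
    depth limit (its default max-cert-depth is 5). A key with no chain back
    to a key I certified myself is not trusted, however many others vouch
    for it among themselves.
    """
    queue = deque([(start, [start])])
    seen = {start}
    while queue:
        key, path = queue.popleft()
        if key == target:
            return path
        if len(path) - 1 >= max_depth:      # hop budget exhausted on this branch
            continue
        for signed in SIGNATURES.get(key, ()):
            if signed not in seen:
                seen.add(signed)
                queue.append((signed, path + [signed]))
    return None

# Constructed sample trust store. Under the PKI model every root is equal:
# the relying party cannot say "only this CA may certify www.gentoo.org".
TRUST_STORE = {"letsencrypt", "root-ca-2", "root-ca-3"}

def pki_accepts(cert):
    """A certificate (constructed dict with 'subject' and 'issuer') is
    accepted iff its issuer is any member of the trust store."""
    return cert["issuer"] in TRUST_STORE
```

The contrast the reply draws: `pki_accepts` returns the same answer for a www.gentoo.org certificate from any root in the store, while `wot_path` rejects a key that no chain from my own key reaches, and also rejects a genuine key once the chain exceeds the depth I am willing to accept.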