Re: Secrecy and user trust

Jeff, please excuse me if I'm taking too much out of context from your
mail.

Jeff Spaleta wrote:
> GPG keysigning events typically involve face-to-face meetings with
> some form of official documentation (driver's licenses AND passports
> typically) which people agree to trust. Those identification documents
> are crucial elements of GPG signing events...  they form a baseline
> expectation that you are who you say you are.  You can't do that sort
> of thing with the fedora signing key. You can't meet face-to-face to
> verify its identity, you can't get government-issued ID, which forms the
> baseline for trust (assuming the ID is of course not falsified).

It is quite true that the Fedora key cannot be verified by most of us
in the same way that we could verify the key of an individual.  But...

> At best we could maybe get the release engineering people who have
> direct access to the key to create detached signatures, because they
> are perhaps the only people who do not have to be transmitted the key
> in order to sign it.

This would be excellent.  (Though I would hate to ask Jesse to do any
more work at this time. :)

> But now you are left with the problem of trusting their personal
> keys. Are those people in your web of trust?

Yes.  From FUDCon Raleigh, I'm a hop away from Jesse's key, as it is
signed by Matt Domsch, whom I traded signatures with.  That wasn't
very hard, and I don't even consider myself to be all that well
connected. :)

> Are you going to meet face to face with them and exchange key
> signatures?

Where possible, definitely.  It's a nice excuse to meet some new
people and chat a little about geekery.

> If rpm's key management doesn't handle signed keys..how do you know
> to trust their keys which signed the signature.

Very simple: by using gpg to look at the signatures on a key before
importing it.  This is precisely how https://fedoraproject.org/keys
explains how to verify a key.

> And on and on....all of it outside of the band of rpm.

And that's perfectly fine.  Yes, it means that it isn't the sole
method that all users will use to establish trust in the new keys, but
it also isn't a method that takes much time at all (I refer only to
having Jesse and other rel-eng folks that were involved in generating
the key signing it, not having some other repository's key sign it).

> You can take a look at the existing Fedora Project key at
> pgp.mit.edu's search. It's been signed by 3rd parties. So some
> individuals have signed the key. Do you trust them?

Most of them, no.  In fact, those that have signed this key are folks
whose signatures now hold less weight with me since they were willing
to sign a key that they could not possibly have done much meaningful
verification on.

> -jef"I should go ahead and sign the old key now, just because it
> doesn't matter"spaleta

Hopefully you understand gpg a little better than that and know that
signing a key you can't have verified just devalues the weight of your
signatures. ;)

And, just so it doesn't seem like I'm suggesting we require this as
part of the new key release plan, I must say that I do find publishing
the key's fingerprint at https://fedoraproject.org/keys to be enough
for me to establish trust in it.  Adding a sig on the public key
servers from Jesse (and/or other rel-eng folks with access to it)
would simply be a nice bonus.

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
I expected times like this -- but never thought they'd be so bad, so
long, and so frequent.
    -- Demotivators (www.despair.com)
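
Added example, not part of Todd's message and not Fedora's own tooling: one way to do the check described above, looking at a key's fingerprint and its signatures with gpg before importing it into rpm. The function names, the throwaway --homedir approach and the sample listing (constructed, not a real key) are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: inspect a key file in a throwaway GnuPG home before
# deciding whether to run `rpm --import` on it.

# Constructed sample of `gpg --with-colons --list-sigs` output (not a real key).
SAMPLE_LISTING='pub:-:1024:17:AAAAAAAA11111111:1100000000:::-:::scESC:
fpr:::::::::0123456789ABCDEF01234567AAAAAAAA11111111:
uid:-::::1100000000::::Example Signing Key <key@example.invalid>:
sig:::17:AAAAAAAA11111111:1100000000::::Example Signing Key <key@example.invalid>:13x:
sig:::17:BBBBBBBB22222222:1200000000::::Release Engineer <releng@example.invalid>:10x:'

# Normalise a fingerprint as printed on a web page: drop spaces, uppercase hex.
norm_fpr() { printf '%s' "$1" | tr -d ' \n' | tr 'a-f' 'A-F'; }

# Colon listing on stdin -> primary key fingerprint
# (field 10 of the first "fpr" record after the "pub" record).
primary_fpr() {
  awk -F: '$1=="pub"{p=1; next} p && $1=="fpr"{print $10; exit}'
}

# Colon listing on stdin -> key IDs (field 5 of "sig" records) that signed
# the key, leaving out the key's own self-signatures.
third_party_signers() {
  awk -F: '$1=="pub"{self=$5} $1=="sig" && $5!=self{print $5}' | sort -u
}

# fpr_matches EXPECTED < listing : succeeds only on an exact fingerprint match.
fpr_matches() {
  local got; got=$(primary_fpr)
  [ -n "$got" ] && [ "$got" = "$(norm_fpr "$1")" ]
}

# inspect_key FILE EXPECTED_FPR : needs gpg; never touches ~/.gnupg or the rpm db.
inspect_key() {
  local tmp listing rc=0
  tmp=$(mktemp -d) || return 2
  gpg --homedir "$tmp" --batch --quiet --import "$1" 2>/dev/null || rc=2
  listing=$(gpg --homedir "$tmp" --batch --with-colons --with-fingerprint --list-sigs 2>/dev/null)
  rm -rf "$tmp"
  [ "$rc" -eq 0 ] || { echo "could not read key file" >&2; return 2; }
  if printf '%s\n' "$listing" | fpr_matches "$2"; then
    echo "fingerprint matches; signed by:"
    printf '%s\n' "$listing" | third_party_signers
  else
    echo "fingerprint MISMATCH, do not import" >&2; return 1
  fi
}
```

Call it as inspect_key <keyfile> "<fingerprint as published at https://fedoraproject.org/keys>". The signer key IDs it prints only mean something if those keys are ones you have verified yourself.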
