On Thu, Sep 4, 2008 at 1:59 PM, Todd Denniston <Todd.Denniston@xxxxxxxxxxxxxxxxxx> wrote: > Although rpm may not have the ability to use keys with signatures in them, > this does NOT make it a non-starter. It's going to impact in what fashion we distribute the key. if we can'd distribute the signed key and have it import as expected...then there's no point in attempting to distribute a signed key. Do all this 3rd party signing stuff on a public key server. > > PGP|GPG can generate DETACHED signatures[1], which can be used with the > public key file out side of rpm's band to verify the new key. what is stopping any 3rd party from generating detached signatures right now? What was stopping them from doing it on the last key? If you or I or livna or anyone else wanted to create a detached signature on the Fedora key..we could have..and we'd still be we are right now dealing with how to distribute a new key. The extra signatures do not materially help because we do not have a technical mechanism to make use of those signatures as part of the client side package management operations. Look at the existing Fedora key as it sits on the pgp.mit.edu key server. People have signed it there. We have no way to make use of that information client side. But you can... anyone can... just as anyone can push a new signature against that existing key. Nor do we have a special mechanism which lets 3rd parties verify the key's validity that individual end-users do not have. And this last one is key. Having livna, or myself, or you.. sign a key that was transmitted electronically to us doesn't do squat in terms of increasing its trustability. if anything it distorts the web of trust because we've signed something we can't tangible verify. Distributing the detached signatures as part of the fedora-release package with a bare importable key..when we aren't making use of those detached signatures as part of the packaging process..at all...seems...futile to me. We don't have a mechanism which enforces the existence of signatures on the keys in the rpm keyring. There is no trust metric exposed by which you can rank the trustability of a particular key when using it. If you want 3rd parties to sign the Fedora packaging signing key... talk to the 3rd parties about signing the new key as soon as its made available and placing those detached signatures on sites they control or a public key server so you can verify the detached signatures when Fedora releases the bare key with 3rd parties you personally trust. If you want to be security paranoid concerning the validity of the new key when it becomes available.. go right ahead.. be paranoid about it. But if you need 3rd parties to sign off on the key before you use it, then you should already have been talking to 3rd parties about doing it for the last Fedora key. Talk to the 3rd parties.. get them to agree to sign the new key and put the detached signatures somewhere public. If you can convince them to actually sign the key, since they have the exact same problem that you have.. they have to be transmitted the key in order for them to sign it. So they have to trust the transmission of the key... just as you do. There is a basic logic fallacy here, some 3rd party has to initially trust the key. If you personally aren't going to be that 3rd party...then why would you expect another 3rd party to be the first? If you are going to be paranoid about verifying the transmission of the new key to yourself... then you have to be equally paranoid about how the signatories of that key were transmitted the key before they signed it. GPG keysigning events typically involve face-to-face meetings with some form of official documentation (drivers licenses AND passports typically) which people agree to trust. Those identification documents are crucial elements of GPG signing events... they form a baseline expectation that you are who you say you are. You can't do that sort of thing with the fedora signing key. You can't meet face-to-face to verify its identity, you can't get government issued ID which form the baseline for trust (assuming the ID is of course not falsified). At best we could maybe get the release engineering people who have direct access to the key to create detached signatures, because they perhaps the only people who do not have to be transmitted the key in order to sign it. But now you are left with the problem of trusting their personal keys. Are those people in your web of trust? Are you going to meet face to face with them and exchange key signatures? If rpm's key management doesn't handle signed keys..how do you know to trust their keys which signed the signature. And on and on....all of it outside of the band of rpm. We don't have a compelling reason to distribute those detached signatures as part of the fedora-release package which will contain the key. We don't have a way to make use of them, and if you have to go out of band to verify the key...then go out of band. All including them will do will slow down the process of getting the new key out to anyone as we wait for 3rd parties to sign the key and had the signatures back to us to distribute. What's stopping anyone from doing all of this 3rd party signing part of public key server operations? Someone publishes the Fedora signing key to a key server, 3rd parties pull the key and sign it and push the signatures back up to the key server. You then take the time out of band to check that key server for signatures. In fact none of this has to be steps that Fedora as a project has to take. Since you can't verify that Fedora sent the key to the keyserver, Once I get the key transmitted to me electronically I could upload to a public server.. so could you. I could sign it....so could you...so could anyone. But none of those action impart any additional trust all that says is that we all received the same key. Is that really worthwhile information? If you think it is then I suggest you organize a campaign to have everyone create a detached signature for the new key when it becomes available and submit it to one of the pgp keyservers. That sort of organized activity might not add any real trust metric to the key..but it would be an interested head count of how many people actually have gpg keys out there in Fedoraland. You can take a look at the existing Fedora Project key at pgp.mit.edu's search. It's been signed by 3rd parties. So some individuals have signed the key. Do you trust them? -jef"I should go ahead and sign the old key now, just because it doesn't matter"spaleta -- fedora-list mailing list fedora-list@xxxxxxxxxx To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
