Re: Secrecy and user trust

Jeff Spaleta wrote:
> Ah there's the rub. You want him to sign it..but you don't want to
> ask him to sign it.  You want someone like me to order him to sign
> it.

Not at all.  I did not ever ask you to ask Jesse.  In fact, I did ask
him about it via IRC shortly after I sent my message.  We'll see what
he says if he notices the message and has a moment.  I'm not terribly
worried about it either way.

> Check that list of signatories again for the old key at pgp.mit.edu.
> Did Jesse ever sign the old key? If the answer was no... and you
> trusted that key before...did you really need Jesse to sign the new
> one to trust it now?

As I said in my previous message:

    And, just so it doesn't seem like I'm suggesting we require this
    as part of the new key release plan, I must say that I do find
    publishing the key's fingerprint at https://fedoraproject.org/keys
    to be enough for me to establish trust in it.  Adding a sig on the
    public key servers from Jesse (and/or other rel-eng folks with
    access to it) would simply be a nice bonus.

> Tell me the name of the one person everyone is going to trust when
> they sign the key.  Is everyone going to trust Jesse?  Really?
> Everyone?  If that were so, I think Jesse would have been the first
> suggestion....not livna.

1) I don't know where you get the idea that one person that everyone
trusts must sign the key for any signatures to be valid.  That's not
what the web of trust is about.

2) I never suggested Livna sign the key because I don't believe anyone
at Livna has close enough access to the new key to provide any decent
verification of the key.  In the case of a key that represents an
entity, the best place to start is with the individual(s) that have
access to the private key.

> How do you KNOW they didn't do any meaningful verification on it?
> How do you KNOW that anyone does meaningful verification on any key
> before they sign it?

IMO, the only people that can do meaningful verification of a key such
as the fedora signing key are those people that control the secret
key.  Anyone else is simply taking their word for it (or piling on
with a "this is the same key I got elsewhere" sort of "verification",
which means nothing to me).

> To trust any signature on any key you must make assumptions on the
> actions of others.

Right, and I use the past actions of those people as my guide.  When
someone signs a key that I know they could not have properly verified
(since it isn't a human and could not have shown them any sort of ID),
then I choose not to trust those people's signatures.

> What's even funnier is that you just admitted that the case of the
> Fedora signing key your assumptions concerning other people's
> actions decrease overall trust. Which is the exact opposite of what
> you want!

You lost me there Jeff.  I think you may be reading things into my
words that I have not intended.

If Jesse Keating or other rel-eng folks with access to the private key
sign the key, it holds some weight as they are the folks that can
properly verify the key.

> You want people to sign the key to increase trust..but you just
> stated that having lots of people sign the previous key..means you
> assume they didn't do it right and that you decrease trust in them
> instead of increasing trust in the key. MADNESS.

Not madness at all.  It's the basics of the OpenPGP trust model.
People that sign things without proper verification lose their
reputation as good signatories.

> You just admitted that the signing key is treated differently than a
> normal gpg key because it's not attached to an identity. And that's
> sort of the point.  The web-of-trust concept does not equally apply
> to keys which are not strongly attached to a verifiable human
> identity.  The web-of-trust is illusionary for keys that are not
> strongly attached to human identities.

And the goal of having one of the humans that generated the key sign
it is to bring some level of the traditional web of trust back.

Again, with the key fingerprints being published on fedoraproject.org
and the keys available in public CVS, I think there are plenty of ways
to establish trust in the new keys.  If they get signed by Jesse,
that's one more way that some of us can use.  If they don't, I'm not
going to lose any sleep.

But no worry, I'm not asking you to do anything, so relax and have a
home brew. :)

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
If age imparted wisdom, there wouldn't be any old fools.
    -- Claudia Young
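
The distinction argued in this message, between how many signatures a key carries and whose signatures they are, is what GnuPG's classic trust model computes. The following is an added example, not part of the original message: a simplified validity calculation using GnuPG's default thresholds (one fully trusted or three marginally trusted signers), with constructed key names.

```python
# Simplified model of GnuPG's classic trust model; expiry, revocation and
# certification-depth limits are left out. All key names are constructed.
FULL, MARGINAL, NONE = "full", "marginal", "none"
COMPLETES_NEEDED = 1   # GnuPG default: one fully trusted signer suffices
MARGINALS_NEEDED = 3   # GnuPG default: or three marginally trusted signers


def valid_keys(signatures, ownertrust, own_keys):
    """Return the set of keys the user can consider valid.

    signatures: key -> set of keys that signed it
    ownertrust: key -> how far the user trusts that key's owner as a signer
    own_keys:   the user's own keys (always valid, counted as fully trusted)
    """
    valid = set(own_keys)
    changed = True
    while changed:                      # iterate until no new key validates
        changed = False
        for key, signers in signatures.items():
            if key in valid:
                continue
            full = marginal = 0
            # Signatures from keys that are not themselves valid count for nothing.
            for signer in signers & valid:
                trust = FULL if signer in own_keys else ownertrust.get(signer, NONE)
                full += trust == FULL
                marginal += trust == MARGINAL
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                valid.add(key)
                changed = True
    return valid


def scenarios():
    own = {"me"}
    # "me" has verified and signed these four people's keys directly.
    base = {k: {"me"} for k in ("releng", "alice", "bob", "carol")}
    pile_on = {"alice", "bob", "carol"}
    crowd = {**base, "signing-key": set(pile_on)}
    with_holder = {**base, "signing-key": pile_on | {"releng"}}
    check = lambda sigs, trust: "signing-key" in valid_keys(sigs, trust, own)
    return {
        # Three signatures, all from signers the user assigns no ownertrust.
        "pile_on_untrusted": check(crowd, {"releng": FULL}),
        # Same crowd plus one signature from a fully trusted key holder.
        "key_holder_signs": check(with_holder, {"releng": FULL}),
        "two_marginal": check(crowd, {"alice": MARGINAL, "bob": MARGINAL}),
        "three_marginal": check(crowd, dict.fromkeys(pile_on, MARGINAL)),
    }
```
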
