incubator-general mailing list archives

From Marvin Humphrey <mar...@rectangular.com>
Subject Re: key signing
Date Tue, 09 Oct 2012 22:01:46 GMT
On Mon, Oct 8, 2012 at 2:24 PM, Noah Slater <nslater@tumbolia.org> wrote:
>> 1. The key owner convinces the signer that the identity in the UID is
>> indeed their own identity by whatever evidence the signer is willing to
>> accept as convincing. Usually this means the key owner must present a
>> government issued ID with a picture and information that match up with the
>> key owner. (Some signers know that government issued ID's are easily forged
>> and that the trustability of the issuing authorities is often suspect and
>> so they may require additional and/or alternative evidence of identity).
>
>> 2. The key owner verifies that the fingerprint and the length of the key
>> about to be signed is indeed their own.
>
> How would you do this via Skype?

Here's a rough draft for a protocol:

Several podling committers convene in a Google Plus Hangout with "Hangouts On
Air" enabled (so that the video gets archived to YouTube).

Everyone states their name and what they had for lunch, then reads their
public key fingerprint aloud.  The lunch items are combined into a key phrase.
Participants then commit to a text file under ASF version control,
contributing a few lines containing their name, their public key fingerprint
and the key phrase -- linking together face and voice, public key fingerprint,
ASF credentials and by extension, an iCLA.

Optionally, the project is then discussed by the participants for some
arbitrary length of time; the discussion of shared experience adds another
layer of confidence that participants are who they say they are.

Physical IDs are *not* shown during this session because the video is to be
archived in a public location, but participants are encouraged to request such
IDs via private channels later.

After the session ends, the archival video link is submitted to the podling's
dev list, giving people the opportunity to initiate contact via email, phone
or other channels with the committers in question -- or better yet their
associates and colleagues, pointing to the video link and requesting
confirmation of identity.

Once a potential key-signer believes that a high degree of certainty has been
established for a given candidate (it may make sense to codify some "best
practice" guidelines), they sign the key and report to the dev list,
documenting both what key was signed and what criteria they used when deciding
to sign.

...

While this protocol does not rely heavily on validating government-issued IDs,
the Debian guidelines quoted above point out that some people object to giving
such IDs too much credence:

    (Some signers know that government issued ID's are easily forged and that
    the trustability of the issuing authorities is often suspect and so they
    may require additional and/or alternative evidence of identity).

Instead, it relies on a layered approach a la multi-factor authentication.

> If we don't take this seriously, how can we expect other people to take our
> keys seriously?

Since the Incubator PMC consistently approves releases signed by keys which
are not connected to the web of trust, apparently we don't take the web of
trust very "seriously" right now.  ;)

But "seriously"...

I interpret "take this seriously" to mean that before signing the key, it is
important to...

1.  Establish the identity of the key owner to a high degree of certainty.
2.  Establish the link between the key and the key owner to a high degree of
    certainty.

The point is that the degree of certainty is independent of the means used to
obtain that certainty -- and the GnuPG docs say as much.  Face-to-face
interaction is one good technique, but in my opinion, the categorical
dismissal of all other techniques hinders participation in the web of trust,
thereby thinning our defense in depth against credential spoofing.

Marvin Humphrey
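The draft protocol above has participants commit a text file with their name, public key fingerprint and the shared key phrase. The following script is an added example (not part of the original message or any ASF tooling) of the checks a prospective signer could run over such a file before signing anything. The line format ("name | fingerprint | key phrase"), the names, fingerprints and key phrase are all constructed for illustration. The important design point is that the file is never allowed to vouch for itself: each attested fingerprint is compared against the fingerprint of the key the signer independently fetched, so a tampered or mistyped entry surfaces as a mismatch rather than a signature.

```python
"""Validate a key-signing attestation file of the kind described in the
thread. Record format, names, fingerprints and key phrase are constructed
for this example (hypothetical); nothing here comes from a real ASF file."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumed (hypothetical) line format: "<name> | <fingerprint> | <key phrase>"
LINE_RE = re.compile(r"^\s*(?P<name>[^|]+?)\s*\|\s*(?P<fpr>[^|]+?)\s*\|\s*(?P<phrase>.+?)\s*$")
# OpenPGP v4 fingerprint: 160-bit SHA-1, i.e. exactly 40 hex digits
FPR_RE = re.compile(r"^[0-9A-F]{40}$")


@dataclass(frozen=True)
class Entry:
    name: str
    fingerprint: str  # normalised: upper-case, no spaces or colons
    phrase: str       # normalised: lower-case


def normalise_fingerprint(raw: str) -> str:
    """Strip an optional 0x prefix, spaces and colons, and upper-case, so the
    '1234 5678 ...' form read aloud compares equal to the bare hex form."""
    s = raw.strip()
    if s.lower().startswith("0x"):
        s = s[2:]
    return re.sub(r"[\s:]", "", s).upper()


def parse_attestations(text: str) -> list[Entry]:
    """Parse the committed file; reject malformed lines loudly rather than
    silently skipping them, since a skipped line is a skipped check."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not 'name | fingerprint | key phrase'")
        fpr = normalise_fingerprint(m["fpr"])
        if not FPR_RE.match(fpr):
            raise ValueError(f"line {lineno}: {m['fpr']!r} is not a 40-hex-digit v4 fingerprint")
        entries.append(Entry(m["name"].strip(), fpr, m["phrase"].strip().lower()))
    return entries


def check_attestations(entries: list[Entry], fetched: dict[str, str]) -> list[str]:
    """Return a list of problems (empty means every check passed).

    `fetched` maps participant name -> fingerprint of the key the signer
    actually retrieved (e.g. from a keyserver), so the attested value is
    checked against an independent source instead of being trusted as-is."""
    problems = []
    phrases = {e.phrase for e in entries}
    if len(phrases) > 1:
        problems.append(f"key phrase disagreement: {sorted(phrases)}")
    seen: dict[str, str] = {}
    for e in entries:
        if e.fingerprint in seen:
            problems.append(f"{e.name} and {seen[e.fingerprint]} both claim key {e.fingerprint}")
        seen[e.fingerprint] = e.name
        if e.name not in fetched:
            problems.append(f"{e.name}: no independently fetched key to compare against")
        elif normalise_fingerprint(fetched[e.name]) != e.fingerprint:
            problems.append(
                f"{e.name}: attested {e.fingerprint} != fetched "
                f"{normalise_fingerprint(fetched[e.name])}"
            )
    return problems


# Constructed sample attestation file (hypothetical participants and keys).
SAMPLE_FILE = """\
# constructed sample, not a real attestation file
Alice Example | 0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567 | burrito lentils espresso
Bob Example   | fedcba9876543210fedcba9876543210fedcba98 | Burrito Lentils Espresso
"""

# Constructed "fetched from keyserver" fingerprints; Bob's last digit differs
# on purpose so the mismatch path is exercised.
FETCHED = {
    "Alice Example": "0123456789ABCDEF0123456789ABCDEF01234567",
    "Bob Example": "FEDCBA9876543210FEDCBA9876543210FEDCBA99",
}

if __name__ == "__main__":
    for problem in check_attestations(parse_attestations(SAMPLE_FILE), FETCHED):
        print("PROBLEM:", problem)
```

Run as-is, the script reports exactly one problem, Bob's attested fingerprint not matching the fetched one, while Alice's spaced fingerprint and the differently capitalised key phrases are accepted after normalisation. In practice the `FETCHED` dictionary would be filled from the signer's own keyring rather than hard-coded.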
