Secrecy and user trust

Jeff Spaleta jspaleta at gmail.com
Thu Sep 4 23:22:23 UTC 2008 

On Thu, Sep 4, 2008 at 1:59 PM, Todd Denniston
<Todd.Denniston at ssa.crane.navy.mil> wrote:
> Although rpm may not have the ability to use keys with signatures in them,
> this does NOT make it a non-starter.

It's going to impact in what fashion we distribute the key.  if we
can'd distribute the signed key and have it import as expected...then
there's no point in attempting to distribute a signed key.  Do all
this 3rd party signing stuff on a public key server.

>
> PGP|GPG can generate DETACHED signatures[1], which can be used with the
> public key file out side of rpm's band to verify the new key.

what is stopping any 3rd party from generating detached signatures
right now? What was stopping them from doing it on the last key? If
you or I or livna or anyone else wanted to create a detached signature
on the Fedora key..we could have..and we'd still be we are right now
dealing with how to distribute a new key.  The extra signatures do not
materially help because we do not have a technical mechanism to make
use of those signatures as part of the client side package management
operations. Look at the existing Fedora key as it sits on the
pgp.mit.edu key server. People have signed it there. We have no way to
make use of that information client side. But you can... anyone can...
just as anyone can push a new signature against that existing key.

Nor do we have a special mechanism which lets 3rd parties verify the
key's validity that individual end-users do not have.  And this last
one is key.  Having livna, or myself, or you.. sign a key that was
transmitted electronically to us doesn't do squat in terms of
increasing its trustability.  if anything it distorts the web of trust
because we've signed something we can't tangible verify.

Distributing the detached signatures as part of the fedora-release
package with a bare  importable key..when we aren't making use of
those detached signatures as part of the packaging process..at
all...seems...futile to me.  We don't have a mechanism which enforces
the existence of signatures on the keys in the rpm keyring.  There is
no trust metric exposed by which you can rank the trustability of a
particular key when using it.  If you want 3rd parties to sign the
Fedora packaging signing key... talk to the 3rd parties about signing
the new key as soon as its made available and placing those detached
signatures on sites they control or a public key server so you can
verify the detached signatures when Fedora releases the bare key with
3rd parties you personally trust.

If you want to be security paranoid concerning the validity of the new
key when it becomes available.. go right ahead.. be paranoid about it.
 But if you need 3rd parties to sign off on the key before you use it,
then you should already have been talking to 3rd parties about doing
it for the last Fedora key. Talk to the 3rd parties.. get them to
agree to sign the new key and put the detached signatures somewhere
public.

If you can convince them to actually sign the key, since they have the
exact same problem that you have.. they have to be transmitted the key
in order for them to sign it. So they have to trust the transmission
of the key... just as you do.  There is a basic logic fallacy here,
some 3rd party has to initially trust the key.  If you personally
aren't going to be that 3rd party...then why would you expect another
3rd party to be the first?  If you are going to be paranoid about
verifying the transmission of the new key to yourself... then you have
to be equally paranoid about how the signatories of that key were
transmitted the key before they signed it.

GPG keysigning events typically involve face-to-face meetings with
some form of official documentation (drivers licenses AND passports
typically) which people agree to trust. Those identification documents
are crucial elements of GPG signing events...  they form a baseline
expectation that you are who you say you are.  You can't do that sort
of thing with the fedora signing key. You can't meet face-to-face to
verify its identity, you can't get government issued ID which form the
baseline for trust (assuming the ID is of course not falsified).

At best we could maybe get the release engineering people who have
direct access to the key to create detached signatures, because they
perhaps the only people who do not have to be transmitted the key in
order to sign it.  But now you are left with the problem of trusting
their personal keys. Are those people in your web of trust? Are you
going to meet face to face with them and exchange key signatures?  If
rpm's key management doesn't handle signed keys..how do you know to
trust their keys which signed the signature.

And on and on....all of it outside of the band of rpm.  We don't have
a compelling reason to distribute those detached signatures as part of
the fedora-release package which will contain the key.  We don't have
a way to make use of them, and if you have to go out of band to verify
the key...then go out of band. All including them will do will slow
down the process of getting the new key out to anyone as we wait for
3rd parties to sign the key and had the signatures back to us to
distribute.  What's stopping anyone from doing all of this 3rd party
signing part of public key server operations?  Someone publishes the
Fedora signing key to a key server, 3rd parties pull the key and sign
it and push the signatures back up to the key server. You then take
the time out of band to check that key server for signatures.

In fact none of this has to be steps that Fedora as a project has to
take. Since you can't verify that Fedora sent the key to the
keyserver,  Once I get the key transmitted to me electronically I
could upload to a public server.. so could you.  I could sign it....so
could you...so could anyone.  But none of those action impart any
additional trust all that says is that we all received the same key.
Is that really worthwhile information?  If you think it is then I
suggest you organize a campaign to have everyone create a detached
signature for the new key when it becomes available and submit it to
one of the pgp keyservers.  That sort of organized activity might not
add any real trust metric to the key..but it would be an interested
head count of how many people actually have gpg keys out there in
Fedoraland.

You can take a look at the existing Fedora Project key at
pgp.mit.edu's search. It's been signed by 3rd parties. So some
individuals have signed the key. Do you trust them?


-jef"I should go ahead and sign the old key now, just because it
doesn't matter"spaleta

More information about the fedora-list mailing list