Bruno Haible via Gnulib discussion list <bug-gnulib@gnu.org> writes:

> Simon Josefsson wrote:
>> > I see. Indeed, if many developers would share their PGP key through
>> > Savannah, the GNU keyring, GitHub, GitLab, their own home page, etc., it
>> > would become harder for an attacker to introduce a spoofed one in all of
>> > these places. OTOH, since these are not regular but ad-hoc distribution
>> > patterns, it's hard to build a tool that fulfils the job of "given the
>> > name and email address of a developer, give me their PGP key and a trust
>> > estimation".
>>
>> ... The social world relies on many different minor trust
>> mechanisms, each of them fallible, that overall build up trust. I don't
>> think we can solve this technically.
>
> Maybe not "solve" technically, but at least help technically?
> Hunting down a developer's PGP key from various places is something that
> would cost me 30 minutes when done by hand. I'm willing to spend this time
> when looking for an employer with a remote-working job offer. But I would
> not spend this time on the signer of a random software package before I'm
> going to install that on my system.
>
> So, I think that an automated tool that collects the available PGP keys
> from various locations (from Savannah to the home page) would be a game
> changer, when it comes to replacing the "web of trust" that was previously
> based on keysigning parties.

Significant efforts have been made on these, see all PGP keyserver
projects out there, and some other efforts like keybase.io, but for
various reasons none managed to scale well. I think dealing with key
pollution and DoS are the biggest problems. Some interesting links:

https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f
https://debconf24.debconf.org/talks/39-protecting-openpgp-keyservers-from-certificate-flooding/

>> Yes, I think this is where technology meets the social world: trust
>> cannot be fully automated, or it becomes a central point of failure and
>> attracts abuse.
>
> I don't understand this sentence. When it comes to the tool described
> above, how would it "become a central point of failure and attract abuse"?

We used to have a working PGP keyserver network, but they were attacked
and most shut down. It seems that if some mechanism to distribute keys
in a strong way establishes itself, it attracts abuse. Designing a
proper mechanism is apparently not a simple problem, or it would have
existed.

Nowadays I think state-of-the-art key distribution and signature
verification include a blockchain element, like these projects:

https://docs.sigstore.dev/
https://www.sigsum.org/

Alas the tools for them are not that usable for most people, but I think
these two projects have some chance to move the needle and improve
things where PGP has reached its limits.

>> Unfortunately Git signatures have that
>> property: it is really messy to use PGP and X509 and SSH signatures on
>> git tags in the same project. This is a git wart: there is no reason a
>> git tag couldn't have both a PGP and S/MIME and a SSH signature on it.
>> I'm signing all of my git commits and tags with PGP, but if we would
>> enforce that, we are stuck with git's limits on this.
>
> That's not the only problem of Git commit signatures. The other, major
> problem is that it prevents commits from anonymous committers. While, in
> general, we dislike anonymity because we equate it with irresponsible
> behaviour, in some cultures anonymity is the only way of doing things
> freely, without the risk of imprisonment and torture. This is the case
> today in countries with an authoritarian government (such as Iran and
> Türkiye); but it was already the case in some places 2500 years ago [1][2].
>
> Also, remember that even Jia Tan (from xz fame) had a PGP key [3]; so,
> enforcing a PGP key does not help in the face of state-based evil actors.

Right. For xz-style attacks, I don't think we have any good technical
protection mechanisms at all beyond auditing published source code and
relating that to what your machine is executing.

/Simon

> Bruno
>
> [1] The Bible: Book Esther, chapter 2, verses 10 and 20.
> [2] The Bible: Book Jeremiah, chapter 36, verse 26.
> [3] https://www.reddit.com/r/archlinux/comments/1byfwy3/found_jia_tan_of_xz_package_backdoor_gpg_key_in/