| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 6 Oct 2011 01:57:24 +0200 (CEST) From: Thomas Gleixner <tglx@...utronix.de> To: Adrian Bunk <bunk@...sta.de> cc: Ted Ts'o <tytso@....edu>, "Frank Ch. Eigler" <fche@...hat.com>, Valdis.Kletnieks@...edu, "H. Peter Anvin" <hpa@...or.com>, "Rafael J. Wysocki" <rjw@...k.pl>, Linux Kernel Mailing List <linux-kernel@...r.kernel.org>, Greg KH <gregkh@...e.de> Subject: Re: kernel.org status: establishing a PGP web of trust On Wed, 5 Oct 2011, Adrian Bunk wrote: > On Wed, Oct 05, 2011 at 01:06:16PM -0400, Ted Ts'o wrote: > > On Wed, Oct 05, 2011 at 10:54:39AM +0300, Adrian Bunk wrote: > > > > > > What policy is now used at kernel.org now is exactly the question > > > I asked in [1], and where I'm still waiting for an answer from hpa. > > > > > > Other organizations like Debian have a clear and public policy on > > > what is required for the user identification part for uploading to > > > the archive [2], and I expect the same for kernel.org. > > > > Peter has already said "are you prepared to swear in court". > > Government issued ID is one way (although any US high school student > > knows how easy it is to get fake ID); personal knowledge of someone's > > speach patterns plus common history generated by years of talking to > > that person at conferences and/or concalls, is another way. > > > > When I bootstrapped Linus's key, he and I talked on the phone, and I > > knew him well enough by our conversation my recognizing his speach > > patterns that I was prepared to certify his key even though I've never > > seen his government ID. That being said, I also know and trust Jim > > Zemlin well enough to know trust that the person employed by the Linux > > Foundation had his ID and right to work checked per US employment law, > > and and that the person I talked to was the same person who is > > employed by the Linux Foundation. Realistically, I'm far more sure of > > Linus's identity than I would be of some random Debian developer who > > got his key signed after some quick impromptu verification of what > > appeared to be a governement-issued ID at some conference. :-) > > That was not what I was talking about in the email you are answering to. > > Let me paraphrase my question: > "Whose signatures do I need on my key so that it will be accepted > at kernel.org?" Your understanding of key signing seems to be that some technical measure which makes the key valid is enough to enter a web of trust. Webs of trust cannot be built nor entered by any technical means. A web of trust is built by personal relationships and the key signing is just a technical measure to express that. I really do not care about your ID card, because it's a fact that people got keys signed by showing fake IDs. > With that information I can check if one email to a few local people to > have a local keysigning is enough. Whatfor? To regain your k.org account? Can you provide a single reason why that should happen? I can't think of one. You vanished away with a big bang and now you come back out of the blue and assume that you're a trusted person just by slapping a few signs on your key? > Or if I have to bother Linus to meet me and sign my key the next > time he is here in Helsinki. And how would that change the fact that your personal trust value in this community is exactly ZERO? As your idea of trust seems to be based on an ID card you better find some other place with people who are stupid enough to believe that technical measures can replace deep personal trust. Thanks, tglx -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists