A request for those attending key signing parties
(debian-devel thread, archived at http://www.linux-archive.org/debian-development/483525-request-those-attending-key-signing-parties.html)

Theodore Ts'o 01-31-2011 05:49 PM

A request for those attending key signing parties
 
At the most recent Linux.conf.au pgp keysigning, I noticed a number of
Debian developers present. Like me, they had new keys that they offered
up for signing, presumably so they could start replacing their 1024DSA
keys with stronger keys.

If you are signing keys where you've verified the identity of fellow
Debian developers at a key signing party, please do us all a favor and
don't just sign it with your brand-new key --- but *also* sign the DD's
key with whatever key you currently have in the Debian keyring.

Otherwise, you could end up with a situation where a whole group of DDs
have each other's keys certified, but only signed with their new keys
--- which isn't useful when they are submitting their keys to the Debian
keyring maintainer for inclusion.

What I did was I signed the keys that I verified with *both* my new key
and the key I currently have in the Debian keyring. However, to date,
although I've received key signatures from multiple people whom I know
to be Debian developers, my new key is only signed by one key which is
currently in the Debian keyring. (Thanks to Brendan O'Dea!) At the
moment my new 4096 bit RSA key is waiting until I get more signatures,
or some of the new DDs' keys that have signed my key get accepted into
the Debian keyring.

- Ted


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/E1PjyoY-0003xV-OQ@tytso-glaptop
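
Ted's situation ("my new key is only signed by one key which is currently in the debian keyring") can be checked mechanically rather than by eye. The following is an added example, not code from the post or from Debian's keyring tooling: it parses the machine-readable `gpg --list-sigs --with-colons` output for the new key and separates certifications made by keys that are in the current keyring from those made by brand-new keys that are not. The sample listing, every key ID in it and the stand-in keyring set are constructed; the field positions follow GnuPG's doc/DETAILS, and the threshold of two distinct keyring signers is an assumption.

```python
"""Count the certifications on a new key that come from keys already in a keyring.

Added example, not code from the post. Input is the machine-readable output of
    gpg --list-sigs --with-colons <new key id>
A "sig" record has these fields (GnuPG doc/DETAILS):
    sig:<validity>:<keylen>:<algo>:<signer keyid>:<created>:<expires>:::<signer uid>:<class>:
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed listing for a hypothetical new 4096-bit RSA key. None of the
# key IDs here belong to real keys.
SAMPLE_LISTING = """\
pub:-:4096:1:AAAAAAAAAAAAAAAA:1296419285::::::scSC:
uid:::::::::Example Developer <dev@example.org>:
sig:::1:AAAAAAAAAAAAAAAA:1296419285::::Example Developer <dev@example.org>:13x:
sig:::17:BBBBBBBBBBBBBBBB:1296450000::::Old Hand (DSA key, in keyring) <oldhand@example.org>:10x:
sig:::1:CCCCCCCCCCCCCCCC:1296450100::::Newcomer (new key, not in keyring) <new@example.org>:10x:
sig:::1:DDDDDDDDDDDDDDDD:1296450200::::Another DD (new key, not in keyring) <dd@example.org>:10x:
sig:::17:EEEEEEEEEEEEEEEE:1296450300::::Another DD (old key, in keyring) <dd@example.org>:10x:
sub:-:4096:1:FFFFFFFFFFFFFFFF:1296419285::::::e:
"""

# Constructed stand-in for the long key IDs currently in the Debian keyring.
SAMPLE_KEYRING = {"BBBBBBBBBBBBBBBB", "EEEEEEEEEEEEEEEE", "1234567812345678"}


@dataclass(frozen=True)
class Certification:
    signer: str     # long key ID of the certifying key
    uid: str        # signer's user ID as gpg printed it
    sig_class: str  # 10x..13x = generic/persona/casual/positive certification


def parse_certifications(listing: str, target_keyid: str) -> list[Certification]:
    """Return the third-party certifications in a listing; self-signatures are skipped."""
    target = target_keyid.upper()
    certs = []
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] != "sig" or len(fields) < 11:
            continue
        signer = fields[4].upper()
        if signer == target:
            continue  # the key's own self-signature says nothing about identity checks
        certs.append(Certification(signer, fields[9], fields[10]))
    return certs


def split_by_keyring(certs: list[Certification], keyring) -> tuple[list, list]:
    """Partition certifications into (from keyring members, from everyone else)."""
    members = {k.upper() for k in keyring}
    inside = [c for c in certs if c.signer in members]
    outside = [c for c in certs if c.signer not in members]
    return inside, outside


def keyring_signature_report(listing: str, target_keyid: str, keyring, minimum: int = 2) -> dict:
    """Summarise how the key is tied into the keyring.

    `minimum` is an assumed threshold for "enough" distinct keyring signers.
    """
    certs = parse_certifications(listing, target_keyid)
    inside, outside = split_by_keyring(certs, keyring)
    keyring_signers = sorted({c.signer for c in inside})
    return {
        "certifications": len(certs),
        "keyring_signers": keyring_signers,
        "other_signers": sorted({c.signer for c in outside}),
        "enough": len(keyring_signers) >= minimum,
    }


if __name__ == "__main__":
    r = keyring_signature_report(SAMPLE_LISTING, "AAAAAAAAAAAAAAAA", SAMPLE_KEYRING)
    print(f"keyring signers: {r['keyring_signers']}")
    print(f"signers not (yet) in the keyring: {r['other_signers']}")
    print("enough" if r["enough"] else "ask signers to also certify with their keyring key")
```

Against real data, feed it the output of `gpg --list-sigs --with-colons 0xKEYID` and the set of key IDs extracted from the Debian keyring. On the constructed sample it finds two keyring signers (B and E) and two signers (C and D) whose new keys are not in the keyring yet and therefore do not help with inclusion, which is exactly the pattern Ted is asking people to avoid.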

Stefano Zacchiroli 01-31-2011 06:06 PM

A request for those attending key signing parties
 
On Mon, Jan 31, 2011 at 01:49:26PM -0500, Theodore Ts'o wrote:
> If you are signing keys where you've verified the identity of fellow
> Debian developers at a key signing party, please do us all a favor and
> don't just sign it with your brand-new key --- but *also* sign the DD's
> key with whatever key you currently have in the Debian keyring.

As I've been recently hit by this gotcha and as a memo for others, note
that if you are using caff, the following is *not* enough to fulfill the
above requirement:

zack@usha:~$ grep keyid .caffrc
$CONFIG{'keyid'} = [ qw{D5CA9B04F2C423BC 9C31503C6D866396} ];

you also need something like:

zack@usha:~$ grep local-user .caffrc
$CONFIG{'local-user'} = [ qw{D5CA9B04F2C423BC 9C31503C6D866396} ];

... or you need to remember to pass "-u $KEYID,$OLDKEYID" to caff (yes,
I've defined the two environment variables for the transition period and
they come in pretty handy).

Cheers


PS too bad LCA's signing party was at the same time as Tridge's talk :-(

--
Stefano Zacchiroli -o- PhD in Computer Science PostDoc @ Univ. Paris 7
zack@{upsilon.cc,pps.jussieu.fr,debian.org} -<>- http://upsilon.cc/zack/
"When even the saints turn their backs on you, you still have John Fante" -- V. Capossela
"I've fans everywhere" -- C. Adams
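
The gotcha Zack describes is cheap to catch before running caff. The following is an added example, not part of caff and not from the post: a small linter that reads the list-valued settings out of a `~/.caffrc` and reports every key in `keyid` that is not also listed in `local-user`, on the understanding from the post that a key listed only in `keyid` is not signed with. It understands only the `$CONFIG{'name'} = [ qw{...} ];` form shown above, not arbitrary Perl; the three sample files and their key IDs are constructed placeholders.

```python
"""Lint a caff ~/.caffrc for keys listed in 'keyid' but missing from 'local-user'.

Added example, not part of caff. It handles only the simple form
    $CONFIG{'name'} = [ qw{KEYID KEYID ...} ];
a .caffrc is Perl and may contain constructs this does not parse.
"""
from __future__ import annotations

import re

# One list-valued setting; key IDs inside qw{} are whitespace-separated.
CONFIG_LIST = re.compile(
    r"^\s*\$CONFIG\{'(?P<name>[\w-]+)'\}\s*=\s*\[\s*qw\{(?P<items>[^}]*)\}\s*\]\s*;"
)

# Constructed .caffrc excerpts with placeholder key IDs (nobody's real keys).
CAFFRC_KEYID_ONLY = """\
$CONFIG{'owner'} = 'Example Developer';
$CONFIG{'email'} = 'dev@example.org';
# both keys are mine, but this alone does not make caff sign with both
$CONFIG{'keyid'} = [ qw{0123456789ABCDEF FEDCBA9876543210} ];
"""
CAFFRC_NEW_KEY_ONLY = """\
$CONFIG{'keyid'} = [ qw{0123456789ABCDEF FEDCBA9876543210} ];
$CONFIG{'local-user'} = [ qw{0123456789ABCDEF} ];
"""
CAFFRC_BOTH = """\
$CONFIG{'keyid'} = [ qw{0123456789ABCDEF FEDCBA9876543210} ];
$CONFIG{'local-user'} = [ qw{0123456789ABCDEF FEDCBA9876543210} ];
"""


def parse_caffrc_lists(text: str) -> dict[str, list[str]]:
    """Return {setting name: [KEYID, ...]} for every qw{} list setting found."""
    lists: dict[str, list[str]] = {}
    for line in text.splitlines():
        code = line.split("#", 1)[0]  # drop trailing Perl comments (naive: no '#' inside strings)
        m = CONFIG_LIST.match(code)
        if m:
            lists[m.group("name")] = [k.upper() for k in m.group("items").split()]
    return lists


def keys_not_used_for_signing(lists: dict[str, list[str]]) -> list[str]:
    """Keys from 'keyid' that are not in 'local-user'.

    With no 'local-user' line at all every keyid is reported: nothing in the
    file says "sign with all of these", and the post shows that is not enough.
    """
    signing = set(lists.get("local-user", []))
    return [k for k in lists.get("keyid", []) if k not in signing]


def suggested_local_user_line(lists: dict[str, list[str]]) -> str:
    """The line to add so that caff signs with every key listed in 'keyid'."""
    return "$CONFIG{'local-user'} = [ qw{" + " ".join(lists.get("keyid", [])) + "} ];"


if __name__ == "__main__":
    for label, text in [("keyid only", CAFFRC_KEYID_ONLY),
                        ("new key only", CAFFRC_NEW_KEY_ONLY),
                        ("both", CAFFRC_BOTH)]:
        lists = parse_caffrc_lists(text)
        missing = keys_not_used_for_signing(lists)
        print(f"{label}: not signing with {missing or 'nothing'}")
        if missing:
            print("  add:", suggested_local_user_line(lists))
```

For a one-off run the command-line equivalent of the suggested line is the `-u KEYID,OLDKEYID` option Zack mentions; the config line is what stops you forgetting it.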

Martin Zobel-Helas 01-31-2011 07:18 PM

A request for those attending key signing parties
 
Hi,

a more theoretical question quite related to this:

If one plans to have the key replaced in the keyring, and we have a
fellow DD in the keyring whose only trust path to other Debian
Developers goes via that key (this might become a real scenario when we
do a bigger round of key replacements) will that key replacement really
happen? Thus CCing keyring maintainers.

Cheers,
Martin
--
Martin Zobel-Helas <zobel@debian.org> | Debian System Administrator
Debian & GNU/Linux Developer | Debian Listmaster
Public key http://zobel.ftbfs.de/5d64f870.asc - KeyID: 5D64 F870
GPG Fingerprint: 5DB3 1301 375A A50F 07E7 302F 493E FB8E 5D64 F870


Archive: http://lists.debian.org/20110131201818.GK13497@ftbfs.de

Thijs Kinkhorst 02-01-2011 08:06 AM

A request for those attending key signing parties
 
On Mon, January 31, 2011 21:18, Martin Zobel-Helas wrote:
> a more theoretical question quite related to this:
>
> If one plans to have the key replaced in the keyring, and we have a
> fellow DD in the keyring who's only trust path to other Debian
> Developers goes via that key (this might become a real scenario when we
> do a bigger round of key replacements) will that key replacement really
> happen? Thus CCing keyring maintainers.

(I'm not a keyring maintainer.)

Currently connectedness has only been used to decide on entry into the
keyring. In a similar scenario, if you are signed by just one DD and that
DD retires from Debian, you are not removed from the keyring, even though
you're no longer connected to other DDs by trust paths. And that is not a
problem, because the process is used to establish identity. Your identity
has been established upon entry, and this fact is not lost when
connectedness of your key is reduced. Thus it's not essential to keep the
keys internally connected.


Cheers,
Thijs


Archive: http://lists.debian.org/906938246402b2893e33b381b2fe3747.squirrel@wm.kinkhorst.nl

Jonathan McDowell 02-01-2011 04:36 PM

A request for those attending key signing parties
 
On Mon, Jan 31, 2011 at 09:18:18PM +0100, Martin Zobel-Helas wrote:
> a more theoretical question quite related to this:
>
> If one plans to have the key replaced in the keyring, and we have a
> fellow DD in the keyring who's only trust path to other Debian
> Developers goes via that key (this might become a real scenario when we
> do a bigger round of key replacements) will that key replacement really
> happen? Thus CCing keyring maintainers.

I've had a few conversations with developers who are known to be the
single path to many DDs about holding off on their key replacements, and
been keeping an eye in general on our connectedness over time. On some
occasions we have pushed back on developers who want to replace their
keys with a minimal number of signatures when their old keys are well
integrated.

Overall the connectedness seems to have stayed about level; in January
2009 we had 89.6% of the keys in the reachable subset and 84.0% in
the strong subset. By the end of 2010 these numbers had increased to
91.1%/85.2%. Yes, some of that is because we've removed inactive keys,
but I think it's an indicator that (so far) the key replacements have
not been weakening our web of trust.

J.

--
Web site: http://www.earth.li/~noodles/
[ If I hold really still maybe all of this will just go away. ]
[ Made by HuggieTag 0.0.24 ]


Archive: http://lists.debian.org/20110201173635.GC30815@earth.li

Gunnar Wolf 02-01-2011 05:34 PM

A request for those attending key signing parties
 
Martin Zobel-Helas dijo [Mon, Jan 31, 2011 at 09:18:18PM +0100]:
> a more theoretical question quite related to this:
>
> If one plans to have the key replaced in the keyring, and we have a
> fellow DD in the keyring who's only trust path to other Debian
> Developers goes via that key (this might become a real scenario when we
> do a bigger round of key replacements) will that key replacement really
> happen? Thus CCing keyring maintainers.

<hat kind="keyring">
We have requested some people to hold their keys' transition in cases
where the older key had a vast amount of signatures and the new key
didn't. True, we do not check for every key update whether we are
creating islands, and we possibly are - And that's one of the reasons
we often encourage people to get more signatures (i.e. one signature
is too marginal, two or more are strongly encouraged). Of course, it
is not free of controversies - I am not naming specific cases on
public lists, but some people have been cut off from getting a key in
(after having lost access or trust to their previous keys) as they
were in no way connected to the keyring. And that sucks.

Still, I'd welcome additions to our suite telling us any adverse
effects (mainly, the creation of islands) done by a key replacement. I
fear it will be computationally intensive... But worth it. Of course,
assuming we will _not_ block somebody because they fell out of the WoT
(as their identity has already been checked in the past), but just
advising them to get more in contact.
</hat>

Greetings,


Archive: http://lists.debian.org/20110201183448.GF24832@gwolf.org
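
Jonathan's reachable/strong subset figures and Gunnar's wish for a tool that flags islands created by a key replacement both come down to one graph computation over the keyring's certifications. The following is an added example, not Debian's keyring-maint tooling and not from any post above: it models the keyring as a directed graph (an edge A -> B meaning A certified B), takes the strong set to be the largest strongly connected component and the reachable set to be every key the strong set can reach (assumed definitions, chosen to match the two figures quoted), and reports which keys drop out of the reachable set when one key is replaced by a new key carrying only the certifications it has collected so far. The sample keyring and its key names are constructed.

```python
"""Islands created by a key replacement in a certification graph.

Added example, not Debian's keyring tooling. The keyring is a directed graph:
edge A -> B means key A certified key B. Assumed definitions:
  strong set    = largest strongly connected component
  reachable set = every key the strong set can reach along certifications
Replacing OLD with NEW removes OLD (with every certification by or on it) and
adds NEW with only the certifications it has so far.
"""
from __future__ import annotations

from collections import defaultdict

# Constructed keyring: A, B and C certified each other; A is the only one of
# them who certified D; D and E certified each other; F certified A but was
# never certified by anyone.
SAMPLE_CERTS = [
    ("A", "B"), ("B", "A"), ("B", "C"), ("C", "B"), ("C", "A"), ("A", "C"),
    ("A", "D"),
    ("D", "E"), ("E", "D"),
    ("F", "A"),
]


def build_graph(certs):
    """Map every key to the set of keys it certified; targets get an entry too."""
    graph = defaultdict(set)
    for signer, signee in certs:
        graph[signer].add(signee)
        graph.setdefault(signee, set())
    return dict(graph)


def strongly_connected_components(graph):
    """Iterative Tarjan; returns a list of sets of keys."""
    index, low, on_stack, stack, comps, counter = {}, {}, set(), [], [], 0
    for root in graph:
        if root in index:
            continue
        index[root] = low[root] = counter
        counter += 1
        stack.append(root)
        on_stack.add(root)
        work = [(root, iter(graph[root]))]
        while work:
            node, children = work[-1]
            for child in children:
                if child not in index:
                    index[child] = low[child] = counter
                    counter += 1
                    stack.append(child)
                    on_stack.add(child)
                    work.append((child, iter(graph[child])))
                    break  # descend; this node's remaining children resume later
                if child in on_stack:
                    low[node] = min(low[node], index[child])
            else:  # every child of node has been visited
                work.pop()
                if work:
                    parent = work[-1][0]
                    low[parent] = min(low[parent], low[node])
                if low[node] == index[node]:  # node is the root of a component
                    comp = set()
                    while True:
                        k = stack.pop()
                        on_stack.discard(k)
                        comp.add(k)
                        if k == node:
                            break
                    comps.append(comp)
    return comps


def reachable_from(graph, seeds):
    seen, todo = set(seeds), list(seeds)
    while todo:
        for nxt in graph[todo.pop()]:
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return seen


def connectedness(graph):
    """(strong set, reachable set) of a non-empty graph."""
    strong = max(strongly_connected_components(graph), key=len)
    return strong, reachable_from(graph, strong)


def replace_key(graph, old, new, new_certs):
    """Graph with OLD removed and NEW added with its certifications (pairs involving NEW)."""
    certs = [(a, b) for a, targets in graph.items() if a != old for b in targets if b != old]
    g = build_graph(certs + list(new_certs))
    for k in graph:
        if k != old:
            g.setdefault(k, set())  # keep keys that lost their only certification
    g.setdefault(new, set())
    return g


def islands_created(graph, old, new, new_certs):
    """Keys reachable before the replacement that are no longer reachable after it."""
    _, before = connectedness(graph)
    _, after = connectedness(replace_key(graph, old, new, new_certs))
    return (before - after) - {old}


def summary(graph):
    strong, reach = connectedness(graph)
    n = len(graph)
    return {"keys": n, "strong_pct": round(100 * len(strong) / n, 1),
            "reachable_pct": round(100 * len(reach) / n, 1)}


if __name__ == "__main__":
    g = build_graph(SAMPLE_CERTS)
    print("before:", summary(g))
    only_b = [("B", "A2"), ("A2", "B")]
    print("A -> A2, certified only by B:", sorted(islands_created(g, "A", "A2", only_b)))
    print("A -> A2, and A2 re-certifies D:", sorted(islands_created(g, "A", "A2", only_b + [("A2", "D")])))
```

On the sample, replacing A with an A2 that only B has certified cuts D and E off from the strong set even though the strong set itself survives; having A2 re-certify D (the case Ted's request is about, signing with the key that actually carries the trust path) removes the islands. Tarjan's algorithm is linear in keys plus certifications, so the check Gunnar fears would be expensive is cheap enough to run per replacement on a keyring-sized graph.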

