Subject: Re: adding gpg to src/gnu/dist
To: None <tech-security@NetBSD.org, tech-userlevel@NetBSD.org>
From: Marc Tooley <netbsdMLpostNO@SPAM.quake.ca>
List: tech-security
Date: 05/17/2004 13:09:58
On Monday 17 May 2004 11:13, Love wrote:
> Marc Tooley <netbsdMLpostNO@SPAM.quake.ca> writes:
> > Am I missing something here? Is this a political decision and I'm
> > just mistaking it for a technical one?
>
> I tried to make you (and other pgp people) answer some question I
> have about pgp.
>
> Message-ID: <amekpndyej.fsf@nutcracker.stacken.kth.se>
> Message-ID: <amvfiyje74.fsf@nutcracker.stacken.kth.se>
I missed these. Sorry.
> 1. How do you solve the problem of searching from the trust anchor to
> the signer? Basically, why should the user be required to fetch keys
> from the keyserver, and if the user needs to fetch keys from the
> keyserver, how is the user going to find the keys to fetch to verify
> a signature?
Beats me. I'm not even sure I understand your question. It's a
transitive closure problem; however, any web of trust I rely on is
going to be only one or (at most) two levels deep anyway. It's a
question of triangulation and reassurance for someone like me.
> 2. How do you revoke a certificate, i.e. revoke what you do in gpg
> speak: "gpg --edit-key 0xHH\nsign\n...."
gpg --gen-revoke ? Or, if you mean a signature, p4 --edit-key blah, then
"revsig", generate a cert and then distribute the cert. Or do you want
it to be automated? If it requires a password to unlock your secret
key, then automation maybe isn't such a good idea.
> 3. pgp provides identity, not what the key is supposed to do. Sure,
> the signature is supposed to be just that, but pushing out policy from
> the CA with certificates is quite useful.
>
> "all certs with code-signing oid is approved by netbsd
> core/foundation/developers/whatever to be signer of binary pkgs,
> you already trust netbsd ... by using our software"
>
> The question is, how do you intend to distribute policy?
If a security bulletin is signed by a key marked "System Distribution"
then it clearly says, "This is signed by known key 0x12134, System
Distribution Manager" I think users would notice.
> 4. How are certificates time limited, "Al is releng for a year now"
GPG keys have a lifetime on them, you can expire them in X days no
problem.
> 5. Code quality should not be used as argument when comparing gpg and
> openssl, neither of them is pretty inside.
The implication was, earlier in the thread, that GPG has a "messier"
user interface when I don't think that is true.
> 6. I have the code written, including code for policy, where is yours?
> You can handwave as much as you want, but unless there is working
> code, it's all handwaving, and I don't think handwaving should stop us
> from getting signed packages.
I've already said I have no code. In fact, I very specifically stated,
"Just my opinion. No code flows from me so of course opinion it'll
stay, but there it is." Nice term, that.. hand waving I mean. Thanks.
> 7. If you like pgp so much, why don't you use it to sign your mails ?
Because we're having an unimportant discussion, there's no way for you
to verify my key, you wouldn't expend the effort to verify my key
anyway, the open-crypto plugin doesn't work on NetBSD's pkgsrc'd kmail,
and I'm not a rabid cipherpunk?
(I'm aware that the normal GPG plugin works fine.)
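The "transitive closure" of question 1, together with the revocation and expiry points of questions 2 and 4, as an added illustration that is not part of the original thread: a small model of a PGP-style signature graph where a user enumerates every chain of still-valid key signatures from their own trust anchors to a signer, bounded to the one or two hops Marc says he would actually rely on. Key IDs, dates and the flat signature list are constructed sample data; the validity rules are a deliberate simplification of GPG's real trust calculation, not its algorithm.

```python
from datetime import date

# Constructed sample data: (signer, signed key, signature expiry, revoked?).
# Key IDs are placeholders and correspond to no real keys.
SIGNATURES = [
    ("ANCHOR", "RELENG_A", date(2005, 5, 17), False),
    ("RELENG_A", "DEV_B", date(2004, 12, 31), False),   # lapses at year end
    ("DEV_B", "DEV_C", date(2006, 1, 1), False),
    ("ANCHOR", "DEV_D", date(2006, 1, 1), True),        # withdrawn via revsig
    ("DEV_D", "DEV_E", date(2006, 1, 1), False),
]


def valid_edges(sigs, today):
    """Build signer -> {signed keys} using only signatures that are neither
    revoked nor expired as of `today`; everything else is ignored."""
    graph = {}
    for signer, signed, expires, revoked in sigs:
        if revoked or expires < today:
            continue
        graph.setdefault(signer, set()).add(signed)
    return graph


def trust_paths(sigs, anchors, target, today, max_depth=2):
    """Return every chain of valid signatures from a trust anchor to `target`
    with at most `max_depth` hops, so the user can see exactly what is being
    relied on. An empty result means the signature cannot be tied to an anchor."""
    graph = valid_edges(sigs, today)
    found = []

    def walk(key, path):
        if key == target:
            found.append(path)
            return
        if len(path) - 1 >= max_depth:      # hop budget exhausted
            return
        for nxt in sorted(graph.get(key, ())):
            if nxt not in path:             # never loop through a key twice
                walk(nxt, path + [nxt])

    for anchor in anchors:
        walk(anchor, [anchor])
    return found
```

Raising `max_depth` reveals how quickly a longer chain pulls in keys the user has never examined; the revoked and expired edges drop out regardless of depth.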