Re: [Debconf-discuss] using OpenPGP notations to indicate keysigning practices [was: Re: GPG keysigning?]
On Wed, Jun 24, 2009 at 09:30:52AM +0800, Paul Wise wrote:
> Would subkeys help in this scenario? (hint hint, some good docs about real-world subkey usage are needed).

Subkeys cannot (to my knowledge) be used for certification (i.e. key signing). At least not with stock gnupg.

Kind regards,
Philipp Kern

-- 
Philipp Kern, Debian Developer, http://philkern.de
Stable Release Manager, xmpp:p...@0x539.de
Wanna-Build Admin, finger pkern/k...@db.debian.org
Re: [Debconf-discuss] using OpenPGP notations to indicate keysigning practices [was: Re: GPG keysigning?]
In article 20090624003554.gf9...@kunpuu.plessy.org you wrote:
> that would be very welcome. This whole discussion confuses me and I do not understand if Debian as a project accepts signatures that are not based on a passport or an ID card. For instance, I have used drivers licenses or social security cards as well, is that acceptable?

Debian has no way (yet) to tell them apart. In the past Debian just relied on some trust, just to make sure that a submitted key was not intercepted. Additional requirements (up to avoiding deniability) have been added later on (and I think never made official policy?). There are existing key signatures between developer keys older than any official Debian statement, so all of them would have to be redone to be fully trusted (and annotated).

Anyway, I would suggest not to get into the business of setting up a PKI hierarchy and having an RA who can guarantee government identity world wide. But if you still want to, you can find some information on ID checking and policy in the CAcert assurer handbook. CAcert is currently improving all kinds of details in this area (in order to get audited for inclusion in Mozilla truststores):

http://wiki.cacert.org/wiki/AssuranceHandbook2
http://wiki.cacert.org/wiki/AcceptableDocuments

Note that assurance for CAcert does not validate the email, since this is not always practicable in face to face meetings (and has all kinds of problems like company accounts which get revoked). The CAcert account can be linked to an email address (and currently they are not rechecked). CAcert can sign PGP keys for assured members.

Greetings
Bernd

-- 
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Re: [Debconf-discuss] using OpenPGP notations to indicate keysigning practices [was: Re: GPG keysigning?]
On Tue, Jun 23, 2009 at 08:52:20PM +0200, martin f krafft wrote:
> Additional metadata, e.g. number and expiration date would be helpful.

Actually that'd be illegal in Germany -- ID numbers of identification documents may not be stored in databases, with exactly two exceptions:

- the issuing office can map (name, address, date of birth) -> number, for inclusion in
- the list of stolen documents, kept by the police (this list has no names)

Simon
Re: [Debconf-discuss] using OpenPGP notations to indicate keysigning practices [was: Re: GPG keysigning?]
also sprach Daniel Kahn Gillmor d...@fifthhorseman.net [2009.06.23.1949 +0200]:
> -- govt-iss...@wot.debian.org might be a distinguished name identifying the apparent issuer of any validated identification, such as /C=US/ST=NY/ for a NY State (USA) driver's license and /C=US/ for an American passport. If you checked two IDs, you could include this notation twice.

Maybe this should somehow include the type of document as well? Additional metadata, e.g. number and expiration date would be helpful.

On the other hand, just some clear guidelines that participants HAVE TO abide by, would help, e.g. a commitment to a signing policy for all keys that are to appear in a Debian keyring.

I will always challenge the "government-issued ID" due to the vastly differing standards across the globe, but "travel document" is actually a term that someone uttered earlier, which raises the bar a lot higher.

Cheers,

-- 
martin f. krafft madd...@debconf.org
DebConf orga team; press officer
DebConf9: 24-30 Jul 2009, Extremadura, ES: http://debconf9.debconf.org

i believe that the moment is near when by a procedure of active paranoiac thought, it will be possible to systematise confusion and contribute to the total discrediting of the world of reality.
-- salvador dali
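The issuer notation DKG sketches above, as an added example that is not from the thread: a small Python checker that parses the "/C=US/ST=NY/" style value and collects every such notation on one certification (it may occur twice when two documents were checked). The notation name is a placeholder because the archive truncates it, and restricting the value to C and ST attributes is an assumption made here so that no document number can ride along in the certification.

```python
import re
from typing import Dict, List, Tuple

# Placeholder: the archive truncates the proposed name ("govt-iss...@wot.debian.org"),
# so this is an assumed name, not the one from the thread.
ISSUER_NOTATION = "govt-issuer-PLACEHOLDER@wot.debian.org"

# Assumption: only the attributes the proposal shows (country, state) are accepted,
# so a document number or expiry date cannot be smuggled into the notation value.
ALLOWED_RDN_TYPES = {"C", "ST"}


def parse_issuer_dn(value: str) -> Dict[str, str]:
    """Parse an issuer DN such as '/C=US/ST=NY/' into {'C': 'US', 'ST': 'NY'}.

    Raises ValueError for anything that is not a well-formed issuer DN.
    """
    if not value.startswith("/") or not value.endswith("/"):
        raise ValueError(f"issuer DN must be wrapped in slashes: {value!r}")
    parts: Dict[str, str] = {}
    for rdn in value.strip("/").split("/"):
        if rdn == "":
            raise ValueError(f"empty RDN in {value!r}")
        m = re.fullmatch(r"([A-Z]+)=([A-Za-z0-9 .'-]+)", rdn)
        if not m:
            raise ValueError(f"malformed RDN {rdn!r}")
        key, val = m.groups()
        if key not in ALLOWED_RDN_TYPES:
            raise ValueError(f"attribute {key} not allowed in issuer notation")
        if key in parts:
            raise ValueError(f"duplicate attribute {key} in {value!r}")
        parts[key] = val
    # A country is the minimum the proposal implies; require a two-letter code.
    if "C" not in parts or not re.fullmatch(r"[A-Z]{2}", parts["C"]):
        raise ValueError(f"issuer DN needs a two-letter C= component: {value!r}")
    return parts


def issuers_from_notations(notations: List[Tuple[str, str]]) -> List[Dict[str, str]]:
    """Return the parsed issuer DN of every issuer notation on a certification."""
    return [parse_issuer_dn(v) for (n, v) in notations if n == ISSUER_NOTATION]


# Constructed sample: (name, value) notation pairs as they might sit on one
# certification where the signer checked a NY driver's license and a US passport.
SAMPLE_NOTATIONS = [
    (ISSUER_NOTATION, "/C=US/ST=NY/"),
    (ISSUER_NOTATION, "/C=US/"),
    ("unrelated@example.org", "something else"),
]

if __name__ == "__main__":
    for issuer in issuers_from_notations(SAMPLE_NOTATIONS):
        print(issuer)
```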
Re: [Debconf-discuss] using OpenPGP notations to indicate keysigning practices [was: Re: GPG keysigning?]
On 06/23/2009 02:52 PM, martin f krafft wrote:
> Additional metadata, e.g. number and expiration date would be helpful.

This would certainly be useful from the smiting perspective, but might raise privacy concerns if people don't want their passport number (or whatever) bound to their OpenPGP keys, or even distributed within the debian project.

> On the other hand, just some clear guidelines that participants HAVE TO abide by, would help, e.g. a commitment to a signing policy for all keys that are to appear in a Debian keyring.

I think that misses a critical point; i want to use my OpenPGP key for a variety of purposes both in and out of debian. I consider it a baseline tool for managing my digital identity. While i'm happy to obey debian-specific guidelines for debian-specific purposes, i have no intention of obeying debian-specific guidelines for projects outside of debian, except perhaps by coincidence.

I'm *not* saying that i will sign keys blindly or anything, but there are scenarios and groups i interact with where it is meaningful and/or useful to sign a role key, a machine key, or a pseudonymous key, for example. If debian makes up some debian-specific guidelines that say "you must not sign pseudonymous keys", i cannot follow those instructions without changing my key (or having a debian-specific key unrelated to my non-debian identity, which seems to defeat the whole point of the binding).

On the other hand, if debian says "we're only going to accept certifications with certain well-defined values for the following attributes for certain purposes within the project", then i can continue to use my key, and make sure that i follow appropriate guidelines for certifications that *are* critical to debian.

> I will always challenge the "government-issued ID" due to the vastly differing standards across the globe, but "travel document" is actually a term that someone uttered earlier, which raises the bar a lot higher.

Agreed, though it would be no fun for a DD (or potential DD) who can't convince her own government to issue her a travel document. Do we want to exclude those people from debian?

--dkg
Re: [Debconf-discuss] using OpenPGP notations to indicate keysigning practices [was: Re: GPG keysigning?]
On Tue, Jun 23, 2009 at 08:52:20PM +0200, martin f krafft wrote:
> On the other hand, just some clear guidelines that participants HAVE TO abide by, would help, e.g. a commitment to a signing policy for all keys that are to appear in a Debian keyring.

Hi Martin,

that would be very welcome. This whole discussion confuses me and I do not understand if Debian as a project accepts signatures that are not based on a passport or an ID card. For instance, I have used drivers licenses or social security cards as well, is that acceptable?

Have a nice day,

-- 
Charles Plessy
Tsurumi, Kanagawa, Japan
Re: [Debconf-discuss] using OpenPGP notations to indicate keysigning practices [was: Re: GPG keysigning?]
On Wed, Jun 24, 2009 at 3:14 AM, Daniel Kahn Gillmor d...@fifthhorseman.net wrote:
> I think that misses a critical point; i want to use my OpenPGP key for a variety of purposes both in and out of debian. I consider it a baseline tool for managing my digital identity. While i'm happy to obey debian-specific guidelines for debian-specific purposes, i have no intention of obeying debian-specific guidelines for projects outside of debian, except perhaps by coincidence.
>
> I'm *not* saying that i will sign keys blindly or anything, but there are scenarios and groups i interact with where it is meaningful and/or useful to sign a role key, a machine key, or a pseudonymous key, for example. If debian makes up some debian-specific guidelines that say "you must not sign pseudonymous keys", i cannot follow those instructions without changing my key (or having a debian-specific key unrelated to my non-debian identity, which seems to defeat the whole point of the binding).

Would subkeys help in this scenario? (hint hint, some good docs about real-world subkey usage are needed).

-- 
bye,
pabs

http://wiki.debian.org/PaulWise