bug#57091: Git authentication reports subkey fingerprints

2022-08-11 Thread Maxime Devos
On 11-08-2022 18:31, Tobias Geerinckx-Rice wrote: * Expiration times and GPG-level revocation must be ignored (for time-travel, and pulling from an old Guix), similarly to why it must be ignored for when no subkeys are used * Someone used to GPG-style subkeys generates a new subkey to r

bug#57091: Git authentication reports subkey fingerprints

2022-08-11 Thread Tobias Geerinckx-Rice via Bug reports for GNU Guix
Hi Maxime, Quick reply mainly to say thanks for replying :-) On 2022-08-11 17:07, Maxime Devos wrote: On 11-08-2022 13:17, Tobias Geerinckx-Rice wrote: Apologies if I'm wildly off the mark here. But then I'd like to hear some plausible threat models. Maxime? Here's a problem with allowing

bug#57091: Git authentication reports subkey fingerprints

2022-08-11 Thread Maxime Devos
On 11-08-2022 13:17, Tobias Geerinckx-Rice wrote: Apologies if I'm wildly off the mark here. But then I'd like to hear some plausible threat models. Maxime? Here's a problem with allowing subkeys, if that's what you mean: * Expiration times and GPG-level revocation must be ignored (for

bug#57091: Git authentication reports subkey fingerprints

2022-08-11 Thread Tobias Geerinckx-Rice via Bug reports for GNU Guix
Of all the stupid typos... >Ludo', are you worried that, since we already handle revocations like GPG would ...DON'T handle, of course, by design. Kind regards, T G-R Sent on the go. Excuse or enjoy my brevity.

bug#57091: Git authentication reports subkey fingerprints

2022-08-11 Thread Tobias Geerinckx-Rice via Bug reports for GNU Guix
This is not a mere UI issue. Basic verification is currently broke^Wdifferent, too, or the latest incident wouldn't have happened. Hmm. I wonder... Ludo', are you worried that, since we already handle revocations like GPG would, the 'proper' OpenPGPmodel could somehow break? That we are in e

bug#57091: Git authentication reports subkey fingerprints

2022-08-11 Thread Ludovic Courtès
Hi, Maxime Devos skribis: > On 09-08-2022 23:07, Ludovic Courtès wrote: >> Hello, >> >> As Tobias explains at >> and >> as can be seen from ‘.guix-authorizations’, the (guix openpgp) and (guix >> git-authenticate) machinery rep

bug#57091: Git authentication reports subkey fingerprints

2022-08-09 Thread Maxime Devos
On 09-08-2022 23:07, Ludovic Courtès wrote: Hello, As Tobias explains at and as can be seen from ‘.guix-authorizations’, the (guix openpgp) and (guix git-authenticate) machinery reports the fingerprint of subkeys on signatures

bug#57091: Git authentication reports subkey fingerprints

2022-08-09 Thread Ludovic Courtès
Hello, As Tobias explains at and as can be seen from ‘.guix-authorizations’, the (guix openpgp) and (guix git-authenticate) machinery reports the fingerprint of subkeys on signatures (when subkeys are used) rather than the fingerp