Re: [qubes-users] Signatures on the Qubes Master Signing Key

2017-10-15 Thread Unman
On Mon, Oct 16, 2017 at 12:09:30AM +0200, 'Archimedes Cohen' via qubes-users 
wrote:
> Hi,
> 
> I was attempting to verify the Qubes iso image today, but was not
> convinced of its trustworthiness, as the master signing key (or the
> version I have obtained) does seem to be signed by surprisingly little
> people I might trust.
> 
> In [1] it says:
> "In addition, some operating systems have built-in keyrings containing
> keys capable of validating the Qubes Master Signing Key. For example,
> if you have a Debian system, then your debian-keyring may already
> contain the necessary keys."
> 
> However, in my version of the debian keyring, there seems to be only
> one key (Holger Levsen, 091AB856069AAA1C) that has signed the Qubes
> Master Signing Key. This seems to be a suspiciously small number for
> the claim above that the debian-keyring contains the "necessary keys"
> to verify the Qubes Master Signing Key.
> 
> Also, I would expect the key to be signed by people such as Joanna,
> which does not seem to be the case.
> 
> In [1] it also says:
> "The point is, of course, that people must choose who they will trust
> (e.g., Linus Torvalds, Microsoft, the Qubes Project, etc.) and assume
> that if a given file was signed by a trusted party, then it should not
> be malicious or buggy in some horrible way. But the decision of
> whether to trust any given party is beyond the scope of digital
> signatures. It’s more of a sociological and political decision."
> 
> In order to be able to trust the Qubes key, I would like to be able to
> see signatures by people I am reasonably certain exist, are publicly
> known under a certain name, and associated to certain projects, etc,
> and then find paths from my key to theirs in order to verify that the
> key is from who it claims. Unfortunately, I wasn't able to find such
> signatures for the Qubes key. I hope there is a plausible explanation
> for the lack of signatures from the debian keyring and the main Qubes
> developers, or someone points out some silly mistake I made and these
> signatures are in fact present (for now I am assuming that the sources
> I obtained the iso and the key from are compromised). I am attaching
> the list of signatures on my version of the key below [2].
> 
> Cheers
> 
> [1]: https://www.qubes-os.org/security/verifying-signatures/
> 

Hi Archimedes,

One reason why you wont find the key signed by "people like Joanna" is
that they are likely to be using split gpg.
It's one of the downsides of that implementation that one cant sign
other's keys without breaking the security model. (See
www.qubes-os.org/doc/split-gpg)

It isn't really clear to me why you have the constraint that you have in
order to trust the Qubes key. What do you think those people whose
signatures you would accept will have done that you aren't capable of
doing? I doubt that Holger has done anything more than run through the
processes in [1] above before signing the key. And those are processes
that you can do yourself - I'm tempted to say that you SHOULD do them
yourself. Using the WOT may be just part of that validation, and not a
necessary part.
If it helps you can see the key in the mailing list, and in various
youtube talks.

Cheers

unman

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20171016020152.xqps23ctqxinbzy7%40thirdeyesecurity.org.
For more options, visit https://groups.google.com/d/optout.


[qubes-users] Signatures on the Qubes Master Signing Key

2017-10-15 Thread 'Archimedes Cohen' via qubes-users
Hi,

I was attempting to verify the Qubes iso image today, but was not
convinced of its trustworthiness, as the master signing key (or the
version I have obtained) does seem to be signed by surprisingly little
people I might trust.

In [1] it says:
"In addition, some operating systems have built-in keyrings containing
keys capable of validating the Qubes Master Signing Key. For example,
if you have a Debian system, then your debian-keyring may already
contain the necessary keys."

However, in my version of the debian keyring, there seems to be only
one key (Holger Levsen, 091AB856069AAA1C) that has signed the Qubes
Master Signing Key. This seems to be a suspiciously small number for
the claim above that the debian-keyring contains the "necessary keys"
to verify the Qubes Master Signing Key.

Also, I would expect the key to be signed by people such as Joanna,
which does not seem to be the case.

In [1] it also says:
"The point is, of course, that people must choose who they will trust
(e.g., Linus Torvalds, Microsoft, the Qubes Project, etc.) and assume
that if a given file was signed by a trusted party, then it should not
be malicious or buggy in some horrible way. But the decision of
whether to trust any given party is beyond the scope of digital
signatures. It’s more of a sociological and political decision."

In order to be able to trust the Qubes key, I would like to be able to
see signatures by people I am reasonably certain exist, are publicly
known under a certain name, and associated to certain projects, etc,
and then find paths from my key to theirs in order to verify that the
key is from who it claims. Unfortunately, I wasn't able to find such
signatures for the Qubes key. I hope there is a plausible explanation
for the lack of signatures from the debian keyring and the main Qubes
developers, or someone points out some silly mistake I made and these
signatures are in fact present (for now I am assuming that the sources
I obtained the iso and the key from are compromised). I am attaching
the list of signatures on my version of the key below [2].

Cheers

[1]: https://www.qubes-os.org/security/verifying-signatures/

[2]:
gpg --keyring /usr/share/keyrings/debian-keyring.gpg --list-sigs
DDFA1A3E36879494
pub   rsa4096 2010-04-01 [SC]
  427F11FD0FAA4B080123F01CDDFA1A3E36879494
uid   [ unknown] Qubes Master Signing Key
sig 3DDFA1A3E36879494 2010-04-01  Qubes Master Signing Key
sig  BAB94304346A5D14 2015-07-23  [User ID not found]
sig  A361949B65863FB6 2015-07-23  [User ID not found]
sig  18F4E359596BF4C5 2016-06-28  [User ID not found]
sig  98BA910BDC7CD1DE 2016-01-18  [User ID not found]
sig  E59015807B481F53 2016-10-05  [User ID not found]
sig  BEF78F80C54B1179 2016-11-09  [User ID not found]
sig  A157436DC3D9C2F5 2017-06-18  [User ID not found]
sig  96E9DEEBACA1EC6D 2017-07-08  [User ID not found]
sig  16DDD8FFAAB5B575 2016-04-07  [User ID not found]
sig  EEAC756152B70E0B 2014-05-30  [User ID not found]
sig  E2AE3676843538F4 2014-06-10  [User ID not found]
sig  2067001B1B678A63 2015-12-10  [User ID not found]
sig  8930975B0BA05E1B 2016-06-14  [User ID not found]
sig  DA4230CC10B0B381 2015-03-05  [User ID not found]
sig  77CC0BFDC4D68105 2015-10-12  [User ID not found]
sig  091AB856069AAA1C 2015-12-02  Holger Levsen 
sig  F8C0B051D67CF73E 2017-01-02  [User ID not found]
sig  84E3926ACE3A08AB 2017-02-23  [User ID not found]
sig  ACA61935CAA2A7B8 2017-04-03  [User ID not found]
sig  61D724CD1937CB57 2017-06-02  [User ID not found]
sig  5B062613F489F90F 2017-06-02  [User ID not found]
sig  1F6750FD3CBDCCE0 2012-12-08  [User ID not found]
sig  1620DC5AC6A07D9C 2014-05-24  [User ID not found]
sig  4EB460F79B747005 2016-01-30  [User ID not found]
sig  31407CC0ED45A9B5 2017-01-20  [User ID not found]
sig  29B7C7E57205BD8E 2017-04-10  [User ID not found]
sig 3295C746984AF7F0C 2015-12-11  [User ID not found]
sig 32F99F921BB77E554 2015-12-11  [User ID not found]
sig 30AF62DC0C9D6F090 2015-12-11  [User ID not found]
sig 2A876A8406F3C6AC7 2017-03-25  [User ID not found]
sig  D63F267FBD457A3B 2017-06-12  [User ID not found]
sig  626FDCC7264685B9 2017-06-12  [User ID not found]
sig 34BD7C4EEE2986940 2016-01-04  [User ID not found]
sig  2F6CDC9841891922 2017-09-20  [User ID not found]
sig  153FE398821C8394 2017-01-01  [User ID not found]

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit