Subject: Re: adding gpg to src/gnu/dist
To: None <tech-security@NetBSD.org, tech-userlevel@NetBSD.org>
From: Marc Tooley <netbsdMLpostNO@SPAM.quake.ca>
List: tech-userlevel
Date: 05/17/2004 13:09:58
On Monday 17 May 2004 11:13, Love wrote:
> Marc Tooley <netbsdMLpostNO@SPAM.quake.ca> writes:
> > Am I missing something here? Is this a political decision and I'm
> > just mistaking it for a technical one?
>
> I tried to make you (and other pgp people) answer some question I
> have about pgp.
>
> Message-ID: <amekpndyej.fsf@nutcracker.stacken.kth.se>
> Message-ID: <amvfiyje74.fsf@nutcracker.stacken.kth.se>

I missed these. Sorry.

> 1. How does you solve the problem searching from the trust anchor too
> the signer ? Basicly, why should the user be required to fetch key
> from the keyserver, and if the user needs to fetch key from the
> keyserver, how is the user going to find the keys to fetch to verify
> a signature ?

Beats me. I'm not even sure I understand your question. It's a 
transitive closure problem; however, any web of trust I rely on is 
going to be only one or (at most) two levels deep anyway. It's a 
question of triangulation and reassurance for someone like me.

> 2. How do you rewoke a certifiate, ie revoke what you do in gpg
> speak: "gpg --edit-key 0xHH\nsign\n...."

gpg --gen-revoke ? Or, if you mean a signature, p4 --edit-key blah, then 
"revsig", generate a cert and then distribute the cert. Or do you want 
it to be automated? If it requires a password to unlock your secret 
key, then automation maybe isn't such a good idea.

> 3. pgp provides identity, not what the key is supposed to do. sure,
> the sigature is supposed be just that, but pushing out policy from
> the CA with certifiates are quite useful.
>
>    "all certs with code-signing oid is approved by netbsd
>    core/foundation/developers/whatever to be signer of binary pkgs,
> you already trust netbsd ... by using our software"
>
>    The question is, how do you intent to distribute policy ?

If a security bulletin is signed by a key marked "System Distribution" 
then it clearly says, "This is signed by known key 0x12134, System 
Distribution Manager" I think users would notice.

> 4. How is certifiates time limited, "Al is releng for a year now"

GPG keys have a lifetime on them, you can expire them in X days no 
problem.

> 5. Code quality should not be used as argument when comparing gpg and
>    openssl, neither of them is pretty inside.

The implication was, earlier in the thread, that GPG has a "messier" 
user interface when I don't think that is true.

> 6. I have the code written, including code for policy, where is yours
> ? You can handwave as much as you want, but unless there is working
> code, its all handwaving, and I don't thin handwaving should stop us
> from getting signed packages.

I've already said I have no code. In fact, I very specifically stated, 
"Just my opinion. No code flows from me so of course opinion it'll 
stay, but there it is." Nice term, that..  hand waving I mean. Thanks.

> 7. If you like pgp so much, why don't you use it to sign your mails ?

Because we're having an unimportant discussion, there's no way for you 
to verify my key, you wouldn't expend the effort to verify my key 
anyway, the open-crypto plugin doesn't work on NetBSD's pkgsrc'd kmail, 
and I'm not a rabid cipherpunk?

(I'm aware that the normal GPG plugin works fine.)