tech-security: Re: key trust management (Re: adding gpg to src/gnu/dist)

Subject: Re: key trust management (Re: adding gpg to src/gnu/dist)
To: NetBSD Security Technical Discussion List <tech-security@NetBSD.ORG>
From: William Allen Simpson <wsimpson@greendragon.com>
List: tech-security
Date: 05/18/2004 11:45:25

Bill Studenmund wrote:
> 
> For NetBSD releases, I don't think we want a web-of-trust. I think we want
> TNF to say, "This is our release." Or, "This is a developer." Or, "This is
> a security advisory." To paraphrase U.S. President Eisenhower, we want
> "The Buck" to stop with TNF. That's a hierarchical trust model, and I
> think it's exactly what we want for what we're talking about doing.
> 
U.S. President Truman, actually.

I agree that "the buck stops" at TNF.  I disagree that TNF gains that 
trust by being at the top of a tree, without externalities certifying 
that the TNF authority matches some certificate or another. 

The way that X.509 certifies the certificate is the certificate shows 
up in a commercial release of something, and you imply trust in the 
commercial entity.  That's counter-intuitive, especially for this 
application where it's the release itself that is being certified.

Therefore, I don't think that you can have anything other than web of 
trust!  Somebody outside somewhere has to certify the TNF certificate! 
Preferably many somebodies. 

>...
> Also, on a somewhat related but different issue, I think an X.509 v3 based
> certificate system is probably the best way to go as we can add extensions
> to the cert which we in turn can use to encode policy.
> 
This of course is a whole 'nother can of worms.  Is "policy" encoding 
meaningful?  Is machine interpretation of encoded policy meaningful?

Really, all policy interpretation has to be mediated by a human.  It 
could be that each human personally examines and specifies and tests 
the mechanical interpretive code, but that's a bit much to be asking 
for this case (that is, distributing the code). 

That's why web-of-trust is more useful for this application.  The 
identity (and policy) is encoded in a human readable form (for example, 
"NetBSD release 2.0"), and a group of 16 humans of which I can verify 
at least 2 has signed that identity, saying it really is what it says. 

What humans can read is the only thing that matters here.  The policy 
would be that the certificate would only be used for releases, and no 
other policy matters.  
-- 
William Allen Simpson
    Key fingerprint =  17 40 5E 67 15 6F 31 26  DD 0D B9 9B 6A 15 2C 32