accepting public GPG keys
2008-11-09
Today I'm doing some cleanup and maintenance work, and going through some pending GStreamer account requests.
I'm not a GPG expert, and I'm sure all of you are, so help me figure this out.
If someone creates a bug report and attaches their public GPG key, why should I trust that it is correct? What should I do to verify it?
AFAICT, anyone can file a bugzilla ticket, claim to be some other person B, and ask to change GPG and SSH keys for that person B.
What am I missing?
You miss nothing.
If you need to change a key, it should be signed with the old one, or be signed by someone you trust (the same applies for a new key).
That’s the purpose of GPG keys: build a web of trust and trust someone because they’re part of your web (the farther away they are, the less you will trust them).
That’s for example why we do request applicants to become Debian Developers to have a GPG key signed by another real Debian developer. That permits checking the person’s ID at least once by someone every other Debian developer trusts.
Comment by Julien Danjou — 2008-11-09 @ 16:18
Attached the public key, or signed the report with the private key? The former is doable by anyone, the latter only by the holder of the private key.
Comment by Wouter van Heyst — 2008-11-09 @ 16:42
Indeed, you have no means to trust such a request if there’s no trust path from your key to his.
Comment by Gonzalo Bermúdez — 2008-11-09 @ 17:54
> If someone creates a bug report and attaches their public GPG key, why should I trust that it is correct ?
There is no reason.
> What should I do to verify it ?
That’s where the “Web of Trust” comes into play. The key in question might have some signatures attached to it. These signatures may come from keys you’ve signed yourself and attached a trust level to. The idea is to have a big network of those signatures, whose semantics are “I hereby confirm that the information written on the key is correct”. To create those networks, people usually go to so-called Key Signing Parties. Unfortunately, the GUADEC one was rather under-visited.
Comment by Muelli — 2008-11-09 @ 18:35
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
If the public key is attached, it means nothing. If the message itself is signed, it means it’s been written by the owner of the GPG key (like this comment).
Trusting it or not depends on who signed this GPG key. For example you’d probably trust I’m really the one my key says I am, because it’s signed by someone most of us trust ;-)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFJFyH+S3OlVpbZQYkRAkhCAJ91LSI/RGULMDx2zHJstCr3serNYwCdHwj+
SUbyE4MV4DiBzqrJU8pCyWs=
=AehD
-----END PGP SIGNATURE-----
Comment by Colin — 2008-11-09 @ 18:46
(apart from the fact that the plain text has been modified when posting ;-)
Comment by Colin — 2008-11-09 @ 18:48
Anyone can generate e-mail purporting to be just about anyone. Why should you trust it? Presumably you have some way of verifying that person X sent you an e-mail message. If they are someone you know, then you could call them and ask. You can look at the from address and see if it’s the one you are expecting. You can parse through the e-mail headers and attempt to verify where the message came from.
However if you don’t know the person, things get harder. Are they a friend of a friend? Are they a publicly recognized person, whose e-mail address is on record somewhere? (If so, how do you know if the e-mail with that from address was created by them?)
For the most part e-mail does not on its own have a usable way of checking beyond people you know reasonably well.
How much you can trust a GPG key depends strongly on how widely it is used, and how it is being used.
If everyone simply creates a GPG key, and posts it to a public key server, we are in no better a position to verify identities than the existing SMTP distribution system for e-mail. Yes, you can presume that the message was signed by a key that validates with the public key that matches the private key, but where did the private key come from? You don’t know.
Unless…
If you sign your friend’s public key when they present it to you themselves, and they do the same for you, then if you receive a public key that is signed by that friend’s private key, you can reasonably trust that your friend has met the person whose key has been signed by them. Presumably. Which is why, as Julien points out, Debian requires new developers to have a key signed by someone who is already an accepted developer.
You might think that people would think that just because it’s signed by someone else, that must mean that it’s a good key. And by now you probably know that that’s no more of an indication than that someone forwards someone else’s e-mail means that you can rely upon the e-mail I mentioned earlier. In short, it’s not.
However if you have a bunch of signatures you accept as belonging to friends, and accept that at some level they will verify their friends, then you can presume that there is some level of trust related to those keys. Most of us realize that just because you know my friend, doesn’t mean that I’m going to like you, or trust you very much. Most key managers will allow you to assign levels of trust based on how close to your own key another key is signed.
And most of them will assign a value of 0 for any key that hasn’t been signed by anyone in your key ring. Even if a thousand people have signed that key, if no one whose key happens to be in your key ring is included, it’s not trustworthy. At the same time, unless you are completely ignorant about maintaining the security of your private key, you can presume that any keys that are signed with your private key are acceptably trustworthy. Give them a 7 (or 75% perhaps, depending on how you want to measure it.) And decide how far away from your key you are willing to allow. Perhaps you will accept 2 levels out, give them a 4 and a 1, or so. If lots of your friends have signed those keys, maybe bring the trust level up a bit to a 5 or 6 for 1 level out, and 2 or 3 for the next level.
But no, I wouldn’t recommend trusting a key on a bugzilla server without working with others. That said, if you see good code from such a person, you may want to keep track of that person, and their public key. Beyond that, who knows.
Comment by rusty — 2008-11-09 @ 19:10
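The two rules the commenters describe (Julien's "a key change must be signed by the old key or by someone you trust", and rusty's "trust falls off with distance from your own key, 0 for anything unreachable") can be made concrete as a small policy check. The code below is an added example, not code from the blog post, from GStreamer's account tooling or from GnuPG itself; it works on a constructed signature graph (the key ids ME, ALICE, BOB, CAROL, DAVE, ERIN, STRANGER and MALLORY are made up), uses the 7/4/1 ladder from rusty's comment, and the "+1 per extra closer signer" marginal bonus is my own assumption for the "lots of your friends have signed" case.

```python
"""Toy web-of-trust evaluator for account key-change requests (added example)."""
from collections import deque

# Constructed sample data: signer key id -> set of key ids that signer has signed.
# STRANGER signs MALLORY, but no path leads from ME to STRANGER, so that
# signature counts for nothing in this web of trust.
SIGNATURES = {
    "ME": {"ALICE", "BOB"},
    "ALICE": {"CAROL"},
    "BOB": {"CAROL", "DAVE"},
    "CAROL": {"ERIN"},
    "STRANGER": {"MALLORY"},
}

# Trust by distance from my own key (rusty's suggestion); depth 0 is my own key.
TRUST_BY_DEPTH = {0: 10, 1: 7, 2: 4, 3: 1}


def trust_levels(own_key, signatures, ladder=TRUST_BY_DEPTH):
    """Return {key_id: trust}. Trust depends only on the shortest signature
    path from own_key; keys with no path get 0 no matter who signed them."""
    depth = {own_key: 0}
    queue = deque([own_key])
    while queue:  # breadth-first search over "signer -> signed" edges
        signer = queue.popleft()
        for signed in signatures.get(signer, ()):
            if signed not in depth:
                depth[signed] = depth[signer] + 1
                queue.append(signed)

    all_keys = set(signatures) | {k for s in signatures.values() for k in s}
    trust = {}
    for key in all_keys:
        d = depth.get(key)
        if d is None or d not in ladder:
            trust[key] = 0  # unreachable or too far out
            continue
        if d == 0:
            trust[key] = ladder[0]
            continue
        # Assumed marginal bonus: every additional signer that sits closer to me
        # than this key adds one point, capped at the previous rung of the ladder.
        closer = sum(1 for s, signed in signatures.items()
                     if key in signed and depth.get(s, d) < d)
        trust[key] = min(ladder[d] + max(closer - 1, 0), ladder[d - 1])
    return trust


def accept_key_change(account_old_key, request_signer, trust, min_trust=7):
    """Julien's rule for a request to replace an account's key.

    request_signer is the key id that signed the request, or None when the
    request merely attached a public key (which anyone can do).
    Returns (accepted, reason)."""
    if request_signer is None:
        return False, "request is unsigned: an attached public key proves nothing"
    if request_signer == account_old_key:
        return True, "signed by the account's current key"
    level = trust.get(request_signer, 0)
    if level >= min_trust:
        return True, f"vouched for by {request_signer} (trust {level})"
    return False, f"signer {request_signer} has trust {level} < {min_trust}"


if __name__ == "__main__":
    levels = trust_levels("ME", SIGNATURES)
    for key, level in sorted(levels.items(), key=lambda kv: -kv[1]):
        print(f"{key:9} trust={level}")
    for signer in ("DAVE", None, "ALICE", "CAROL", "MALLORY"):
        print(signer, accept_key_change("DAVE", signer, levels))
```

Running it shows MALLORY at trust 0 despite carrying a signature, CAROL raised from 4 to 5 because two of my direct contacts signed her, and a request to replace DAVE's key accepted only when signed by DAVE himself or by a depth-1 key such as ALICE.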
Yeah, you’re not missing anything at all. Sadly, in the real world, people think you’re some sort of amazingly horrible arse for even asking for a GPG key in the first place, let alone expecting them to not lose it every three weeks.
Comment by daniels — 2008-11-10 @ 07:44