From: H. Peter Anvin < hpa < at> zytor.com>
Subject: kernel.org status: establishing a PGP web of trust
Newsgroups: gmane.linux.kernel
Date: 2011-09-30 23:50:37 GMT (1 week, 4 days, 4 hours and 47 minutes ago)

Hi all,

Since the kernel.org status announcement last week a number of you
have contacted me about re-establishing credentials.  In order to
establish a proper PGP web of trust we need keys that are cross-signed
by other developers.  As such, we ask that you follow the following
steps:

1. Make sure your systems are uncompromised.  We will address specific
   recommended steps for that in a separate email.

2. Create a new PGP/GPG key, and also generate a key revocation
   certificate (but don't import it anywhere -- save it for the
   future) for your new key.  In the near future we are considering
   setting up an escrow service for key revocation certificates.

   I recommend using a 4096-bit RSA key.  Given how fast computers are
   these days, there is no reason to use a shorter key.  DSA keys
   should be considered obsolete; substantial weaknesses have been
   found in DSA.

   $ gpg --gen-key
   $ gpg -u < key ID> -o < key ID>.revoke --gen-revoke

3. If you are reasonably certain that your old key has never been
   jeopardized, sign the new key with the old key.

   $ gpg -u < your old key ID> --sign-key < your new key ID>

   If you are *not* sure about your old keys, please revoke them if
   you haven't already done so (create a revocation certificate and
   import it into your keyring, then push the key to the key servers.)

   $ gpg -u < your old key ID> -o < your old key ID>.revoke --gen-revoke
   $ gpg --import < your old key ID>.revoke
   $ gpg --keyserver pgp.mit.edu --send-key < your old key ID>

4. Upload the signed keys to the keyserver system (I usually use
   pgp.mit.edu, but most of the keyservers sync with each other with
   roughly a 24-hour delay.)  By publishing the keys we make them
   available not only to kernel.org but for other uses, like signing
   email, and you can verify yourself by looking at http://pgp.mit.edu/
   if there is someone out there who has published a key with your name
   on it.  Furthermore, it allows us to tap other webs of trust already
   established.

   $ gpg --keyserver pgp.mit.edu --send-key < your key ID>

5. Get as many other kernel developers that you have physical access to
   to sign your key after verifying the fingerprint.  Verifying keys
   over the phone is OK if and only if you know them *extremely* well;
   think "would I be willing to testify in court that the person I
   talked to was X"?

   If you work in an office with multiple other Linux developers, it
   would be a very good thing to organize a local key signing.  We will
   do a key signing at Kernel Summit for the core kernel developers.

   A web site with recommendations for running a key signing:

http://www.cryptnet.net/fdp/crypto/keysigning_party/en/keysigning_party.html

   $ gpg --fingerprint < key ID>
   $ gpg --keyserver pgp.mit.edu --recv-key < their key ID>
   $ gpg -u < your key ID> --sign-key < their key ID>
   $ gpg --keyserver pgp.mit.edu --send-key < their key ID>
   $ gpg --keyserver pgp.mit.edu --recv-key < your key ID>

6. Please send me the key identifier and fingerprint to
   < keys < at> zytor.com>.  This is a temporary address until the kernel.org
   MX is ready to put back online; eventually we will probably have a
   web form interface for this.

	-hpa

From: Greg KH < greg < at> kroah.com>
Subject: Re: kernel.org status: establishing a PGP web of trust
Newsgroups: gmane.linux.kernel
Date: 2011-10-01 14:05:19 GMT (1 week, 3 days, 14 hours and 42 minutes ago)

On Fri, Sep 30, 2011 at 04:50:37PM -0700, H. Peter Anvin wrote:
> 2. Create a new PGP/GPG key, and also generate a key revocation
>    certificate (but don't import it anywhere -- save it for the
>    future) for your new key.  In the near future we are considering
>    setting up an escrow service for key revocation certificates.
> 
>    I recommend using a 4096-bit RSA key.  Given how fast computers are
>    these days, there is no reason to use a shorter key.  DSA keys
>    should be considered obsolete; substantial weaknesses have been
>    found in DSA.
> 
>    $ gpg --gen-key
>    $ gpg -u < key ID> -o < key ID>.revoke --gen-revoke

I would recommend a physical access device for your new gpg key that you
create.  I've heard good things about this USB device:
	http://www.crypto-stick.org/
and am trying to have a bunch of them at the Kernel Summit this year to
hand out to people if they want one.

There are also lots of other smart-card form-factor devices that can be
used to store GPG keys.  Some places to purchase these can be found at
links from the above site.

thanks,

greg k-h

From: Rafael J. Wysocki < rjw < at> sisk.pl>
Subject: Re: kernel.org status: establishing a PGP web of trust
Newsgroups: gmane.linux.kernel
Date: 2011-10-01 21:33:55 GMT (1 week, 3 days, 7 hours and 17 minutes ago)

Hi,

On Saturday, October 01, 2011, H. Peter Anvin wrote:
> Hi all,
> 
> Since the kernel.org status announcement last week a number of you
> have contacted me about re-establishing credentials.  In order to
> establish a proper PGP web of trust we need keys that are cross-signed
> by other developers.  As such, we ask that you follow the following
> steps:
> 
> 1. Make sure your systems are uncompromised.  We will address specific
>    recommended steps for that in a separate email.
> 
> 2. Create a new PGP/GPG key, and also generate a key revocation
>    certificate (but don't import it anywhere -- save it for the
>    future) for your new key.  In the near future we are considering
>    setting up an escrow service for key revocation certificates.
> 
>    I recommend using a 4096-bit RSA key.  Given how fast computers are
>    these days, there is no reason to use a shorter key.  DSA keys
>    should be considered obsolete; substantial weaknesses have been
>    found in DSA.
> 
>    $ gpg --gen-key
>    $ gpg -u < key ID> -o < key ID>.revoke --gen-revoke

OK, how long should the new key be valid?

Rafael

From: H. Peter Anvin < hpa < at> zytor.com>
Subject: Re: kernel.org status: establishing a PGP web of trust
Newsgroups: gmane.linux.kernel
Date: 2011-10-01 22:27:02 GMT (1 week, 3 days, 6 hours and 24 minutes ago)

On 10/01/2011 02:33 PM, Rafael J. Wysocki wrote:
> 
> OK, how long should the new key be valid?
> 

That is a good question.  At the very least you want it to be valid for
long enough that you will be able to get enough signatures on a new key
*before* your old key expires.  As such I would recommend 3-5 years
depending on how much you trust yourself to keep the key secure.

Some people have decided to opt for an unlimited key, but that
*requires* that you have a way to revoke the old key, which is why we
are considering a key revocation escrow service.

	-hpa

From: Randy Dunlap < rdunlap < at> xenotime.net>
Subject: Re: kernel.org status: establishing a PGP web of trust
Newsgroups: gmane.linux.kernel
Date: 2011-10-01 22:36:58 GMT (1 week, 3 days, 6 hours and 13 minutes ago)

On 10/01/11 15:27, H. Peter Anvin wrote:
> On 10/01/2011 02:33 PM, Rafael J. Wysocki wrote:
>>
>> OK, how long should the new key be valid?
>>
> 
> That is a good question.  At the very least you want it to be valid for
> long enough that you will be able to get enough signatures on a new key
> *before* your old key expires.  As such I would recommend 3-5 years
> depending on how much you trust yourself to keep the key secure.
> 
> Some people have decided to opt for an unlimited key, but that
> *requires* that you have a way to revoke the old key, which is why we
> are considering a key revocation escrow service.

Who needs these privacy keys?  Is it just (git) users of kernel.org?

so people who send patches via email do not need to do this process?
or are we headed into sign-all-patches territory soonish?

-- 
~Randy
*** Remember to use Documentation/SubmitChecklist when testing your code ***

From: Ted Ts'o < tytso < at> mit.edu>
Subject: Re: kernel.org status: establishing a PGP web of trust
Newsgroups: gmane.linux.kernel
Date: 2011-10-01 22:52:08 GMT (1 week, 3 days, 5 hours and 57 minutes ago)

On Sat, Oct 01, 2011 at 03:36:58PM -0700, Randy Dunlap wrote:
> 
> Who needs these privacy keys?  Is it just (git) users of kernel.org?
> 
> so people who send patches via email do not need to do this process?
> or are we headed into sign-all-patches territory soonish?

There is going to be discussion about security procedures at the
kernel summit; to date we've been focused on the short-term
requirements to get git.kernel.org back up so that the next merge
window can open up, hopefully without getting instantly compromised
again.  That's going to require the help of everyone that we trust,
especially from folks who are maintaining git repositories.

I personally don't think we're headed into sign-all-patches, since
patches still need to be reviewed, and at some level, as long as the
patch is reviewed to be Good Stuff, that's actually the most important
thing.

That being said, if you have a GPG key, and you can participate in a
key signing exercise so that you are part of the web of trust, that
also means that you have a much better ability to trust that git trees
that you pull down to your system that have signed tags are in fact
legitimate (at least up to a signed tag).

So there are good reasons why developers who primarily participate by
e-mailing patches might want to start using GPG.

						- Ted

From: Rafael J. Wysocki < rjw < at> sisk.pl>
Subject: Re: kernel.org status: establishing a PGP web of trust
Newsgroups: gmane.linux.kernel
Date: 2011-10-02 01:04:28 GMT (1 week, 3 days, 4 hours and 4 minutes ago)

On Sunday, October 02, 2011, H. Peter Anvin wrote:
> On 10/01/2011 02:33 PM, Rafael J. Wysocki wrote:
> > 
> > OK, how long should the new key be valid?
> > 
> 
> That is a good question.  At the very least you want it to be valid for
> long enough that you will be able to get enough signatures on a new key
> *before* your old key expires.  As such I would recommend 3-5 years
> depending on how much you trust yourself to keep the key secure.

OK, I'm taking this as "5 years is fine by us".

And the recommended procedure for rotating keys seems to be (1) generate
a new key and (2) make as many people as you can sign it before the old
one expires, right?

> Some people have decided to opt for an unlimited key, but that
> *requires* that you have a way to revoke the old key, which is why we
> are considering a key revocation escrow service.

That service will be necessary anyway in case some keys are lost or
compromised.

I wonder what the procedure of restoring kernel.org access in case one
has lost keys is supposed to be?

Rafael

From: H. Peter Anvin < hpa < at> zytor.com>
Subject: Re: kernel.org status: establishing a PGP web of trust
Newsgroups: gmane.linux.kernel
Date: 2011-10-02 01:04:05 GMT (1 week, 3 days, 4 hours and 4 minutes ago)

On 10/01/2011 06:04 PM, Rafael J. Wysocki wrote:
> 
> OK, I'm taking this as "5 years is fine by us".
> 
> And the recommended procedure for rotating keys seems to be (1) generate
> a new key and (2) make as many people as you can sign it before the old
> one expires, right?
> 

(3) revoke the old key with a status code of "no longer in use", or just
let it expire.

>> Some people have decided to opt for an unlimited key, but that
>> *requires* that you have a way to revoke the old key, which is why we
>> are considering a key revocation escrow service.
> 
> That service will be necessary anyway in case some keys are lost or
> compromised.
> 
> I wonder what the procedure of restoring kernel.org access in case one
> has lost keys is supposed to be?

Get a new key and get it re-signed.  We can work out specific details at KS.

	-hpa

From: Rafael J. Wysocki < rjw < at> sisk.pl>
Subject: Re: kernel.org status: establishing a PGP web of trust
Newsgroups: gmane.linux.kernel
Date: 2011-10-02 11:54:57 GMT (1 week, 2 days, 17 hours and 12 minutes ago)

On Sunday, October 02, 2011, H. Peter Anvin wrote:
> On 10/01/2011 06:04 PM, Rafael J. Wysocki wrote:
> > 
> > OK, I'm taking this as "5 years is fine by us".
> > 
> > And the recommended procedure for rotating keys seems to be (1) generate
> > a new key and (2) make as many people as you can sign it before the old
> > one expires, right?
> > 
> 
> (3) revoke the old key with a status code of "no longer in use", or just
> let it expire.
> 
> >> Some people have decided to opt for an unlimited key, but that
> >> *requires* that you have a way to revoke the old key, which is why we
> >> are considering a key revocation escrow service.
> > 
> > That service will be necessary anyway in case some keys are lost or
> > compromised.
> > 
> > I wonder what the procedure of restoring kernel.org access in case one
> > has lost keys is supposed to be?
> 
> Get a new key and get it re-signed.

Hmm.  That doesn't seem very practical if someone doesn't live close
to any other core kernel developers.

What number of signatures on the key will be regarded as sufficient?

> We can work out specific details at KS.

Well, the KS is going to be busy time this year I suppose.

What about people who haven't been invited to the KS?

Rafael

From: H. Peter Anvin < hpa < at> zytor.com>
Subject: Re: kernel.org status: establishing a PGP web of trust
Newsgroups: gmane.linux.kernel
Date: 2011-10-02 17:53:59 GMT (1 week, 2 days, 11 hours and 12 minutes ago)

On 10/02/2011 04:54 AM, Rafael J. Wysocki wrote:
> On Sunday, October 02, 2011, H. Peter Anvin wrote:
> 
> Hmm.  That doesn't seem very practical if someone doesn't live close
> to any other core kernel developers.
> 

You probably know enough people (including myself) that would be willing
to sign your key over the phone.  That's part of giving yourself
sufficient time.

> What number of signatures on the key will be regarded as sufficient?
> 
>> We can work out specific details at KS.
> 
> Well, the KS is going to be busy time this year I suppose.
> What about people who haven't been invited to the KS?

Well, KS is still a place where we can discuss these kinds of policies;
we can't be a perfect democracy and in fact have never even attempted to.

	-hpa

-- 
H. Peter Anvin, Intel Open Source Technology Center
I work for Intel.  I don't speak on their behalf.

From: Randy Dunlap < rdunlap < at> xenotime.net>
Subject: Re: kernel.org status: establishing a PGP web of trust
Newsgroups: gmane.linux.kernel
Date: 2011-10-02 18:36:05 GMT (1 week, 2 days, 10 hours and 51 minutes ago)

On 10/02/11 04:54, Rafael J. Wysocki wrote:
> On Sunday, October 02, 2011, H. Peter Anvin wrote:
>> On 10/01/2011 06:04 PM, Rafael J. Wysocki wrote:
>>>
>>> OK, I'm taking this as "5 years is fine by us". 
>>>
>>> And the recommended procedure for rotating keys seems to be (1) generate
>>> a new key and (2) make as many people as you can sign it before the old
>>> one expires, right?
>>>
>>
>> (3) revoke the old key with a status code of "no longer in use", or just
>> let it expire.
>>
>>>> Some people have decided to opt for an unlimited key, but that
>>>> *requires* that you have a way to revoke the old key, which is why we
>>>> are considering a key revocation escrow service.
>>>
>>> That service will be necessary anyway in case some keys are lost or
>>> compromised.
>>>
>>> I wonder what the procedure of restoring kernel.org access in case one
>>> has lost keys is supposed to be?
>>
>> Get a new key and get it re-signed.
> 
> Hmm.  That doesn't seem very practical if someone doesn't live close
> to any other core kernel developers.
> 
> What number of signatures on the key will be regarded as sufficient?
> 
>> We can work out specific details at KS.
> 
> Well, the KS is going to be busy time this year I suppose. 
> 
> What about people who haven't been invited to the KS?

They (we) should start building a web of trust with local key signings.
I'm already working on that in Portland, Oregon.

-- 
~Randy
*** Remember to use Documentation/SubmitChecklist when testing your code ***

From: Guenter Roeck < guenter.roeck < at> ericsson.com>
Subject: Re: kernel.org status: establishing a PGP web of trust
Newsgroups: gmane.linux.kernel
Date: 2011-10-02 22:54:34 GMT (1 week, 2 days, 6 hours and 32 minutes ago)

On Sun, Oct 02, 2011 at 02:36:05PM -0400, Randy Dunlap wrote:
> On 10/02/11 04:54, Rafael J. Wysocki wrote:
> > On Sunday, October 02, 2011, H. Peter Anvin wrote:
> >> On 10/01/2011 06:04 PM, Rafael J. Wysocki wrote:
> >>>
> >>> OK, I'm taking this as "5 years is fine by us".
> >>>
> >>> And the recommended procedure for rotating keys seems to be (1) generate
> >>> a new key and (2) make as many people as you can sign it before the old
> >>> one expires, right?
> >>>
> >>
> >> (3) revoke the old key with a status code of "no longer in use", or just
> >> let it expire.
> >>
> >>>> Some people have decided to opt for an unlimited key, but that
> >>>> *requires* that you have a way to revoke the old key, which is why we
> >>>> are considering a key revocation escrow service.
> >>>
> >>> That service will be necessary anyway in case some keys are lost or
> >>> compromised.
> >>>
> >>> I wonder what the procedure of restoring kernel.org access in case one
> >>> has lost keys is supposed to be?
> >>
> >> Get a new key and get it re-signed.
> > 
> > Hmm.  That doesn't seem very practical if someone doesn't live close
> > to any other core kernel developers.
> > 
> > What number of signatures on the key will be regarded as sufficient?
> > 
> >> We can work out specific details at KS.
> > 
> > Well, the KS is going to be busy time this year I suppose.
> > 
> > What about people who haven't been invited to the KS?
> 
> They (we) should start building a web of trust with local key signings.
> I'm already working on that in Portland, Oregon.
> 
Anyone in Silicon Valley looking for key signings, please get in touch.

Thanks,
Guenter

From: H. Peter Anvin < hpa < at> zytor.com>
Subject: Re: kernel.org status: establishing a PGP web of trust
Newsgroups: gmane.linux.kernel
Date: 2011-10-02 22:58:14 GMT (1 week, 2 days, 6 hours and 28 minutes ago)

On 10/02/2011 03:54 PM, Guenter Roeck wrote:
>>
> Anyone in Silicon Valley looking for key signings, please get in touch.
> 

I would be happy to be there, and I know Olof Johansson has been talking
about one.

	-hpa

From: Olof Johansson < olof < at> lixom.net>
Subject: Re: kernel.org status: establishing a PGP web of trust
Newsgroups: gmane.linux.kernel
Date: 2011-10-02 23:23:40 GMT (1 week, 2 days, 6 hours and 2 minutes ago)

On Sun, Oct 2, 2011 at 3:58 PM, H. Peter Anvin < hpa < at> zytor.com> wrote:
> On 10/02/2011 03:54 PM, Guenter Roeck wrote:
>>>
>> Anyone in Silicon Valley looking for key signings, please get in touch.
>>
>
> I would be happy to be there, and I know Olof Johansson has been talking
> about one.

Yeah, I don't think there's enough interest(?) to justify a full-blown
key signing party, but meeting up at a coffee shop or something sounds
like a good idea.

-Olof

From: H. Peter Anvin < hpa < at> zytor.com>
Subject: Re: kernel.org status: establishing a PGP web of trust
Newsgroups: gmane.linux.kernel
Date: 2011-10-02 23:27:26 GMT (1 week, 2 days, 5 hours and 58 minutes ago)

On 10/02/2011 04:23 PM, Olof Johansson wrote:
> On Sun, Oct 2, 2011 at 3:58 PM, H. Peter Anvin < hpa < at> zytor.com> wrote:
>> On 10/02/2011 03:54 PM, Guenter Roeck wrote:
>>>>
>>> Anyone in Silicon Valley looking for key signings, please get in touch.
>>>
>>
>> I would be happy to be there, and I know Olof Johansson has been talking
>> about one.
> 
> 
> Yeah, I don't think there's enough interest(?) to justify a full-blown
> key signing party, but meeting up at a coffee shop or something sounds
> like a good idea.
> 

FWIW, Tuesday evening works really well for me.

	-hpa

From: Jeremy Fitzhardinge < jeremy < at> goop.org>
Subject: Re: kernel.org status: establishing a PGP web of trust
Newsgroups: gmane.linux.kernel
Date: 2011-10-03 00:44:49 GMT (1 week, 2 days, 4 hours and 39 minutes ago)

On 10/02/2011 04:27 PM, H. Peter Anvin wrote:
> On 10/02/2011 04:23 PM, Olof Johansson wrote:
>> On Sun, Oct 2, 2011 at 3:58 PM, H. Peter Anvin < hpa < at> zytor.com> wrote:
>>> On 10/02/2011 03:54 PM, Guenter Roeck wrote:
>>>> Anyone in Silicon Valley looking for key signings, please get in touch.
>>>>
>>> I would be happy to be there, and I know Olof Johansson has been talking
>>> about one.
>>
>> Yeah, I don't think there's enough interest(?) to justify a full-blown
>> key signing party, but meeting up at a coffee shop or something sounds
>> like a good idea.
>>
> FWIW, Tuesday evening works really well for me.

How many people are in San Francisco?  I'm happy to head down to
Mountain View or somewhere similar to meet up some mid-afternoon though.

    J

From: Ted Ts'o < tytso < at> mit.edu>
Subject: Re: kernel.org status: establishing a PGP web of trust
Newsgroups: gmane.linux.kernel
Date: 2011-10-03 01:09:18 GMT (1 week, 2 days, 4 hours and 14 minutes ago)

On Sun, Oct 02, 2011 at 05:44:49PM -0700, Jeremy Fitzhardinge wrote:
> > FWIW, Tuesday evening works really well for me.
> 
> How many people are in San Francisco?  I'm happy to head down to
> Mountain View or somewhere similar to meet up some mid-afternoon though.

I could meet people Monday afternoon or evening in Mountain View;
contact me privately if you're interested.  Tuesday evening doesn't
work for me since I'm flying up to Portland for a LF board meeting on
Wednesday.

Both Peter and I have signed the new GPG key that Linus has created;
I can also verify folks for CACert.

						- Ted

From: H. Peter Anvin < hpa < at> zytor.com>
Subject: Re: kernel.org status: establishing a PGP web of trust
Newsgroups: gmane.linux.kernel
Date: 2011-10-03 01:22:07 GMT (1 week, 2 days, 16 hours and 32 minutes ago)

On 10/02/2011 06:09 PM, Ted Ts'o wrote:
> On Sun, Oct 02, 2011 at 05:44:49PM -0700, Jeremy Fitzhardinge wrote:
>>> FWIW, Tuesday evening works really well for me.
>>
>> How many people are in San Francisco?  I'm happy to head down to
>> Mountain View or somewhere similar to meet up some mid-afternoon though.
> 
> I could meet people Monday afternoon or evening in Mountain View;
> contact me privately if you're interested.  Tuesday evening doesn't
> work for me since I'm flying up to Portland for a LF board meeting on
> Wednesday.
> 
> Both Peter and I have signed the new GPG key that Linus has created;
> I can also verify folks for CACert.
> 

Junio and a few others have tried to get a keysigning together for the
Google MTV people ... if we could do that on Monday that would be a
really good thing.

	-hpa

From: Andrew Morton < akpm00 < at> gmail.com>
Subject: Re: kernel.org status: establishing a PGP web of trust
Newsgroups: gmane.linux.kernel
Date: 2011-10-03 01:42:34 GMT (1 week, 2 days, 16 hours and 11 minutes ago)

On Sun, 02 Oct 2011 18:22:07 -0700 "H. Peter Anvin" < hpa < at> zytor.com> wrote:

> On 10/02/2011 06:09 PM, Ted Ts'o wrote:
> > On Sun, Oct 02, 2011 at 05:44:49PM -0700, Jeremy Fitzhardinge wrote:
> >>> FWIW, Tuesday evening works really well for me.
> >>
> >> How many people are in San Francisco?  I'm happy to head down to
> >> Mountain View or somewhere similar to meet up some mid-afternoon though.
> > 
> > I could meet people Monday afternoon or evening in Mountain View;
> > contact me privately if you're interested.  Tuesday evening doesn't
> > work for me since I'm flying up to Portland for a LF board meeting on
> > Wednesday.
> > 
> > Both Peter and I have signed the new GPG key that Linus has created;
> > I can also verify folks for CACert.
> > 
> 
> Junio and a few others have tried to get a keysigning together for the
> Google MTV people ... if we could do that on Monday that would be a
> really good thing.

That works for me.  Please let us know precisely what preparatory
things need to be done?

From: H. Peter Anvin < hpa < at> zytor.com>
Subject: Re: kernel.org status: establishing a PGP web of trust
Newsgroups: gmane.linux.kernel
Date: 2011-10-03 01:43:12 GMT (1 week, 2 days, 16 hours and 9 minutes ago)

On 10/02/2011 06:42 PM, Andrew Morton wrote:
>>
>> Junio and a few others have tried to get a keysigning together for the
>> Google MTV people ... if we could do that on Monday that would be a
>> really good thing.
> 
> That works for me.  Please let us know precisely what preparatory
> things need to be done?

1. Find a place to meet.  If available, maybe we could get a conference
room at Google for the actual meet-up (might be a bit more practical
than meeting in a cafe with laptops and all.)

2. Collect people's key IDs and download them from the keyserver.

3. Print out enough copies of the fingerprints on paper.

	-hpa

From: Geoff Levand < geoff < at> infradead.org>
Subject: Re: kernel.org status: establishing a PGP web of trust
Newsgroups: gmane.linux.kernel
Date: 2011-10-03 03:15:01 GMT (1 week, 2 days, 14 hours and 37 minutes ago)

On 10/02/2011 06:43 PM, H. Peter Anvin wrote:
> On 10/02/2011 06:42 PM, Andrew Morton wrote:
>>>
>>> Junio and a few others have tried to get a keysigning together for the
>>> Google MTV people ... if we could do that on Monday that would be a
>>> really good thing.
>> 
>> That works for me.  Please let us know precisely what preparatory
>> things need to be done?
> 
> 1. Find a place to meet.  If available, maybe we could get a conference
> room at Google for the actual meet-up (might be a bit more practical
> than meeting in a cafe with laptops and all.)

So would this be just for Google people, or can the general public come?

-Geoff

From: Ted Ts'o < tytso < at> mit.edu>
Subject: Re: kernel.org status: establishing a PGP web of trust
Newsgroups: gmane.linux.kernel
Date: 2011-10-03 03:29:34 GMT (1 week, 2 days, 14 hours and 21 minutes ago)

On Sun, Oct 02, 2011 at 08:15:01PM -0700, Geoff Levand wrote:
> > 1. Find a place to meet.  If available, maybe we could get a conference
> > room at Google for the actual meet-up (might be a bit more practical
> > than meeting in a cafe with laptops and all.)
> 
> So would this be just for Google people, or can the general public come?

The one which I'm setting up for tomorrow (Monday) at 2pm can be for
non-Google who are local to Mountain View as well.  I'd ask you to
show up 5 minutes early so I can meet you at the lobby and sign you
in.

	      	       	    	       - Ted

From: Dmitry Torokhov < dmitry.torokhov < at> gmail.com>
Subject: Re: kernel.org status: establishing a PGP web of trust
Newsgroups: gmane.linux.kernel
Date: 2011-10-03 03:38:27 GMT (1 week, 2 days, 14 hours and 12 minutes ago)

On Sunday, October 02, 2011 08:29:34 PM Ted Ts'o wrote:
> On Sun, Oct 02, 2011 at 08:15:01PM -0700, Geoff Levand wrote:
> > > 1. Find a place to meet.  If available, maybe we could get a
> > > conference room at Google for the actual meet-up (might be a bit
> > > more practical than meeting in a cafe with laptops and all.)
> > 
> > So would this be just for Google people, or can the general public
> > come?
> 
> The one which I'm setting up for tomorrow (Monday) at 2pm can be for
> non-Google who are local to Mountain View as well.  I'd ask you to
> show up 5 minutes early so I can meet you at the lobby and sign you
> in.

What building is this? I'd like to stop by as well...

-- 
Dmitry

From: Ted Ts'o < tytso < at> mit.edu>
Subject: Re: kernel.org status: establishing a PGP web of trust
Newsgroups: gmane.linux.kernel
Date: 2011-10-03 03:54:55 GMT (1 week, 2 days, 13 hours and 54 minutes ago)

On Sun, Oct 02, 2011 at 08:38:27PM -0700, Dmitry Torokhov wrote:
> On Sunday, October 02, 2011 08:29:34 PM Ted Ts'o wrote:
> > On Sun, Oct 02, 2011 at 08:15:01PM -0700, Geoff Levand wrote:
> > > > 1. Find a place to meet.  If available, maybe we could get a
> > > > conference room at Google for the actual meet-up (might be a bit
> > > > more practical than meeting in a cafe with laptops and all.)
> > > 
> > > So would this be just for Google people, or can the general public
> > > come?
> > 
> > The one which I'm setting up for tomorrow (Monday) at 2pm can be for
> > non-Google who are local to Mountain View as well.  I'd ask you to
> > show up 5 minutes early so I can meet you at the lobby and sign you
> > in.
> 
> What building is this? I'd like to stop by as well...

I'll send out directions to the building on the Mountain View campus
when people send me their key id's, so I can have some idea how many
people will be showing up.

					- Ted

From: Andrew Morton < akpm00 < at> gmail.com>
Subject: Re: kernel.org status: establishing a PGP web of trust
Newsgroups: gmane.linux.kernel
Date: 2011-10-03 04:02:15 GMT (1 week, 2 days, 13 hours and 45 minutes ago)

On Sun, 2 Oct 2011 23:54:55 -0400 "Ted Ts'o" < tytso < at> mit.edu> wrote:

> On Sun, Oct 02, 2011 at 08:38:27PM -0700, Dmitry Torokhov wrote:
> > On Sunday, October 02, 2011 08:29:34 PM Ted Ts'o wrote:
> > > On Sun, Oct 02, 2011 at 08:15:01PM -0700, Geoff Levand wrote:
> > > > > 1. Find a place to meet.  If available, maybe we could get a
> > > > > conference room at Google for the actual meet-up (might be a bit
> > > > > more practical than meeting in a cafe with laptops and all.)
> > > > 
> > > > So would this be just for Google people, or can the general public
> > > > come?
> > > 
> > > The one which I'm setting up for tomorrow (Monday) at 2pm can be for
> > > non-Google who are local to Mountain View as well.  I'd ask you to
> > > show up 5 minutes early so I can meet you at the lobby and sign you
> > > in.
> > 
> > What building is this? I'd like to stop by as well...
> 
> I'll send out directions to the building on the Mountain View campus
> when people send me their key id's, so I can have some idea how many
> people will be showing up.
> 

Guys, I for one haven't had to futz with key generation in at least
five years.

Please, tell us (or me, at least) what to do.  As in "type this".

From: Ted Ts'o < tytso < at> mit.edu>
Subject: Re: kernel.org status: establishing a PGP web of trust
Newsgroups: gmane.linux.kernel
Date: 2011-10-03 04:33:20 GMT (1 week, 2 days, 13 hours and 13 minutes ago)

On Sun, Oct 02, 2011 at 09:02:15PM -0700, Andrew Morton wrote:
> 
> Guys, I for one haven't had to futz with key generation in at least
> five years.
> 
> Please, tell us (or me, at least) what to do.  As in "type this".

Step-by-step instructions can be found here:

http://cryptnet.net/fdp/crypto/keysigning_party/en/keysigning_party.html#prep

							- Ted

From: Adrian Bunk < bunk < at> stusta.de>
Subject: Re: kernel.org status: establishing a PGP web of trust
Newsgroups: gmane.linux.kernel
Date: 2011-10-03 09:32:39 GMT (1 week, 1 day, 19 hours and 33 minutes ago)

On Sun, Oct 02, 2011 at 10:53:59AM -0700, H. Peter Anvin wrote:
> On 10/02/2011 04:54 AM, Rafael J. Wysocki wrote:
> > On Sunday, October 02, 2011, H. Peter Anvin wrote:
> > 
> > Hmm.  That doesn't seem very practical if someone doesn't live close
> > to any other core kernel developers.
> > 
> 
> You probably know enough people (including myself) that would be willing
> to sign your key over the phone.
>...

You have personally checked Rafael's user id (e.g. passport)?

This might or might not be true in this case, but generally signing keys 
without having ever checked the user id (no matter how long you know the 
person) is a common mistake.

> 	-hpa

cu
Adrian

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed

From: Frank Ch. Eigler < fche < at> redhat.com>
Subject: Re: kernel.org status: establishing a PGP web of trust
Newsgroups: gmane.linux.kernel
Date: 2011-10-03 16:28:17 GMT (1 week, 1 day, 12 hours and 37 minutes ago)

bunk  stusta.de wrote:

> [...]
>> You probably know enough people (including myself) that would be willing
>> to sign your key over the phone.
>>...
>
> You have personally checked Rafael's user id (e.g. passport)?
>
> This might or might not be true in this case, but generally signing keys 
> without having ever checked the user id (no matter how long you know the 
> person) is a common mistake.

What is the threat that this passport checking is intended to cure?
That someone else might have been impersonating Rafael for years,
sending patches, chatting in email and over the phone, and attending
conferences?  If so, perhaps the impostor is of more value to the
project than the Real Rafael.

- FChE

From: Adrian Bunk < bunk < at> stusta.de>
Subject: Re: kernel.org status: establishing a PGP web of trust
Newsgroups: gmane.linux.kernel
Date: 2011-10-03 18:04:41 GMT (1 week, 1 day and 11 hours ago)

On Mon, Oct 03, 2011 at 12:28:17PM -0400, Frank Ch. Eigler wrote:
> 
> bunk  stusta.de wrote:
> 
> > [...]
> >> You probably know enough people (including myself) that would be willing
> >> to sign your key over the phone.
> >>...
> >
> > You have personally checked Rafael's user id (e.g. passport)?
> >
> > This might or might not be true in this case, but generally signing keys 
> > without having ever checked the user id (no matter how long you know the 
> > person) is a common mistake.
> 
> What is the threat that this passport checking is intended to cure?
> That someone else might have been impersonating Rafael for years,
> sending patches, chatting in email and over the phone, and attending
> conferences?

Key signing is an identity check.

> If so, perhaps the impostor is of more value to the
> project than the Real Rafael.

Pseudonymous contributions to the kernel are not allowed.

> - FChE

cu
Adrian

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed

From: < Valdis.Kletnieks < at> vt.edu>
Subject: Re: kernel.org status: establishing a PGP web of trust
Newsgroups: gmane.linux.kernel
Date: 2011-10-04 20:29:48 GMT (1 week, 8 hours and 34 minutes ago)

On Mon, 03 Oct 2011 21:04:41 +0300, Adrian Bunk said:
> On Mon, Oct 03, 2011 at 12:28:17PM -0400, Frank Ch. Eigler wrote:

> > What is the threat that this passport checking is intended to cure?
> > That someone else might have been impersonating Rafael for years,
> > sending patches, chatting in email and over the phone, and attending
> > conferences?
>
> Key signing is an identity check.

That's dodging the issue. Somehow, I don't see Andrew Morton asking Linus to
sign his key, and Linus saying "How do I know you're the *real* Andrew Morton?"
And Andrew is a clever guy, if he was a fake Andrew, I'm sure he'd have gotten
a fake ID that would be good enough to fool Linus, who is also a clever guy but
I'm not aware of any special background he has in forgery detection. ;)

The more important point is that as far as the linux-kernel community is
concerned, the guy we've all seen show up at conferences and present stuff all
these times *is* Andrew Morton, even if his real name is George Q. Smith and
he's been on the run for the last 27 years for an embarassing incident
involving an ostrich, the mayor's daughter, and 17 gallons of mineral oil in
the atrium of the museum. ;)

The ID check is  to connect an actual person to the claimed key, and primarily
intended for key signing parties and the like, where people *don't* know each
other very well. I think there's something like 5 people on the linux-kernel
list who actually know me in real life, because I don't travel much and I'm
rather in the boonies.  If I asked anybody *else* who I'd not met before to
sign my key, yes, I'd expect them to check my ID, to ensure I wasn't somebody
trying to pull a fast one at the keysigning party.

> > If so, perhaps the impostor is of more value to the
> > project than the Real Rafael.
> 
> Pseudonymous contributions to the kernel are not allowed.

See above - whoever Andrew Morton *really* is, his contributions are hardly
pseudonymous.

From: Adrian Bunk < bunk < at> stusta.de>
Subject: Re: kernel.org status: establishing a PGP web of trust
Newsgroups: gmane.linux.kernel
Date: 2011-10-04 22:39:32 GMT (1 week, 6 hours and 23 minutes ago)

On Tue, Oct 04, 2011 at 04:29:48PM -0400, Valdis.Kletnieks  vt.edu wrote:
> On Mon, 03 Oct 2011 21:04:41 +0300, Adrian Bunk said:
> > On Mon, Oct 03, 2011 at 12:28:17PM -0400, Frank Ch. Eigler wrote:
> 
> > > What is the threat that this passport checking is intended to cure?
> > > That someone else might have been impersonating Rafael for years,
> > > sending patches, chatting in email and over the phone, and attending
> > > conferences?
> >
> > Key signing is an identity check.
> 
> That's dodging the issue. Somehow, I don't see Andrew Morton asking Linus to
> sign his key, and Linus saying "How do I know you're the *real* Andrew Morton?"
> And Andrew is a clever guy, if he was a fake Andrew, I'm sure he'd have gotten
> a fake ID that would be good enough to fool Linus, who is also a clever guy but
> I'm not aware of any special background he has in forgery detection. ;)
> 
> The more important point is that as far as the linux-kernel community is
> concerned, the guy we've all seen show up at conferences and present stuff all
> these times *is* Andrew Morton, even if his real name is George Q. Smith and
> he's been on the run for the last 27 years for an embarassing incident
> involving an ostrich, the mayor's daughter, and 17 gallons of mineral oil in
> the atrium of the museum. ;)
> 
> The ID check is  to connect an actual person to the claimed key, and primarily
> intended for key signing parties and the like, where people *don't* know each
> other very well. I think there's something like 5 people on the linux-kernel
> list who actually know me in real life, because I don't travel much and I'm
> rather in the boonies.  If I asked anybody *else* who I'd not met before to
> sign my key, yes, I'd expect them to check my ID, to ensure I wasn't somebody
> trying to pull a fast one at the keysigning party.

If you just want to be sure that patch number 100 comes from the same
person as the 99 patches before you could do that without key signing 
(require signed patches and check that all 100 patches were signed by
 the same key).

But the semantics of PGP key signing is that you certify that you 
verified that a photo ID of that person matches the name on the key.

No matter if that's needed for kernel purposes.
And no matter if it's possible to present you a fake ID.

One might discuss what requirements for access to kernel.org machines make 
sense or not, but when you sign a key you have to check a photo ID first.

> > > If so, perhaps the impostor is of more value to the
> > > project than the Real Rafael.
> > 
> > Pseudonymous contributions to the kernel are not allowed.
> 
> See above - whoever Andrew Morton *really* is, his contributions are hardly
> pseudonymous.

Each time a patch goes through him into the kernel, he certifies that 
his real name is Andrew Morton.

If that would not be his real name, it would make him somewhere between 
completely untrustable and punishable at court.

cu
Adrian

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed

From: Frank Ch. Eigler < fche < at> redhat.com>
Subject: Re: kernel.org status: establishing a PGP web of trust
Newsgroups: gmane.linux.kernel
Date: 2011-10-04 23:17:30 GMT (1 week, 5 hours and 45 minutes ago)

Hi -

On Wed, Oct 05, 2011 at 01:39:32AM +0300, Adrian Bunk wrote:

> [...]  But the semantics of PGP key signing is that you certify that
> you verified that a photo ID of that person matches the name on the
> key.  [...]

But that's begging the question.  The semantics are what you want them
to be.  Some keysigning parties take this super seriously, and maybe
with strangers there's some room for this.  But in the end, when *I*
see a key with someone else's signature on it, there is no proof how
rigorously they investigated the person.  The "reliable identity" part
of the web of trust is only one hop deep.

- FChE

From: Adrian Bunk < bunk < at> stusta.de>
Subject: Re: kernel.org status: establishing a PGP web of trust
Newsgroups: gmane.linux.kernel
Date: 2011-10-05 07:54:39 GMT (6 days, 21 hours and 7 minutes ago)

On Tue, Oct 04, 2011 at 07:17:30PM -0400, Frank Ch. Eigler wrote:
> Hi -
> 
> On Wed, Oct 05, 2011 at 01:39:32AM +0300, Adrian Bunk wrote:
> 
> > [...]  But the semantics of PGP key signing is that you certify that
> > you verified that a photo ID of that person matches the name on the
> > key.  [...]
> 
> But that's begging the question.  The semantics are what you want them
> to be.  Some keysigning parties take this super seriously, and maybe
> with strangers there's some room for this.  But in the end, when *I*
> see a key with someone else's signature on it, there is no proof how
> rigorously they investigated the person.  The "reliable identity" part
> of the web of trust is only one hop deep.

That is a rigid policy, but not the only one.

And it has practical limitations - "Key must be signed
by H. Peter Anvin" might be a consequence for kernel.org.

What policy is now used at kernel.org now is exactly the question
I asked in [1], and where I'm still waiting for an answer from hpa.

Other organizations like Debian have a clear and public policy on 
what is required for the user identification part for uploading to
the archive [2], and I expect the same for kernel.org.

> - FChE

cu
Adrian

[1] https://lkml.org/lkml/2011/10/3/362
[2] http://www.debian.org/devel/join/nm-step2

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed

From: Ted Ts'o < tytso < at> mit.edu>
Subject: Re: kernel.org status: establishing a PGP web of trust
Newsgroups: gmane.linux.kernel
Date: 2011-10-05 17:06:16 GMT (6 days, 11 hours and 54 minutes ago)

On Wed, Oct 05, 2011 at 10:54:39AM +0300, Adrian Bunk wrote:
> 
> What policy is now used at kernel.org now is exactly the question
> I asked in [1], and where I'm still waiting for an answer from hpa.
> 
> Other organizations like Debian have a clear and public policy on 
> what is required for the user identification part for uploading to
> the archive [2], and I expect the same for kernel.org.

Peter has already said "are you prepared to swear in court".
Government issued ID is one way (although any US high school student
knows how easy it is to get fake ID); personal knowledge of someone's
speach patterns plus common history generated by years of talking to
that person at conferences and/or concalls, is another way.

When I bootstrapped Linus's key, he and I talked on the phone, and I
knew him well enough by our conversation my recognizing his speach
patterns that I was prepared to certify his key even though I've never
seen his government ID.  That being said, I also know and trust Jim
Zemlin well enough to know trust that the person employed by the Linux
Foundation had his ID and right to work checked per US employment law,
and and that the person I talked to was the same person who is
employed by the Linux Foundation.  Realistically, I'm far more sure of
Linus's identity than I would be of some random Debian developer who
got his key signed after some quick impromptu verification of what
appeared to be a governement-issued ID at some conference.

						- Ted

From: Adrian Bunk < bunk < at> stusta.de>
Subject: Re: kernel.org status: establishing a PGP web of trust
Newsgroups: gmane.linux.kernel
Date: 2011-10-05 19:23:49 GMT (6 days, 9 hours and 51 minutes ago)

On Wed, Oct 05, 2011 at 01:06:16PM -0400, Ted Ts'o wrote:
> On Wed, Oct 05, 2011 at 10:54:39AM +0300, Adrian Bunk wrote:
> > 
> > What policy is now used at kernel.org now is exactly the question
> > I asked in [1], and where I'm still waiting for an answer from hpa.
> > 
> > Other organizations like Debian have a clear and public policy on 
> > what is required for the user identification part for uploading to
> > the archive [2], and I expect the same for kernel.org.
> 
> Peter has already said "are you prepared to swear in court".
> Government issued ID is one way (although any US high school student
> knows how easy it is to get fake ID); personal knowledge of someone's
> speach patterns plus common history generated by years of talking to
> that person at conferences and/or concalls, is another way.
> 
> When I bootstrapped Linus's key, he and I talked on the phone, and I
> knew him well enough by our conversation my recognizing his speach
> patterns that I was prepared to certify his key even though I've never
> seen his government ID.  That being said, I also know and trust Jim
> Zemlin well enough to know trust that the person employed by the Linux
> Foundation had his ID and right to work checked per US employment law,
> and and that the person I talked to was the same person who is
> employed by the Linux Foundation.  Realistically, I'm far more sure of
> Linus's identity than I would be of some random Debian developer who
> got his key signed after some quick impromptu verification of what
> appeared to be a governement-issued ID at some conference.

That was not what I was talking about in the email you are answering to.

Let me paraphrase my question:
"Whose signatures do I need on my key so that it will be accepted
 at kernel.org?"

With that information I can check if one email to a few local people to 
have a local keysigning is enough.

Or if I have to bother Linus to meet me and sign my key the next
time he is here in Helsinki.

> 						- Ted

cu
Adrian

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed

From: Adrian Bunk < bunk < at> stusta.de>
Subject: Re: kernel.org status: establishing a PGP web of trust
Newsgroups: gmane.linux.kernel
Date: 2011-10-05 19:50:24 GMT (6 days, 9 hours and 24 minutes ago)

On Wed, Oct 05, 2011 at 10:23:49PM +0300, Adrian Bunk wrote:
> On Wed, Oct 05, 2011 at 01:06:16PM -0400, Ted Ts'o wrote:
> > On Wed, Oct 05, 2011 at 10:54:39AM +0300, Adrian Bunk wrote:
> > > 
> > > What policy is now used at kernel.org now is exactly the question
> > > I asked in [1], and where I'm still waiting for an answer from hpa.
> > > 
> > > Other organizations like Debian have a clear and public policy on 
> > > what is required for the user identification part for uploading to
> > > the archive [2], and I expect the same for kernel.org.
> > 
> > Peter has already said "are you prepared to swear in court".
> > Government issued ID is one way (although any US high school student
> > knows how easy it is to get fake ID); personal knowledge of someone's
> > speach patterns plus common history generated by years of talking to
> > that person at conferences and/or concalls, is another way.
> > 
> > When I bootstrapped Linus's key, he and I talked on the phone, and I
> > knew him well enough by our conversation my recognizing his speach
> > patterns that I was prepared to certify his key even though I've never
> > seen his government ID.  That being said, I also know and trust Jim
> > Zemlin well enough to know trust that the person employed by the Linux
> > Foundation had his ID and right to work checked per US employment law,
> > and and that the person I talked to was the same person who is
> > employed by the Linux Foundation.  Realistically, I'm far more sure of
> > Linus's identity than I would be of some random Debian developer who
> > got his key signed after some quick impromptu verification of what
> > appeared to be a governement-issued ID at some conference.
> 
> That was not what I was talking about in the email you are answering to.
> 
> Let me paraphrase my question:
> "Whose signatures do I need on my key so that it will be accepted
>  at kernel.org?"
> 
> With that information I can check if one email to a few local people to 
> have a local keysigning is enough.
> 
> Or if I have to bother Linus to meet me and sign my key the next
> time he is here in Helsinki.

Or even one step further:
Perhaps my old existing key is good enough?

- It is in the Debian emeritus keyring.
- The fingerprint is in CREDITS of the kernel since 2.6.10 in 2004.
- The fingerprint was in the context of the commit when I updated
  my CREDITS entry in 2008.
- In the unlikely case that an intruder is on my system, he will
  anyway get my new key and passphrase immediately. [1]

cu
Adrian

[1] I did check what Greg recommended in his email, but I'm not gonna 
    wipe my complete installation (including wiping /home) unless 
    someone can point at something indicating that there's a break-in
    at my machine.

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed

From: Arnaud Lacombe < lacombar < at> gmail.com>
Subject: Re: kernel.org status: establishing a PGP web of trust
Newsgroups: gmane.linux.kernel
Date: 2011-10-05 20:00:39 GMT (6 days, 9 hours and 18 minutes ago)

Hi,

On Tue, Oct 4, 2011 at 6:39 PM, Adrian Bunk < bunk < at> stusta.de> wrote:
> On Tue, Oct 04, 2011 at 04:29:48PM -0400, Valdis.Kletnieks  vt.edu wrote:
>> On Mon, 03 Oct 2011 21:04:41 +0300, Adrian Bunk said:
>> > On Mon, Oct 03, 2011 at 12:28:17PM -0400, Frank Ch. Eigler wrote:
>>
>> > > What is the threat that this passport checking is intended to cure?
>> > > That someone else might have been impersonating Rafael for years,
>> > > sending patches, chatting in email and over the phone, and attending
>> > > conferences?
>> >
>> > Key signing is an identity check.
>>
>> That's dodging the issue. Somehow, I don't see Andrew Morton asking Linus to
>> sign his key, and Linus saying "How do I know you're the *real* Andrew Morton?"
>> And Andrew is a clever guy, if he was a fake Andrew, I'm sure he'd have gotten
>> a fake ID that would be good enough to fool Linus, who is also a clever guy but
>> I'm not aware of any special background he has in forgery detection. ;)
>>
>> The more important point is that as far as the linux-kernel community is
>> concerned, the guy we've all seen show up at conferences and present stuff all
>> these times *is* Andrew Morton, even if his real name is George Q. Smith and
>> he's been on the run for the last 27 years for an embarassing incident
>> involving an ostrich, the mayor's daughter, and 17 gallons of mineral oil in
>> the atrium of the museum. ;)
>>
>> The ID check is áto connect an actual person to the claimed key, and primarily
>> intended for key signing parties and the like, where people *don't* know each
>> other very well. I think there's something like 5 people on the linux-kernel
>> list who actually know me in real life, because I don't travel much and I'm
>> rather in the boonies. áIf I asked anybody *else* who I'd not met before to
>> sign my key, yes, I'd expect them to check my ID, to ensure I wasn't somebody
>> trying to pull a fast one at the keysigning party.
>
> If you just want to be sure that patch number 100 comes from the same
> person as the 99 patches before you could do that without key signing
> (require signed patches and check that all 100 patches were signed by
> áthe same key).
>
> But the semantics of PGP key signing is that you certify that you
> verified that a photo ID of that person matches the name on the key.
>
> No matter if that's needed for kernel purposes.
> And no matter if it's possible to present you a fake ID.
>
> One might discuss what requirements for access to kernel.org machines make
> sense or not, but when you sign a key you have to check a photo ID first.
>
>> > > If so, perhaps the impostor is of more value to the
>> > > project than the Real Rafael.
>> >
>> > Pseudonymous contributions to the kernel are not allowed.
>>
>> See above - whoever Andrew Morton *really* is, his contributions are hardly
>> pseudonymous.
>
> Each time a patch goes through him into the kernel, he certifies that
> his real name is Andrew Morton.
>
> If that would not be his real name, it would make him somewhere between
> completely untrustable and punishable at court.
>
Under which jurisdiction ? Under which law ?

IANAL, but US copyright law does recognize the use of pseudonym for
copyrighted work[0], without requirements to disclose one's legal
name.

 - Arnaud

[0]: http://www.copyright.gov/fls/fl101.html

From: Greg KH < gregkh < at> suse.de>
Subject: Re: kernel.org status: establishing a PGP web of trust
Newsgroups: gmane.linux.kernel
Date: 2011-10-05 20:09:44 GMT (6 days, 9 hours and 4 minutes ago)

On Wed, Oct 05, 2011 at 10:50:24PM +0300, Adrian Bunk wrote:
> [1] I did check what Greg recommended in his email, but I'm not gonna 
>     wipe my complete installation (including wiping /home) unless 
>     someone can point at something indicating that there's a break-in
>     at my machine.

What would you consider "proof" of a break-in on your machine that would
cause you to be willing to reinstall it?

greg k-h

From: Adrian Bunk < bunk < at> stusta.de>
Subject: Re: kernel.org status: establishing a PGP web of trust
Newsgroups: gmane.linux.kernel
Date: 2011-10-05 20:19:04 GMT (6 days, 8 hours and 58 minutes ago)

On Wed, Oct 05, 2011 at 04:00:39PM -0400, Arnaud Lacombe wrote:
> Hi,
> 
> On Tue, Oct 4, 2011 at 6:39 PM, Adrian Bunk < bunk < at> stusta.de> wrote:
>...
> > Each time a patch goes through him into the kernel, he certifies that
> > his real name is Andrew Morton.
> >
> > If that would not be his real name, it would make him somewhere between
> > completely untrustable and punishable at court.
> >
> Under which jurisdiction ? Under which law ?
> 
> IANAL, but US copyright law does recognize the use of pseudonym for
> copyrighted work[0], without requirements to disclose one's legal
> name.

I am not talking about copyright law.

When you add a Signed-off-by: to a patch you have to use your real name
(see Documentation/SubmittingPatches for details).

If violating that would be considered fraud or some other crime in some 
jurisdictions is likely a non-trivial question.

>  - Arnaud
>...

cu
Adrian

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed

From: Adrian Bunk < bunk < at> stusta.de>
Subject: Re: kernel.org status: establishing a PGP web of trust
Newsgroups: gmane.linux.kernel
Date: 2011-10-05 21:25:26 GMT (6 days, 7 hours and 47 minutes ago)

On Wed, Oct 05, 2011 at 01:09:44PM -0700, Greg KH wrote:
> On Wed, Oct 05, 2011 at 10:50:24PM +0300, Adrian Bunk wrote:
> > [1] I did check what Greg recommended in his email, but I'm not gonna 
> >     wipe my complete installation (including wiping /home) unless 
> >     someone can point at something indicating that there's a break-in
> >     at my machine.
> 
> What would you consider "proof" of a break-in on your machine that would
> cause you to be willing to reinstall it?

There is no clear definition.

Had debsums told me that /bin/bash was modified I would have been quite 
convinced.

Externally observed suspicious behavior of my machine I could not explain.

Or many other things - after all I am a person with some basic 
understanding of security and how computers work.

When I am convinced there was a break-in on my machine, I also have to 
assume that all important and not so important accounts I have anywhere 
(from unbelievably many Bugzilla accounts to machines where I have root
access) are also compromised, and have to act accordingly.

It is possible to convince me that there was likely a break-in on my 
machine, but I am not assuming the worst case automatically, and for 
going through that horror of assuming it happened I need to see 
something clearly pointing at my machine.

> greg k-h

cu
Adrian

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed

From: Ted Ts'o < tytso < at> mit.edu>
Subject: Re: kernel.org status: establishing a PGP web of trust
Newsgroups: gmane.linux.kernel
Date: 2011-10-05 23:47:16 GMT (6 days, 5 hours and 25 minutes ago)

On Thu, Oct 06, 2011 at 12:25:26AM +0300, Adrian Bunk wrote:
> 
> Had debsums told me that /bin/bash was modified I would have been quite 
> convinced.
> 

Keep in mind that debsums is trivially easy to circument.  That just
checks against an md5 checksum stored in a text file in
/var/lib/dpkg/info/*.md5sums.  If someone modified /bin/bash it would
easy enough for them to modify the relevant md5sums file.

     	    	     	       	   	    - Ted

From: Adrian Bunk < bunk < at> stusta.de>
Subject: Re: kernel.org status: establishing a PGP web of trust
Newsgroups: gmane.linux.kernel
Date: 2011-10-06 07:16:57 GMT (5 days, 21 hours and 55 minutes ago)

On Wed, Oct 05, 2011 at 07:47:16PM -0400, Ted Ts'o wrote:
> On Thu, Oct 06, 2011 at 12:25:26AM +0300, Adrian Bunk wrote:
> > 
> > Had debsums told me that /bin/bash was modified I would have been quite 
> > convinced.
> 
> Keep in mind that debsums is trivially easy to circument.  That just
> checks against an md5 checksum stored in a text file in
> /var/lib/dpkg/info/*.md5sums.  If someone modified /bin/bash it would
> easy enough for them to modify the relevant md5sums file.

I am not so na´ve to assume there was any way to prove my machine is not 
compromised.

My first assumption is that my machine is not compromised, and also
that the latest e2fsprogs you uploaded to Debian unstable and that
I installed on my machine does not contain a trojan added by someone
who hijacked your machine or your key.

There is no 100% security, only compromises between security and costs.

>      	    	     	       	   	    - Ted

cu
Adrian

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed

From: Alan Cox < alan < at> lxorguk.ukuu.org.uk>
Subject: Re: kernel.org status: establishing a PGP web of trust
Newsgroups: gmane.linux.kernel
Date: 2011-10-06 10:05:53 GMT (5 days, 19 hours and 10 minutes ago)

> When you add a Signed-off-by: to a patch you have to use your real name

Don't confuse real name and legal name. In particular remember

- Not all countries have a notion of legal name
- In many places 'real' and legal names are not particularly tied together
- Both legal and real names change but there is no kernel facility to
  update existing sign offs.
- Some cultures have multiple names for people as the norm
- A lot of signed off entries are transliterated (We don't have many
  signed off in Japanese or Chinese for example but mostly in
  transliterated form)
- The "official" transliterations vary by country, and no specific
  transliteration or indeed specific language is necessarily correct
- In many cases it is possible to change your "real" name to a nickname,
  (and indeed back again). Genuine UK names for official purposes include
  people like Mr Telephone Booth (changed his name for charity and kept
  it), and "Fruitbat".

So can I suggest we leave that quagmire for Google+ to sink into and
flounder and stay well out of it.

A key merely proves that the person who signed the object had access to
the key. A signed key merely proves that someone or indeed something with
access to the relevant key data signed it. Even in person signing proves
surprisingly little.  (Ob amusement - can one of a pair of identical
twins ever become a Debian developer)

It's an administrative convenience.

Signing patches is also only useful for tracing probable origin. It
doesn't prove they are any good. That's one reason I never signed any
security announcement when I was the CERT contact, it forced people to
check the announcement and advice made sense.

Alan