Linux ID: Linux explores new way of authenticating developers and their code
10 points by laktak
I'm excited about a web of trust with trust levels and more ways to establish trust relations than in-person meetings.
I always felt that government ID checking at key signing parties is a bit of a LARP. Most of those parties don't have anyone trained as a police or immigration officer and able to tell if an ID is genuine. I've never seen anyone attempt to check watermarks, holograms, and other protection measures. In fact, I got some odd looks when I did that. I'm pretty sure anyone dedicated enough can get their keys signed even with a moderately well-made fake ID.
Well, we've already seen all in-person meetings become impossible during the COVID-19 pandemic, and for a lot of people travel, especially long-distance international travel, is simply not an option for a lot of reasons.
But I also hope that support for pseudonymous identities will be better than in a PGP-based web of trust, not worse.
I wouldn't want to show my real ID to anyone.
I can show you that I can log into lobsters or some other website, but my government's ID has little to do with my online life.
> I always felt that government ID checking at key signing parties is a bit of a LARP. Most of those parties don't have anyone trained as a police or immigration officer and able to tell if an ID is genuine. I've never seen anyone attempt to check watermarks, holograms, and other protection measures. In fact, I got some odd looks when I did that. I'm pretty sure anyone dedicated enough can get their keys signed even with a moderately well-made fake ID.
I don't recall if this was a GPG key signing party at CCC or FOSDEM one year. But I was in the line meeting people, and showed my passport with the GPG key ID. One guy went "that is a fake passport. It shouldn't have that number", while pointing at the row of numbers at the bottom of my passport.
So he refused to sign my key!
And I swear the passport was real.
> I always felt that government ID checking at key signing parties is a bit of a LARP.
It’s complete bullshit. There’s no connection between government ID and the email address or even the name on the PGP key. It does nothing to verify the actually important facts: that the person showing up with a public key is in control of the private key and the email addresses.
There’s some value in the social warm fuzzies of a mutual in-person introduction, but big key-signing parties usually skip any meaningful authentication.
This was one of the things I liked about SILC. It made zero promises about the link between name and identity, but it guaranteed a way that you could check that a person you were talking to today was the same as the person you were talking to yesterday.
I can see though, that this is insufficient in an environment where nation-state adversaries are trying to mount supply-chain attacks via F/OSS projects.
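The two checks the comments above describe, proving that the person presenting a public key actually controls the private key, and checking that a handle is backed by the same key as last time, can be shown in a few lines. The following is an added example written for this page, not code from the thread or from the Linux kernel project; it assumes Ed25519 keys, a random challenge chosen by the verifier, and a hypothetical handle "alice" for the pinned-key store.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Domain-separation prefix so a challenge signature cannot be reused as a
// signature over some other message (a commit, tag or release) by the same key.
const challengeContext = "key-control-challenge-v1:"

// NewChallenge returns a fresh random nonce. The verifier chooses it; if the
// prover could pick the nonce, a precomputed signature would pass.
func NewChallenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return nonce, nil
}

// ProveControl is the prover's side: sign the context-prefixed nonce.
func ProveControl(priv ed25519.PrivateKey, nonce []byte) []byte {
	return ed25519.Sign(priv, append([]byte(challengeContext), nonce...))
}

// VerifyControl is the verifier's side: a valid signature over our own nonce
// shows the presenter holds the private key matching the claimed public key.
func VerifyControl(pub ed25519.PublicKey, nonce, sig []byte) bool {
	if len(pub) != ed25519.PublicKeySize {
		return false
	}
	return ed25519.Verify(pub, append([]byte(challengeContext), nonce...), sig)
}

// Fingerprint is a short, stable identifier for a public key (SHA-256, hex).
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// Continuity is the outcome of comparing a presented key with the pinned one.
type Continuity int

const (
	Invalid    Continuity = iota - 1 // challenge failed; continuity not assessed
	FirstSeen                        // no pin yet: record it, trust is provisional
	SameKey                          // matches the pin: same counterpart as before
	KeyChanged                       // mismatch: treat as a new identity until explained
)

// KeyStore pins the first fingerprint seen for each handle (trust on first use).
// It says nothing about who the person is, only whether the key is the same.
type KeyStore struct {
	pins map[string]string
}

func NewKeyStore() *KeyStore { return &KeyStore{pins: map[string]string{}} }

// CheckContinuity answers "is this the same key I saw for this handle before?"
func (s *KeyStore) CheckContinuity(handle string, pub ed25519.PublicKey) Continuity {
	fp := Fingerprint(pub)
	pinned, ok := s.pins[handle]
	switch {
	case !ok:
		s.pins[handle] = fp
		return FirstSeen
	case pinned == fp:
		return SameKey
	default:
		return KeyChanged
	}
}

// Authenticate runs both checks in order: proof of control first, so that a
// key nobody can sign with never gets pinned, then continuity against the store.
func Authenticate(s *KeyStore, handle string, pub ed25519.PublicKey, nonce, sig []byte) (Continuity, error) {
	if !VerifyControl(pub, nonce, sig) {
		return Invalid, errors.New("challenge signature invalid: presenter does not control this key")
	}
	return s.CheckContinuity(handle, pub), nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	store := NewKeyStore()
	for i := 0; i < 2; i++ {
		nonce, _ := NewChallenge()
		c, err := Authenticate(store, "alice", pub, nonce, ProveControl(priv, nonce))
		fmt.Println(c, err) // first round: FirstSeen (0), second round: SameKey (1)
	}
}
```

Neither check needs a government ID: the first ties the presenter to the key, the second ties today's key to yesterday's. What it deliberately does not do is tie the key to a legal name, which is the part the thread argues key-signing parties cannot verify anyway.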
Secure Internet Live Conferencing protocol for those like myself who were unfamiliar with it.
Does not match my experience. The 2 keysigning parties I attended at Linuxtag and at FOSDEM were pretty thorough. (Many years ago, though.)
Maybe it helps if we were all Europeans with card IDs that are somehow similar and you could nearly always find someone with a 2nd ID from the same country, for small differences between the countries.
thus anonymity is step by step culled out of open source, at least out of projects with contributors. this is a hard sell. what once was a field to experiment with new ideas now turns into a place where contributions can and will be weighed in professional contexts. it sounds benign, but employers not only look at quality but also at alignment with development methods, tools and with management methods. we'll have to wait and see where this change leads. thinking this to the end: will we see linux daily scrums on irc?
Either my brain didn't fully follow the details, or the details weren't actually clear enough, but I figure a system like this could allow pseudonymity pretty easily? Whether a given project (e.g. the kernel) chooses to enforce a policy of requiring real-world IDs at a given stage of involvement is likely a political not technical decision? The compromise might be for example requiring a longer history of trustworthy collaboration in the absence of that ID.
The counter to your worry is that an automated system for evaluating a trust score based on a large stack of cryptographic assertions of trustworthy collaboration could form the basis of an official policy of managing pseudonymity. Ultimately the decision to ban particular collaborators is a management decision, and people might be more likely to reach for the other simplistic "real IDs only" policy in the absence of good tooling to do something more sophisticated?
Just picking up a thread I see in common between @srtcd424 and @carlomonte's comments: "management".
Especially in light of the very recent discussions around various platforms and migration, it's important to note just how quickly - historically - access for all has been permanently stripped away under the guise of perceived issues of 'management,' working hand-in-hand with the goal of 'professionalism'.
Beyond Linux scrums on IRC or better automated systems for validating trust, I'm more concerned about who is left managing the issues, and how interested (or not) they are in continuing to allow contributors - or contributions - from those not perceived as "professional" enough or "trusted" enough or "well-connected" enough.