[sldev] Idea: Make GPG signatures work

Dale Glass dale at daleglass.net
Fri Mar 30 15:36:27 PDT 2007


I see that a few people, LL employees included, are using GPG 
signatures. Unfortunately as things are right now, this isn't very 
useful, as the web of trust is too small for people to find a trust 
path to another. So signatures work as a checksum and little else.
I propose a way this could be fixed:

1. LL has to set up a company official key, sign the keys of all 
employees, and publish the public key. That wouldn't be too hard to 
do, and would help already.

2. LL could also set up a scheme where it's possible to get your key 
automatically signed by an LL one. This could be done from the SL 
website.

Idea of how such a thing would work:

LL's own keys would be available at the website, as well as 
distributed with the viewer. A wide distribution should make it very 
unlikely that the keys can be falsified, and if LL gets them signed 
by a few well known people it could go a long way. I went to a key 
signing party at a Spanish Linux meeting, and now I can trace a trust 
path to keys like Richard Stallman's and the one used by the kernel 
archive.

Add a "key signing" page to the profile. The user would be able to 
upload their key there, and have it signed by an LL one. Knowing the 
password for the account would prove their identity.

To ensure that it's not possible to just sign any key at all, a 
requirement for signing would be that the name on the key must match 
the avatar's name.

If there are any additional names on the key, require them to match 
the real name from the profile. For this it should probably only pass 
the check if there's used payment data (assuming such a thing 
confirms that the name specified in the account is accurate).

Different keys could be used to specify how much LL knows about the 
particular person. Keys for "This key belongs to the avatar it 
says", "payment info on file", "payment info used" and "authorized 
contributor who signed the agreement" and "LL employee" come to mind.

Why do this?

The first reason is to make signatures useful. People are signing 
messages now, so obviously there's some interest in it. However, 
there's effectively no security right now. Getting security without 
LL's help would be difficult and require a key signing party, which 
isn't easy at all to organize.

It would make it possible for other people to easily verify the 
identity of somebody else. For instance, this would make it easy to 
recognize whether a patch is made by an authorized contributor -- 
simply require the patch to be signed, check that the signature is 
correct, and that there's an "authorized contributor" signature on 
the submitter's key.
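The "authorized contributor" check described above, as an added example that is not part of the original post or any Linden Lab code. It assumes the patch signature has already been cryptographically verified (e.g. `gpg --verify patch.diff.sig patch.diff`) and that the signer's key has been dumped with `gpg --with-colons --list-sigs <keyid>`; the LL key IDs and the key listing are constructed placeholders, and the tier names map to the tiered LL keys proposed earlier in the message.

```python
# Hypothetical Linden Lab certification keys, one per trust tier.
# The key IDs are constructed placeholders, not real keys. A production
# check should match on full fingerprints rather than 64-bit key IDs.
LL_TIER_KEYS = {
    "0000000000AAAAAA": "avatar-name-verified",
    "0000000000BBBBBB": "payment-info-used",
    "0000000000CCCCCC": "authorized-contributor",
    "0000000000DDDDDD": "ll-employee",
}

# Constructed `gpg --with-colons --list-sigs` output for a submitter's key:
# a self-signature, two LL certifications and one from an unknown key.
SAMPLE_LISTING = """\
pub:-:2048:1:1234567890ABCDEF:1175000000::::::scESC::::::
uid:-::::1175000000::DEADBEEF::Example Resident <resident@example.invalid>::::::::::0:
sig:::1:1234567890ABCDEF:1175000000::::Example Resident <resident@example.invalid>:13x::::::2:
sig:::1:0000000000AAAAAA:1175000100::::LL avatar key (placeholder):10x::::::2:
sig:::1:0000000000CCCCCC:1175000200::::LL contributor key (placeholder):10x::::::2:
sig:::1:FFFFFFFFFFFFFFFF:1175000300::::Random Stranger <nobody@example.invalid>:10x::::::2:
"""


def certification_tiers(listing, ll_tier_keys=LL_TIER_KEYS):
    """Return the set of LL trust tiers certified on the listed key.

    Only certification signatures (OpenPGP classes 0x10-0x13) issued by a
    known LL key count; self-signatures, revocations and signatures from
    unknown keys are ignored. The certifications themselves should have
    been validated by gpg (e.g. `--check-sigs`) before this policy step.
    """
    tiers = set()
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] != "sig" or len(fields) < 11:
            continue
        issuer = fields[4].upper()       # key ID of the certifying key
        sig_class = fields[10][:2]       # e.g. "10" from "10x"
        if sig_class not in ("10", "11", "12", "13"):
            continue                     # not a certification signature
        if issuer in ll_tier_keys:
            tiers.add(ll_tier_keys[issuer])
    return tiers


def patch_is_acceptable(listing, ll_tier_keys=LL_TIER_KEYS):
    """A patch passes only if the signer's key carries the contributor tier."""
    return "authorized-contributor" in certification_tiers(listing, ll_tier_keys)
```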

This could also be used as a base for plugin signing. If a user 
decides to stick to using only signed plugins, it would be quite 
unlikely that they'd end up with something nasty, such as a password 
or L$ stealing plugin, and if they did then that'd make it trivially 
possible to trace it back to the source.

As an additional benefit, it would make it possible to have sites in 
the style of addons.mozilla.org, which mirror plugins, without 
security issues. If the author signs it, then mirroring of their 
plugin on various websites can be done safely.


How does this sound?
