[sldev] Idea: Make GPG signatures work

Phoenix phoenix at secondlife.com
Fri Mar 30 16:30:20 PDT 2007


My key is available on my wiki user page (obviously not that secure)  
and via subkeys.pgp.net. I have signed many of the developer keys  
here. I will sign keys of people that I meet and that I prove to  
myself match their proposed email address.

A secure and automated method of proving identity and key mappings  
would take a while, so no one is spending much time thinking about  
it. I will think about how to do this, and talk to Zero to see if  
there is a good way to roll that into our current Agent Domain  
scalability work.

Until that time, I am the best gateway (aka bottleneck) for signing  
contributor keys.
On 2007 Mar 30, at 15:36, Dale Glass wrote:
> I see that a few people, LL employees included, are using GPG
> signatures. Unfortunately as things are right now, this isn't very
> useful, as the web of trust is too small for people to find a trust
> path to another. So signatures work as a checksum and little else.
>
>
>
> I propose a way this could be fixed:
>
> 1. LL has to set up a company official key, sign the keys of all
> employees, and publish the public key. That wouldn't be too hard to
> do, and would help already.
>
> 2. LL could also set up a scheme where it's possible to get your key
> automatically signed by a LL one. This could be done from the SL
> website.
>
> Idea of how such a thing would work:
>
> LL's own keys would be available at the website, as well as
> distributed with the viewer. A wide distribution should make it very
> unlikely that the keys can be falsified, and if LL gets them signed
> by a few well known people it could go a long way. I went to a key
> signing party at a Spanish Linux meeting, and now I can trace a trust
> path to keys like Richard Stallman's and the one used by the kernel
> archive.
>
> Add a "key signing" page to the profile. The user would be able to
> upload their key there, and have it signed by a LL one. Knowing the
> password for the account would prove their identity.
>
> To ensure that it's not possible to just sign any key at all, a
> requirement for signing would be that the name on the key must match
> the avatar's name.
>
> If there are any additional names on the key, require them to match
> the real name from the profile. For this it should probably only pass
> the check if there's used payment data (assuming such a thing
> confirms that the name specified in the account is accurate).
>
> Different keys could be used to specify how much LL knows about the
> particular person. Keys for "This key belongs to the avatar it
> says", "payment info on file", "payment info used" and "authorized
> contributor who signed the agreement" and "LL employee" come to mind.
>
> Why do this?
>
> The first reason is to make signatures useful. People are signing
> messages now, so obviously there's some interest in it. However,
> there's effectively no security right now. Getting security without
> LL's help would be difficult and require a key signing party, which
> isn't easy at all to organize.
>
> It would make it possible for other people to easily verify the
> identity of somebody else. For instance, this would make it easy to
> recognize whether a patch is made by an authorized contributor --
> simply require the patch to be signed, check that the signature is
> correct, and that there's an "authorized contributor" signature on
> the submitter's key.
>
> This could also be used as a base for plugin signing. If a user
> decides to stick to using only signed plugins, it would be quite
> unlikely that they'd end up with something nasty, such as a password
> or L$ stealing plugin, and if they did then that'd make it trivially
> possible to trace it back to the source.
>
> As an additional benefit, it would make it possible to have sites in
> the style of addons.mozilla.org, which mirror plugins, without
> security issues. If the author signs it, then mirroring of their
> plugin on various websites can be done safely.
>
>
> How does this sound?
>

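The key-signing policy and the patch gate from the proposal above, modelled in Python as an added illustration (not code from either poster or from Linden Lab). The tier names follow the message; the LL key fingerprints are constructed placeholders, one certification with the strongest applicable LL key is assumed, and the cryptographic verification of the patch signature itself (e.g. `gpg --verify`) is assumed to have been done already and is passed in as a flag.

```python
from dataclasses import dataclass, field

# LL certification keys named in the proposal, least to most trusted.
# Fingerprints are constructed placeholders, not real keys.
LL_KEYS = {
    "avatar": "LL-AVATAR-0001",
    "payment_on_file": "LL-PAYONFILE-0002",
    "payment_used": "LL-PAYUSED-0003",
    "authorized_contributor": "LL-CONTRIB-0004",
    "employee": "LL-EMPLOYEE-0005",
}

@dataclass
class Key:
    fingerprint: str
    uids: list                               # names on the key; uids[0] is the primary
    certs: set = field(default_factory=set)  # fingerprints of keys that have signed it

@dataclass
class Account:
    avatar_name: str
    real_name: str = ""            # from the profile; may be empty
    payment_on_file: bool = False
    payment_used: bool = False
    contributor: bool = False      # signed the contributor agreement
    employee: bool = False

def sign_key(account: Account, key: Key) -> str:
    """The proposed 'key signing' profile page: refuse unless every name on the
    key is backed by what LL knows about the account, then certify with the
    strongest LL key the account qualifies for. Returns the tier used."""
    if not key.uids or key.uids[0] != account.avatar_name:
        raise ValueError("primary name on the key must match the avatar name")
    extra = key.uids[1:]
    if extra and not (account.payment_used and
                      all(name == account.real_name for name in extra)):
        raise ValueError("extra names need used payment data and must match the profile")
    qualifies = {"avatar": True,
                 "payment_on_file": account.payment_on_file,
                 "payment_used": account.payment_used,
                 "authorized_contributor": account.contributor,
                 "employee": account.employee}
    tier = [t for t in LL_KEYS if qualifies[t]][-1]
    key.certs.add(LL_KEYS[tier])
    return tier

def accept_patch(signature_valid: bool, signer: Key) -> bool:
    """Patch gate from the proposal: the signature must verify AND the signer's
    key must carry LL's 'authorized contributor' certification."""
    return signature_valid and LL_KEYS["authorized_contributor"] in signer.certs
```

A key that matches the avatar name but has no contributor agreement still gets the "avatar" certification, which is enough to prove who signed a message but not enough to get a patch accepted.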