Ticket #11 (new enhancement)

Opened 7 years ago

Last modified 6 years ago

Fedora Contributor Keyring

Reported by: till Owned by: somebody
Priority: major Milestone:
Component: Web UI Version:
Keywords: Cc:
Blocked By: Blocking:

Description

In FAS a user only needs to provide the short gpg key ID and other users can query this id. But this is not enough information to verify a gpg key. It would be better to ask for the fingerprint of the key. Afaik is the key id even part of the fingerprint for rsa keys.

Also it would be nice, when there would be an FAS gpg key that signs all keys of all maintainers. For this after the fingerprint was provided, the key should be fetched, the fingerprint compared and the user id that fits to the provided e-mail address be signed with the FAS gpg key. Then this signature should be send encrypted to the recipients gpg key to the provided e-mail address. Now the maintainer should decrypt the signature and send it to a keyserver. Maybe there is also a way to document the FAS username in the signature.

Change History

comment:1 Changed 6 years ago by ricky

  • Summary changed from full gpg key verification to Fedora Contributor Keyring

I believe fetching a key is necessarily done by keyid, but we do verify that the fingerprints match now. The keyid field can take either a keyid or fingerprint now (spaces are automatically stripped out before being passed to gpg).

The next item is having a Fedora contributor keyring (hopefully for a future release). We'll have to look at how to keep such a thing clean.

I don't think we'd gain much from having a FAS key sign contributor keys, since FAS wouldn't be able to do any in-person verification of the user (and since pretty much anybody could get their key signed by such a key).

comment:2 Changed 6 years ago by till

How do you verify whether or not the fingerprint matches if one only provides the key id? Imho there should be either two fields (key id and key fingerprint) and at least the fingerprint needs to be given. For some keys (rsa keys?) the key id is the last x characters of the fingerprint and afaik the fingerprint is then also called long id, therefore it should be possible to fetch the key with the fingerprint. For keys where this does not hold, one needs to provide the key id additionally. But without getting the fingerprint via a secure channel, i.e. the user must enter it via an encrypted link in this case, it cannot be verified.

When the FAS key signs a contributor key, then it is not know, whether the name of the person is correct, but it can be guaranteed, that the e-mail address belongs to the corresponding fas account, which is imho enough that someone needs to know, to securely write an e-mail to another contributor.

Note: See TracTickets for help on using tickets.