
Re: [Monotone-devel] WARNING: ~/.monotone/keys CONSIDERED HARMFUL


From: Daniel Carrera
Subject: Re: [Monotone-devel] WARNING: ~/.monotone/keys CONSIDERED HARMFUL
Date: Tue, 21 Oct 2008 13:18:22 +0200
User-agent: Thunderbird 2.0.0.17 (Macintosh/20080914)

Markus Wanner wrote:
The last point is interesting, and it seems sensible to me.

Hm.. I don't see how running our own PKI should be different. Our
web-of-trust is just very simple (and maybe doesn't deserve the term
"web"): every server allows certain keys commit access to certain
branches, only read access to other keys.

My position is that the PGP web of trust provides identification but not authorization, and so it does not help Monotone. If Brian and I have met in person and he signed my PGP key, and you trust Brian, you can be confident that that key really belongs to Daniel. But what does that buy you? It doesn't tell you whether Daniel should be allowed into the server. You still need to decide, independently, whether Daniel should be allowed in the server and if so, upload Daniel's key.

Notice the following:

1) PGP's web of trust did not reduce or alter the work needed to authorize Daniel.

2) PGP's web of trust provides identification, but what you are looking for is authorization. You don't really care if my name is Daniel or not. What you want to know is whether the guy who owns this key (the one who claims to be called Daniel) should be allowed into the server.



Considering that we may be sharing these "policies" between servers
manually, isn't that a sort of a web of trust? If you don't call it that
now, you probably will with policy branches.

It isn't a web of trust. But as you imply, what we call it doesn't matter. Just call it policy or whatever. The real issue is whether there is any benefit to using PGP from inside Monotone. I opine that there isn't. The things Monotone needs (authorization), PGP does not facilitate. The things that PGP provides that Monotone lacks (web of trust, identification), are not things Monotone needs. Just my opinion though.

Without knowing a name, yes. But is the name really the answer to the
question "who are you"? (This is getting philosophical...)

I'd argue that to authenticate *someone* to do something, you always
need to identify the *someone* first. That doesn't necessarily mean
getting his name. You can easily authenticate by confirming that it's
the same person who has written revision 276264b0... for example.

Trying to not start an argument about the definition of "identification", notice that what PGP provides which Monotone doesn't is assurance that the name and email actually match the key. This is the thing which (whatever we call it) we have agreed Monotone does not care about. Monotone only cares about whether the guy who owns this key should be allowed into the server. For that purpose, PGP doesn't appear to provide anything that Monotone's light-weight alternative doesn't already provide.


Now, on "identification": I think the following might be a relevant example: Imagine an ID card that has a picture of you but no name. You and I might disagree on whether we would call this identification. But it might clear up confusion if I say that this is an example of what Schneier means by "no identification". In Schneier's lingo, this ID card may provide authentication but not identification. In my recent emails I have tried to follow Schneier's lingo.


Daniel.



