[Nix-dev] Announcing: NixOS Security Team, and Request for Comments

zimbatm zimbatm at zimbatm.com
Fri Jan 6 20:01:59 CET 2017 

In relation to GPG key signing, I think it's safe to trust online
identities it they are established trough enough channels. That's basically
what keybase.io is doing, they are a point of contact but the proof of
identity is distributed on multiple services. Personal verification is just
another target.

Someone who would want to subvert that process would have to Impersonate
all these services through MITM and also maintain that in place if the user
is moving between connections (and somehow not trigger chrome's certificate
monitoring).
As far as I know only state actors might be able to pull that off. But they
also have access to zeroday to hack and extract the private key directly
which seem more practical to me.

Anyways, it's good that you want to be careful, that's just my thinking.

On Fri, 6 Jan 2017, 02:13 Graham Christensen, <graham at grahamc.com> wrote:

>
> (cross-posted to nix-dev for discussion.)
>
> Hello Nixians,
>
> This morning the NixOS Security Team was formalized in a PR to the
> homepage: https://github.com/NixOS/nixos-homepage/pull/123.
>
> This is now public at https://nixos.org/nixos/security.html.
>
> This information is currently listed as follows:
>
>
>     Graham Christensen graham at grahamc.com
>     GPG Key: 0xFE918C3A98C1030F
>     GPG Fingerprint: BA94 FDF1 1DA4 0521 2864 C121 FE91 8C3A 98C1 030F
>
>     Franz Pletz fpletz at fnordicwalking.de
>     GPG Key: 0x846FDED7792617B4
>     GPG Fingerprint: 8A39 615D CE78 AF08 2E23 F303 846F DED7 7926 17B4
>
>     Domen Kožar domen at dev.si
>     GPG Key: 0xC2FFBCAFD2C24246
>     GPG Fingerprint: E96C 15A0 8D17 CE3B 17B0 C7AB C2FF BCAF D2C2 4246
>
>     Rob Vermaas rob.vermaas at gmail.com
>     GPG Key: 0xE114A5F264A8AE8E
>     GPG Fingerprint: 96BF 75A5 3DEE 1F21 5F0C 979C E114 A5F2 64A8 AE8E
>
>
> At this time, none of us have signed each other's keys. There is some
> discussion about this in the pull request (linked above) but basically
> it boils down to this:
>
> We do each trust the work and intentions of each other, but this
> doesn't necessarily translate in to confirmed identity.
>
> Signing keys has a lot of meaning around verifying identity. Until
> each of us are able to be in the same room and check identification, we
> can't very well assert each other's identities.
>
> This is an effort to preserve the intentions of the web of trust... and
> this is where we get to the "request for comments" on how the Nix
> community would like for us to proceed on this front.
>
> If you have any opinions or feedback, please feel free to reply to the
> nix-dev email list, and _not_ the GitHub issue so as to keep further
> conversation on this list.
>
>
> Thank you,
> Graham Christensen
>
> --
> You received this message because you are subscribed to the Google Groups
> "nix-security-announce" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to nix-security-announce+unsubscribe at googlegroups.com.
> To post to this group, send email to
> nix-security-announce at googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/nix-security-announce/87bmvluead.fsf%40NdNdNx.supersecrets.gsc.io
> .
> For more options, visit https://groups.google.com/d/optout.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.science.uu.nl/pipermail/nix-dev/attachments/20170106/d24fc96c/attachment.html>

More information about the nix-dev mailing list