Re: Debian OpenPGP audit log
- To: debian-project@lists.debian.org
- Cc: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, Enrico Zini <enrico@enricozini.org>, Roberto C. Sánchez <roberto@debian.org>
- Subject: Re: Debian OpenPGP audit log
- From: Jonathan Nieder <jrnieder@gmail.com>
- Date: Tue, 10 Oct 2017 11:51:02 -0700
- Message-id: <20171010185102.GV19555@aiede.mtv.corp.google.com>
- In-reply-to: <87h8v6j50g.fsf@fifthhorseman.net>
- References: <A2A20EC3B8560D408356CAC2FC148E53BB448C67@SUN-DAG3.synchrotron-soleil.fr> <10860438.zDTZX8SP8J@xev> <20171009124455.hyclgbm7q5m4gj7e@layer-acht.org> <20171009131121.ujbis2oz5r7lgyxc@liw.fi> <20171009161302.slvp77jxzu5227x2@angband.pl> <87efqc9k7w.fsf@hope.eyrie.org> <20171009205658.m3lqumtzjpx334ue@angband.pl> <20171010130222.GF4385@connexer.com> <20171010132206.3knim3bo5socuu7z@enricozini.org> <87h8v6j50g.fsf@fifthhorseman.net>
+debian-project, debian-private -> bcc
Daniel Kahn Gillmor wrote:
> On Tue 2017-10-10 15:22:06 +0200, Enrico Zini wrote:
>> To me it would be already a big step forward to make Debian workflows
>> auditable, so anyone can have a look at what other people are doing.
>>
>> Contributions are generally all in the open, but it's pretty hard to
>> collate them all into a single audit log that one can look at.
>>
>> I would find such a thing useful also to audit myself, to see if things
>> are being done in my name that I am not aware of.
>
> I would also like this, for my own keys, and for the keys that i really
> depend on (like the archive signing key, for example).
>
> A likely approach would be similar to the "certificate transparency"
> model, where a signature from a public key isn't accepted unless/until
> it has been logged publicly someplace. This creates an incentive to
> log, and the log itself provides the transparency needed to make it
> *possible* to audit.
>
> If anyone is interested in working on this, i'd be happy to talk more
> about it further -- there are several designs in the "binary
> transparency" space that take this approach, and it would be great if
> debian could lead the way.
>
> sadly, i lack the time to implement this myself right now.
>
>> (all my reply can be quoted on a public list)
>
> same with mine.
>
> --dkg
Thanks,
Jonathan
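The certificate-transparency-style rule dkg sketches above (a signature from a key is not accepted until it has been logged publicly, and the log is what makes auditing possible) worked through as an added example. This is not code from the thread or from any Debian tool. Assumptions: the log is an in-memory append-only Merkle tree hashed RFC 6962 style, signatures are stood in for by HMAC-SHA256 (a placeholder for OpenPGP verification, not a model of it), and the record format, key ids and messages are constructed for the demo.

```python
"""Toy signature transparency log: append-only Merkle tree plus an
acceptance rule that rejects any signature not provably in the log."""
from __future__ import annotations

import hashlib
import hmac

# Domain separation between leaves and interior nodes (RFC 6962 section 2.1).
LEAF_PREFIX = b"\x00"
NODE_PREFIX = b"\x01"


def _sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(entry: bytes) -> bytes:
    return _sha256(LEAF_PREFIX + entry)


def node_hash(left: bytes, right: bytes) -> bytes:
    return _sha256(NODE_PREFIX + left + right)


def _split_point(n: int) -> int:
    """Largest power of two strictly less than n (n >= 2)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


class TransparencyLog:
    """Append-only list of records with a Merkle root and inclusion proofs."""

    def __init__(self) -> None:
        self.entries: list[bytes] = []

    def append(self, entry: bytes) -> int:
        self.entries.append(entry)
        return len(self.entries) - 1

    def root(self) -> bytes:
        return self._tree_hash(self.entries)

    def _tree_hash(self, entries: list[bytes]) -> bytes:
        if not entries:
            return _sha256(b"")
        if len(entries) == 1:
            return leaf_hash(entries[0])
        k = _split_point(len(entries))
        return node_hash(self._tree_hash(entries[:k]), self._tree_hash(entries[k:]))

    def inclusion_proof(self, index: int) -> list[tuple[bytes, bool]]:
        """Audit path for entries[index]: (sibling_hash, sibling_is_left), leaf to root."""
        return self._path(index, self.entries)

    def _path(self, m: int, entries: list[bytes]) -> list[tuple[bytes, bool]]:
        if len(entries) == 1:
            return []
        k = _split_point(len(entries))
        if m < k:  # target is in the left subtree; sibling is the right subtree hash
            return self._path(m, entries[:k]) + [(self._tree_hash(entries[k:]), False)]
        return self._path(m - k, entries[k:]) + [(self._tree_hash(entries[:k]), True)]


def verify_inclusion(entry: bytes, proof: list[tuple[bytes, bool]], root: bytes) -> bool:
    """Recompute the root from the leaf and the audit path; compare to the published root."""
    h = leaf_hash(entry)
    for sibling, sibling_is_left in proof:
        h = node_hash(sibling, h) if sibling_is_left else node_hash(h, sibling)
    return hmac.compare_digest(h, root)


def sign(key: bytes, message: bytes) -> bytes:
    # Stand-in for an OpenPGP signature (assumption): HMAC-SHA256 under `key`.
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_signature(key: bytes, message: bytes, signature: bytes) -> bool:
    return hmac.compare_digest(sign(key, message), signature)


def log_entry(key_id: bytes, message: bytes, signature: bytes) -> bytes:
    # Constructed canonical record: which key, digest of what was signed, the signature.
    return b"|".join([key_id.hex().encode(), hashlib.sha256(message).hexdigest().encode(),
                      signature.hex().encode()])


def accept_signature(key: bytes, key_id: bytes, message: bytes, signature: bytes,
                     published_root: bytes, proof: list[tuple[bytes, bool]]) -> bool:
    """CT-style rule: accept only if the signature verifies AND is provably logged."""
    if not verify_signature(key, message, signature):
        return False
    return verify_inclusion(log_entry(key_id, message, signature), proof, published_root)


def demo() -> dict:
    """Constructed scenario: one logged signature, one valid-but-unlogged, one tampered."""
    log = TransparencyLog()
    key, key_id = b"constructed-secret-key", bytes.fromhex("deadbeefcafef00d")
    for i in range(5):  # unrelated earlier records so the proof is non-trivial
        log.append(b"other-record-%d" % i)
    msg = b"Release: example-suite (constructed)"
    sig = sign(key, msg)
    idx = log.append(log_entry(key_id, msg, sig))
    root, proof = log.root(), log.inclusion_proof(idx)
    rogue_msg = b"rogue release never submitted to the log"
    rogue_sig = sign(key, rogue_msg)  # valid signature, but nobody logged it
    tampered = bytes([sig[0] ^ 1]) + sig[1:]
    return {
        "logged": accept_signature(key, key_id, msg, sig, root, proof),
        "unlogged": accept_signature(key, key_id, rogue_msg, rogue_sig, root, proof),
        "tampered": accept_signature(key, key_id, msg, tampered, root, proof),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the rule is the "unlogged" case: a signature made with the legitimate key that was never logged is rejected, which is what gives a key holder the incentive to log and gives an auditor (including the key's own owner) a single place to look for everything done with that key. Consistency proofs between successive roots, needed to detect a log that rewrites history, are not shown here.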