[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

DAM Key and identity requirements

Hash: SHA256

Hello everyone,

world-wide changes due to COVID-19 prompted us to conduct a long-overdue
review of the GPG key requirements for people applying for Debian
Maintainer (DM) and Debian Developer (DD) membership status.

Before asking Debian Keyring Maintainers [KDO] to add a key to a
keyring, and Debian System Administrators [DSA] to create an account for
a person, as Debian Account Managers we need to enforce some technical
requirements on the GPG key, and perform some identity checks on the
person who is applying.

Technical requirements
- ----------------------

Technical requirements are unchanged. For completeness, they are:

 * Minimum key size and acceptable algorithms are actually the domain of
   keyring-maint, and we just check those for them.
   At the time of writing this, a new key must be larger than 1024bits,
   ideally at least 4096bits, and capable of hashes stronger than SHA1.
   Please check [KDO] for more recent information.

 * An encryption subkey must be present, since various parts of our
   infrastructure require it.

 * A signature subkey must be there, since various parts of our
   infrastructure require it. Also, it is needed to build up trust (see

 * At least one User ID (UID) must have a working email address.

Identity requirements
- ---------------------

We are explicitly formalising a new requirement:

   The person controlling the GPG key needs to have an established track
   record of work within/for the project.

This was effectively already checked by Advocates and Application
Managers. It now becomes the primary criteria for granting a key
effective trust within Debian.

We are explicitly formalising also another requirement:

   A natural person may only have one identity in Debian.

This was effectively enforced before by requiring cross-signing keys,
and relying on people doing the cross-signing to have key signing
policies strong enough to reliably connect a key to a person.

Checking an established track record
- ------------------------------------

 * Sign your work

For anyone doing package upload works, or other kinds of work that
require GPG key signatures, it is fairly straightforward to attribute
activity to a key.

For other kinds of work in Debian where a GPG key is not normally used,
like git commits or Merge Requests, DebConf work, and many others, it
might be harder to prove trust in the key.

The general idea is: sign your work occasionally if possible. You can
sign emails or git commits, for example.

 * Key endorsements

In addition to seeing the reputation for a key based on signatures on
Debian work, we introduce key endorsements. The idea is to allow
advocates - and any other Debian Developer - to witness that they have
interacted with a DM/DD applicant using the GPG key that they are using
for the process.

The process, to be implemented on nm.debian.org, and restricted to
Debian Developers, will be something like this:

 1. lookup a person's key
 2. click on a button saying something like "I have interacted with this
    person with this key"
 3. add a short note with details.

That list of endorsements will be public. Each endorsement will be
timestamped and it will age over time, so that, for example,
endorsements from 3 years ago would not be valid for NM now.

We expect people to endorse keys responsibly.

We also expect that any advocate would be able to provide such an
endorsement, as in advocating they are bringing their experience in
interacting with the person first-hand. There may be corner cases in
which an advocate cannot do that, in which case we will be curious for
an explanation.

For a DM or DD process to finish we require at least 2 recent

As soon as key endorsements will be implemented, we will stop requiring
a minimum number of key signatures on nm.debian.org.

Checking that a person has only one identity in Debian
- ------------------------------------------------------

Having a key cross-signed by Debian Developers was previously
effectively a primary requirement. It now becomes one possible
implementation detail.

If your key is alredy cross-signed with at least two Debian Developers,
we still consider it good enough: what worked before continues working.

If your key has no trust path towards the Debian Web of Trust when you
are applying, we will require that you GPG-sign a statement saying that
the identity of the person controlling the key corresponds to what is in
at least one key User ID, and that the person does not already have a DM
or DD account under a different name.

Key endorsements mean that one can join Debian with a key that is not
connected to their legal identity - as long as the key is connected to a
significant history and reputation within Debian. We however still
strongly encourage people to cross-sign keys as much as possible.

Miscellaneous considerations
- ----------------------------

 - We do not intend to interfere in any way with how people conduct key
   signing. Each person has and keeps having their own policy for
   signing keys.
 - This mail effectively moves the entry barrier from "meet 2 random
   people, somewhere" to "you are represented by the work you did and do
   in Debian". We believe that this fits better both the current
   COVID-19 situation, and the general do-ocracy attitude of Debian.
 - These changes only affect the introduction of a new person and their
   associated key into the project. Project members are still advised to
   get cross-signatures on their key to help strengthen our web of trust,
   and to ensure that should their key need replacement they have a
   smooth path to do so, rather than requiring a lengthy process of
   verified activity with a new key before it can be accepted.
 - While in some cases it may be useful to know a person's real identity,
   what we as a project are most concerned with is a good track record of
   doing useful things, that has built up a good reputation. It is more
   beneficial to us to track this aspect of an individual than any
   government assigned ID, as it requires continuous commitment over a
   certain time.

- ---------

[KDO] https://keyring.debian.org/creating-key.html
[DSA] https://dsa.debian.org/

- -- 
Debian Account Managers  Debian Account Managers <da-manager@debian.org>
GPG key rsa4096/57731224A9762EA155AB2A530CA8D15BB24D96F2 2016-06-15 


Attachment: signature.asc
Description: PGP signature

Reply to: