Re: Debian OpenPGP audit log
- To: email@example.com
- Cc: Daniel Kahn Gillmor <firstname.lastname@example.org>, Enrico Zini <email@example.com>, Roberto C. Sánchez <firstname.lastname@example.org>
- Subject: Re: Debian OpenPGP audit log
- From: Jonathan Nieder <email@example.com>
- Date: Tue, 10 Oct 2017 11:51:02 -0700
- Message-id: <20171010185102.GV19555@aiede.mtv.corp.google.com>
- In-reply-to: <firstname.lastname@example.org>
- References: <A2A20EC3B8560D408356CAC2FC148E53BB448C67@SUN-DAG3.synchrotron-soleil.fr> <10860438.zDTZX8SP8J@xev> <email@example.com> <firstname.lastname@example.org> <email@example.com> <firstname.lastname@example.org> <email@example.com> <20171010130222.GF4385@connexer.com> <firstname.lastname@example.org> <email@example.com>
+debian-project, debian-private -> bcc
Daniel Kahn Gillmor wrote:
> On Tue 2017-10-10 15:22:06 +0200, Enrico Zini wrote:
>> To me it would be already a big step forward to make Debian workflows
>> auditable, so anyone can have a look at what other people are doing.
>> Contributions are generally all in the open, but it's pretty hard to
>> collate them all into a single audit log that one can look at.
>>
>> I would find such a thing useful also to audit myself, to see if things
>> are being done in my name that I am now aware of.
>
> I would also like this, for my own keys, and for the keys that i really
> depend on (like the archive signing key, for example).
>
> A likely approach would be similar to the "certificate transparency"
> model, where a signature from a public key isn't accepted unless/until
> it has been logged publicly someplace. This creates an incentive to
> log, and the log itself provides the transparency needed to make it
> *possible* to audit.
>
> If anyone is interested in working on this, i'd be happy to talk more
> about it further -- there are several designs in the "binary
> transparency" space that take this approach, and it would be great if
> debian could lead the way.
>
> sadly, i lack the time to implement this myself right now.
>
>> (all my reply can be quoted on a public list)
>
> same with mine.