On June 16, 2024 6:23:18 PM UTC, Russ Allbery <r...@debian.org> wrote:
>Scott Kitterman <deb...@kitterman.com> writes:
>
>> I think it's just that I view a signature by a mechanized service as
>> something different than a signature made by an actual person.
>> Technically you are correct, but I think it's fundamentally different.
>> I don't think the computer is responsible for anything.  I think it has
>> to trace to a person if you want to talk about responsibility.
>
>Okay, thanks, I think this is the core of our disagreement.  Let me sum up
>my side, just to be very clear about what I think the disagreement is.
>
>I don't believe that "a signature made by an actual person" is something
>that exists in the real world.  Humans do not sign things.  We do not have
>an OpenPGP implementation in our heads.  Signatures are always made by
>software, running on a possibly compromised computer, directed by humans.
>Any link between the human and the signature is a point of possible
>attack.
>
>For the existing source package signatures, a simplified sequence looks
>like this:
>
>    human --> (1) dpkg-buildpackage --> (2) debsign --> (3) archive
>
>For tag2upload, a simplified sequence looks like:
>
>    human --> (1) Git --> (2) tag2upload --> (3) debsign --> (4) archive
>
>In our current system, the source package signature can be traced back to
>(2).  In the tag2upload case, the source package signature can be traced
>back to (3) using the existing techniques and, with more work and new
>techniques, all the way back to (1).
>
>In neither case can the source package signature be traced back to a
>human, which is what I am arguing makes them similar.  What we're arguing
>about is which system has the better design (both security and otherwise)
>for the pieces prior to (2) in the first case and (3)/(1) in the second
>case.
>

Yes.  I think that's the core of the disagreement.  In my view, when I type the 
passphrase for my key, I'm asserting responsibility for the contents of what 
I'm signing.  It doesn't mean it is correct or uncompromised, but I am taking 
responsibility for it.

Scott K