
Re: [Monotone-devel] WARNING: ~/.monotone/keys CONSIDERED HARMFUL


From: Daniel Carrera
Subject: Re: [Monotone-devel] WARNING: ~/.monotone/keys CONSIDERED HARMFUL
Date: Tue, 21 Oct 2008 16:11:30 +0200
User-agent: Thunderbird 2.0.0.17 (Macintosh/20080914)

Markus Wanner wrote:
> Daniel Carrera wrote:
>> My position is that the PGP web of trust provides identification
>> but not authorization and so it does not help Monotone.
>
> According to your own definition below, PGP only provides
> authentication, not identification.

Hmm... The PGP web of trust verifies that the key you are looking at belongs to the guy called Daniel Carrera. That is identification and authentication: 1) Who are you? 2) Prove it.


In any case, I hope that you got the general gist of my meaning. PGP would not make it easier to figure out if Daniel should be allowed to send patches to the server.


> To authorize someone to do something, you certainly need authentication.
> Otherwise, how do you know who you authorize to do something?

PGP tells you that a certain key really belongs to the guy called Daniel Carrera. But honestly, do you care? What you really want to know is whether the owner of his key (whoever he might be) is allowed into the server. PGP doesn't provide that, and it doesn't make it easier.

PGP and Monotone can both verify that a patch is signed by a given key. And with either system, you have to upload the key to the server to authorize the owner.

As you can see, using PGP doesn't buy you anything. Sure, you could replace Monotone keys with PGP keys. Keys are keys and either could be uploaded to the server to serve for authentication. But the PGP method is more expensive and doesn't get you any features that you need that Monotone keys don't already provide.

On the topic of "web of trust": PGP's web of trust is a method to verify the identity of a key owner. Brian can verify that I am the owner of the key xyz (because we met in person) and you trust Brian, so you also trust that I am the owner of the key xyz. But this doesn't tell you whether you should trust me to commit code. PGP's web of trust does not include a field for "Daniel is a good coder". It only verifies my identity. You want to share ACLs between servers. PGP would not give you that. PGP's web of trust has nothing to do with ACLs. Projects that use PGP (like Debian) still do access control "manually".


> Using GPG from monotone would allow to authenticate someone by his GPG
> key instead of by his monotone key.

And what is the point of doing that?


> And GPG keys are much more widespread than monotone keys, which
> might be a reason to at least support GPG.

I don't see how the spread of GPG matters. You are not going to give someone commit access or trust their keys because they already have GPG. You have to assign access control "manually" one way or the other. The one feature that PGP provides on top of Monotone is the one that you don't care about.


> I'd state that PGP provides authentication - pretty independently of the
> name and email. As an example, I've just recently changed my name due to
> marriage, but the PGP key and my identity remained the same. I simply
> added my new name, now having "Markus Schiltknecht" and "Markus Wanner"
> as names for my identity.

That's identification. The ACL should not care whether your name is Schiltknecht or Wanner. If you buy a bus ticket, your name is not on the ticket but it still authorizes you to use the bus. And there is a machine or a person inside the bus that authenticates the ticket (verifies that it is valid). These are the things you want in Monotone. You want to know whether key xyz is allowed to commit patches or not.


>> should be allowed into the server. For that purpose, PGP doesn't appear
>> to provide anything that Monotone's light-weight alternative doesn't
>> already provide.
>
> I absolutely agree to that from a technical point of view.

You do? Then what are we arguing about?


> But it
> requires people to create monotone keypairs, whereas by supporting GPG,
> they could use their existing GPG keypairs.

Ok. I think we have isolated the crux of the argument. We agree that from a technical point of view GPG and Monotone keys both provide the authentication needed (verify that a patch really belongs to a certain key). You say that Monotone should use GPG because that way people can reuse their existing GPG keys. Not because GPG has a feature that we don't already have besides being popular.

Are we on the same wavelength?

Daniel.



