| field | value | date |
|---|---|---|
| author | Konstantin Ryabitsev <konstantin@linuxfoundation.org> | 2022-11-16 10:21:37 -0500 |
| committer | Konstantin Ryabitsev <konstantin@linuxfoundation.org> | 2022-11-16 10:21:37 -0500 |
| commit | 6444b5f279221f258de823b865cfaf16ca4e41f0 (patch) | |
| tree | b79cfc7f1b1bb35798ce614809b02ce433c1cab8 | |
| parent | f204a5283c8426e62c1dcf11147777127dd3d93e (diff) | |
| download | korg-6444b5f279221f258de823b865cfaf16ca4e41f0.tar.gz | |
Provide recommended video conference procedure for keysigning
A very frequent request is for a recommended procedure to follow when
using online video conferencing for keysigning.
Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
| mode | file | changes |
|---|---|---|
| -rw-r--r-- | source/accounts.rst | 92 |

1 files changed, 74 insertions, 18 deletions
diff --git a/source/accounts.rst b/source/accounts.rst index ab499ca..81e87d1 100644 --- a/source/accounts.rst +++ b/source/accounts.rst @@ -21,10 +21,12 @@ receive a response back within a few days. If you are listed in `MAINTAINERS`_ and have enough signatures on your PGP key to be in the web of trust, your account will be issued without delay. -.. important:: If we find an A (authentication) subkey on your PGP key, - we will assume you will want to use that for your ssh access. If that - is not the case, please mention it in the request and you'll be - issued a new ssh private key instead. +.. important:: + + If we find an A (authentication) subkey on your PGP key, we will + assume you will want to use that for your ssh access. If that is not + the case, please mention it in the request and you'll be issued a new + ssh private key instead. .. _`MAINTAINERS`: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/MAINTAINERS @@ -38,9 +40,11 @@ using the following command:: PGP Web of Trust ---------------- -.. warning:: With extremely rare exceptions, accounts will not be issued - unless the there are enough signatures on the PGP key to satisfy the - web of trust. +.. warning:: + + With extremely rare exceptions, accounts will not be issued unless + the there are enough signatures on the PGP key to satisfy the web of + trust. We use the PGP web of trust to help ensure that only trusted kernel developers are able to get an account on kernel.org. Before you send the 
@@ -48,14 +52,66 @@ email, make sure that your PGP key is signed by *at least two other people who already have an active kernel.org account*. PGP signing events at conferences are usually a good place to start, or -you can find kernel developers who live in your area. You can also check -the :doc:`ksmap` for kernel developers in your area. If meeting in -physical space is not an option for you due to travelling or quarantine -restrictions, you may prefer to arrange a video conference call for the -same purpose. - -.. important:: Remember, the goal is not to verify someone's - government-issued credentials, but to build a web of trusted - contributors. When you are signing someone's key, you are effectively - stating: "I have worked with this person and I vouch for their - identity by signing their key with my own." +you can find kernel developers who live in your area. If meeting in +physical space is not an option for you, read below for the recommended +video conferencing procedure. + +.. important:: + + Remember, the goal is not to verify someone's government-issued + credentials, but to build a web of trusted contributors. When you are + signing someone's key, you are effectively stating: "I have worked + with this person and I vouch for their identity by signing their key + with my own." + +Keysigning via video conferencing +--------------------------------- +If you are unable to attend a physical keysigning, it is acceptable to +have your key signed via video conferencing. You will need at least two +people who are: + +- members of the kernel.org keyring (have active kernel.org accounts) +- EITHER have met you personally previously (e.g. via a conference) +- OR have worked with you for some period of time + +Procedure for the signee +~~~~~~~~~~~~~~~~~~~~~~~~ + +1. Arrange a video conference using a platform acceptable for everyone + involved. +2. 
Export and send your public key to all members who will be attending + the call ahead of its scheduled time (using ``gpg --export -a -o + unsigned.asc [your@address]``). +3. During the conference, establish your identity with the signers. +4. When everyone is ready, read your public key fingerprint out loud + (you can display it using ``gpg --fingerprint [your@address]``). +5. Make sure everyone has verified the fingerprint. +6. Finish the call. +7. Wait for the signed key to be send to you. +8. Import the signatures into your keyring using ``gpg --import + export.asc``. +9. Once you have received all the signatures, export the public key + using ``gpg --export -a -o signed.asc [your@address]``. +10. Submit the exported key with your account request. + +Procedure for the signers +~~~~~~~~~~~~~~~~~~~~~~~~~ + +1. Import the public key sent by the signee prior to the conference into + your keyring (``gpg --import unsigned.asc``). +2. Attend the video conference call arranged by the signee. +3. During the call, establish the identity of the signee either using + their appearance or by chatting about your prior shared experiences + working on the Linux kernel (the patches they sent, the discussions + you had together, etc). Please insist on the webcam use and be wary + that being in the Linux kernel keyring is sufficiently interesting to + attackers to attempt "deepfakes" or other video trickery. +4. If you are sufficiently assured that the person on the call is who + they say they are, confirm the public key they sent to you by asking + the signee to read it out loud (you can display it using ``gpg + --fingerprint [their@address]``). +5. If the fingerprint matches, finish the call. +6. Sign the key (e.g. using ``gpg --quick-sign-key [their-key-id]``). +7. Export the signed key using ``gpg --export -a -o signed.asc + their@address``. +8. Send the signed key back to the signee via email. |
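Review bot: in the second hunk (the "PGP Web of Trust" warning, @@ -38,9 +40,11 @@) the typo "the there" from the old admonition survives the reflow onto the `+` lines ("accounts will not be issued unless the there are enough signatures"); since these lines are rewritten anyway, drop the stray "the" so the warning reads "unless there are enough signatures on the PGP key to satisfy the web of trust."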
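Review bot: in the third hunk (@@ -48,14 +52,66 @@) the two procedures disagree on the file exchanged at the end: signers export with ``gpg --export -a -o signed.asc their@address`` (signer step 7) and email that file, but signee step 8 imports ``export.asc``; use ``signed.asc`` in both places, and bracket the placeholder as ``[their@address]`` like every other command in the section, so the steps can be followed literally. In the same hunk, signee step 7 should read "to be sent to you"; signer step 4 asks the signee to read "it" (the public key) out loud when what is actually compared is the fingerprint shown by ``gpg --fingerprint``; and "insist on the webcam use" reads better as "insist on webcam use". Lastly, the removed sentence "You can also check the :doc:`ksmap` for kernel developers in your area" drops the only link to the keysigning map; if that was not intended, keep it next to the new pointer to the video conferencing section.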