
Re: Debian OpenPGP audit log



+debian-project, debian-private -> bcc
Daniel Kahn Gillmor wrote:
> On Tue 2017-10-10 15:22:06 +0200, Enrico Zini wrote:

>> To me it would be already a big step forward to make Debian workflows
>> auditable, so anyone can have a look at what other people are doing.
>>
>> Contributions are generally all in the open, but it's pretty hard to
>> collate them all into a single audit log that one can look at.
>>
>> I would find such a thing useful also to audit myself, to see if things
>> are being done in my name that I am not aware of.
>
> I would also like this, for my own keys, and for the keys that i really
> depend on (like the archive signing key, for example).
>
> A likely approach would be similar to the "certificate transparency"
> model, where a signature from a public key isn't accepted unless/until
> it has been logged publicly someplace.  This creates an incentive to
> log, and the log itself provides the transparency needed to make it
> *possible* to audit.
>
> If anyone is interested in working on this, i'd be happy to talk more
> about it further -- there are several designs in the "binary
> transparency" space that take this approach, and it would be great if
> debian could lead the way.
>
> sadly, i lack the time to implement this myself right now.
>
>> (all my reply can be quoted on a public list)
>
> same with mine.
>
>      --dkg

Thanks,
Jonathan
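As an added example, not code from the thread or from Debian, this sketches the "certificate transparency" rule dkg describes: a verifier refuses a signature unless it comes with an inclusion proof against the root of a public append-only log. It uses RFC 6962 leaf/node hashing; the signature record format is a constructed placeholder, and no real OpenPGP verification is performed.

```python
import hashlib
# Added example, not code from the thread: a toy CT-style append-only Merkle log
# (RFC 6962 hashing). A signature record is accepted only with a valid inclusion proof.
def _leaf_hash(record: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + record).digest()

def _node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def _split(n: int) -> int:  # largest power of two strictly less than n
    k = 1
    while k * 2 < n:
        k *= 2
    return k

def log_append(leaves: list, record: bytes) -> int:
    """Append-only: returns the entry index the signer later presents with its proof."""
    leaves.append(_leaf_hash(record))
    return len(leaves) - 1

def merkle_root(hashes: list) -> bytes:
    if len(hashes) == 1:
        return hashes[0]
    k = _split(len(hashes))
    return _node_hash(merkle_root(hashes[:k]), merkle_root(hashes[k:]))

def inclusion_proof(hashes: list, index: int) -> list:
    """Audit path: sibling subtree hashes from the leaf upward."""
    if len(hashes) == 1:
        return []
    k = _split(len(hashes))
    if index < k:
        return inclusion_proof(hashes[:k], index) + [merkle_root(hashes[k:])]
    return inclusion_proof(hashes[k:], index - k) + [merkle_root(hashes[:k])]

def _replay(h: bytes, index: int, size: int, proof: list):
    """Root implied by a leaf hash plus audit path; None if the shapes disagree."""
    if size == 1:
        return h if not proof else None
    if not proof:
        return None
    k = _split(size)
    if index < k:
        below = _replay(h, index, k, proof[:-1])
        return None if below is None else _node_hash(below, proof[-1])
    below = _replay(h, index - k, size - k, proof[:-1])
    return None if below is None else _node_hash(proof[-1], below)

def accept_signature(record: bytes, index: int, size: int, proof: list, root: bytes) -> bool:
    """The thread's rule: refuse a signature that is not provably in the public log."""
    return _replay(_leaf_hash(record), index, size, proof) == root
```

The auditable part is the log itself: anyone holding a published root can replay the same proofs, which is what lets a key owner check what has been signed in their name.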