Insights on the large-scale deployment of a curated Web-of-Trust: the Debian project’s cryptographic keyring

Journal of Internet Services and Applications - Tập 9 - Trang 1-12 - 2018
Gunnar Wolf1, Víctor González Quiroga2
1Instituto de Investigaciones Económicas, Universidad Nacional Autónoma de México, Mexico City, Mexico
2Facultad de Ciencias, Universidad Nacional Autónoma de México, Mexico City, Mexico

Tóm tắt

The Debian project is one of the largest free software undertakings worldwide. It is geographically distributed, and participation in the project is done on a voluntary basis, without a single formal employee or directly funded person. As we will explain, due to the nature of the project, its authentication needs are very strict - User/password schemes are way surpassed, and centralized trust management schemes such as PKI are not compatible with its distributed and flat organization; fully decentralized schemes such as the OpenPGP Web of Trust are insufficient by themselves. The Debian project has solved this need by using what we termed a “curated Web of Trust”. We will explain some lessons learned from a massive key migration process that was triggered in 2014. We will present the social insight we have found from examining the relationships expressed as signatures in this curated Web of Trust, as well as a statistical study and forecast on aging, refreshment and survival of project participants stemming from an analysis on their key’s activity within the keyring.

Tài liệu tham khảo

Fernández-Sanguinoa J, et al. A Brief History of Debian:1997–2015. https://www.debian.org/doc/manuals/project-history/. Accessed 22 Dec 2016. Monga M. From Bazaar to Kibbutz: How freedom deals with coherence in the Debian project In: Feller J, et al, editors. Collaboration, Conflict and Control: The 4th Workshop on Open Source Software Engeneering. Edinburgh: Association for Computing Machinery (ACM): 2004. p. 71–5. https://doi.org/10.1049/ic:20040268. http://homes.di.unimi.it/monga/lib/oss-icse04.pdf. SPI, et al. Debian GNU/kFreeBSD:1997–2016. https://www.debian.org/ports/kfreebsd-gnu/. Accessed 22 Dec 2016. SPI, et al. Debian GNU/HURD:1997–2016. https://www.debian.org/ports/kfreebsdgnu/. Accessed 22 Dec 2016. Robles G, Gonzalez-Barahona JM, Michlmayr M. Evolution of volunteer participation in libre software projects: evidence from Debian. In: Proceedings of the 1st, International Conference on Open Source Systems.2005. p. 100–7. Robles G, Dueñas S, Gonzalez-Barahona JM, et al. In: Feller J, (ed).Corporate Involvement of Libre Software: Study of Presence in Debian Code over Time. Boston: Springer US; 2007, pp. 121–32. https://doi.org/10.1007/978-0-387-72486-7_10. http://dx.doi.org/10.1007/978-0-387-72486-7_10. Mateos-Garcia J, Steinmueller WE. The institutions of open source software: Examining the Debian community. In: Information Economics and Policy 20.4. Empirical Issues in Open Source Software: 2008. p. 333–44. https://doi.org/10.1016/j.infoecopol.2008.06.001. http://www.sciencedirect.com/science/article/pii/S0167624508000346. Coleman EG. Coding freedom: The ethics and aesthetics of hacking.2013. http://gabriellacoleman.org/Coleman-Coding-Freedom.pdf. (Visited on 01/13/2016). Wolf G, Gallegos-García G. Strengthening a CuratedWeb of Trust in a Geographically Distributed Project.2017. http://www.tandfonline.com/doi/full/10.1080/01611194.2016.1238421. Smart N. ECRYPT II Yearly Report on Algorithms and Keysizes (2011-2012). Tech. rep. 7th Framework Programme.European Commission; 2012. http://www.ecrypt.eu.org/ecrypt2/documents/D.SPA.20.pdf. Accessed 14 Jan 2016. Ulrich A, et al.Investigating the openPGP Web of Trust. In: Proceedings of the 16th European Conference on Research in Computer Security. ESORICS’11. Leuven: Springer- Verlag: 2011. p. 489–507. ISBN: 78-3-642-23821-5. http://dl.acm.org/citation.cfm?id=2041225.2041260. Zimmerman PR. Why I Wrote PGP. 1991. https://www.philzimmermann.com/EN/essays/WhyIWrotePGP.html. Cederlöf J. Dissecting the leaf of trust. 2004. http://www.lysator.liu.se/jc/wotsap/leafoftrust.html. Diffie WE, Hellman ME. New directions in cryptography. Inf Theory IEEE Trans. 1976; 22(6):644–54. PUB FIPS. 186. digital signature standard (DSS). In: National Institute of Standards and Technology (NIST) (1994–2013). http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf. Accessed 02 Feb 2016. Rivest RL, Shamir A, Adleman L. A method for obtaining digital signatures and public-key cryptosystems. Commun ACM. 1978; 21(2):120–6. ElGamal T. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms.1985. http://link.springer.com/chapter/10.1007/3-540-39568-7_2. Accessed 02 Feb 2016. Ferraro F, O’Mahony S. Managing the Boundaries of an “Open” Project In: Padgett JF, Powell WW, editors. The Emergence of Organizations and Markets. Chap. 18. Princeton University Press: 2012. p. 545–65. http://www.umass.edu/digitalcenter/events/pdfs/OMahony_open_project.pdf. Accessed 13 Jan 2016. Bichsel P, et al. Security and trust through electronic social network-based interactions. In: Computational Science and Engineering, 2009. CSE’09. International Conference on. Vol. 4. IEEE: 2009. p. 1002–7. Debian Project. Teams/MIA:2007–2014. https://wiki.debian.org/Teams/MIA. Accessed 07 Mar 2016. Huber M, Debian MIA. Raiders of the “Lost” Maintainer. 2007. http://www.linux-magazine.com/Online/News/Debian-MIA-Raiders-of-the-Lost-Maintainer. Zini E. Bits from the New Member Process. 2017. https://lists.debian.org/debian-devel-announce/2017/08/msg00009.html. Accessed 12 Sept 2017. Aparicio FF. TIC y sociedad: salvando la brecha digital. El caso de Extremadura: los nuevos centros del conocimiento y el software libre. In: Revista Latinoamericana de, Tecnología Educativa-RELATEC 3.1.2007. p. 29–44. http://relatec.unex.es/article/view/21. DebConf organization. DebConf9 final report. 2009. https://media.debconf.org/dc9/report/. Srivastava M. Please revoke your signatures from Martin Krafft’s keys. 2006. http://lists.debconf.org/lurker/message/20060525.073637.78ce0660.en.html. Krafft M. On the point of keysigning. 2008. http://madduck.net/blog/2008.01.28:on-the-point-of-keysigning/. Synchronizing Key Servers. SKS OpenPGP Keyserver statistics; 2016. http://pool.sks-keyservers.net:11371/pks/lookup?op=stats. Accessed 31 Dec 2016. Kamada T, Kawai S. An algorithm for drawing general undirected graphs. Inf Process Lett. 1989; 31(1):7–15. Tutz G, Schmid M. Modeling discrete time-to-event data. In: Springer Series Stat: 2016. https://doi.org/10.1007/978-3-319-28158--2. Klein JP, Moeschberger ML. Survival analysis: statistical methods for censored and truncated data. New York: Springer-Verlag; 2003. https://doi.org/10.1007/b97377. Kaplan EL, Meier P. Nonparametric estimation from incomplete observations. J Am Stat Assoc. 1958; 53(282):457–81. Aalen O. Nonparametric inference for a family of counting processes. Ann Stat. 1978; 6(4):701–26. Muller H-G, Wang J-L. Hazard rate estimation under random censoring with varying kernels and bandwidths. In: Biometrics.1994. p. 61–76. https://doi.org/10.2307/2533197. Prentice RL. A log gamma model and its maximum likelihood estimation. Biometrika. 1974; 61(3):539–44. Akaike H. A new look at the statistical model identification. IEEE Trans Automatic Control. 1974; 19(6):716–23. https://doi.org/10.1109/TAC.1974.1100705. Prentice RL. Discrimination among some parametric models. Biometrika. 1975; 62(3):607–14. Cox DR. Regression models and life-tables. J R Stat Soc Ser B Methodol. 1972;187–220. Schoenfeld DA. The asymptotic properties of nonparametric tests for comparing survival distributions. Biometrika. 1981; 68:316–9. Grambsch PM, Therneau TM. Proportional hazard tests and diagnostics based on weighted residuals. Biometrika. 1994; 81(3):515–26. Poo-Camaño G, et al. Herding cats in a FOSS ecosystem: a tale of communication and coordination for release management. J Internet Serv Appl. 2017. https://doi.org/10.1186/s13174-017-0063-2. Henk P. Penning. analysis of the strong set in the PGP web of trust. 2015. http://pgp.cs.uu.nl/plot/.