Nilesh Patra <nilesh@mailbox.org> wrote on 15/11/2023 at 03:49:12+0100:

> On 15 November 2023 5:10:50 am IST, Nicholas D Steeves <sten@debian.org> wrote:
>> On the surface, this means Proton Mail (free account) is great! And for
>> general use, I feel like we should be supportive of them; however, I'm
>> starting to wonder if we need to recommend against the use of Proton
>> Mail for Debian work for the following two reasons:
>>
>> 1. I've received a report that this provider is not appropriate for DM
>> and DD use, because the key pair is stored on their servers. I.e., the
>> applicant doesn't control the means of validating identity and
>> authorship.
>
> 100% agreed.
>
> I once advocated a DM who uses Proton Mail, and a few months after they
> became a DM, I came to know about PM storing keys on the server.
> So I quickly checked with the person in question whether they had pushed
> their keys to PM's servers, and to my utter horror, they had.
>
> I quickly let the keyring maintainers know, and their keys were removed
> immediately; a new pair of keys was later added back after a few
> months, when enough trust had been established for those.
>
> This is not the only instance I have faced this. Another individual whom I
> advocated for being a DM also did this, but we found out about it
> before the process started.
>
> People who are new to the GPG thing end up thinking it's okay to add
> their keys to PM, which is fine, but this is as good as compromised
> from the Debian view, which I think is correct.
>
> Due to this, I'm always skeptical whenever I receive a PGP-signed or
> encrypted email from Proton Mail.

Following this specific event, the discussions we had between FD/DAM/Keyring Maint seemed clear: a GPG key for which the private component can't be trusted to be owned/managed/accessible only by the DD/DM to whom it's supposed to belong can't stay in the keyring, as it can't be trusted.

--
PEB