This writeup is the basis for the GPG key handling vote. The primary vote will allow selection of which, if any, board positions should hold the existing GPG key.
Details on the secondary vote, and on escrow, are lower down.
Voters will be able to choose each board position as a separate choice, thus allowing them to select any possible combination of positions (including none) that they feel should hold the key.
This vote is for the _current_ GPG catalog signing key. In the future, there will be new PKI infrastructure put in place and catalog signer(s) will be issued new keys appropriately at that time. As this may take time to implement properly, the current key is still a critical resource and we should decide how it is maintained within the community.
Pros to having the key held by the board
- The board should maintain all critical records such as keys and passwords to infrastructure
- Provides redundancy for an important resource
- Places a key resource within the realm of delegation
Cons to having the key held by the board
- The key is already redundantly held
- Once the key is given to someone, you can't just "ask for it back" and revoke their right to use it. You have to invalidate the key globally, which would require all CSW users to acquire a new key somehow.
- Boards, CEOs, and presidents of companies do not usually hold root passwords, etc. personally. The standard practice is usually to delegate responsibility to the people who actually use them.
Key escrow vs. directly held
The key escrow referred to is only a method of splitting up key access across multiple members of the board, IF multiple board members holding it is approved. Cooperation of all members of an escrow set would be required to use a key.
The escrow technology we are currently aware of does not address the issue of disabling "ex" board members' access to the key. The escrow access will continue to be available to a board member, even after their term of office has ended.
Please be aware of the following unfortunately complex, but real, scenarios.
2011: Board members 'A' and 'B', but not 'C', have escrow access. 'A' gets key part 'a', and 'B' gets key part 'b'. Once parts 'a' and 'b' are combined, the key can be used.
2012: Board member 'B' gets re-elected. New board members 'D' and 'E' are elected.
'B' gets key part 'a', and board member 'D' gets key part 'b'.
However, 'B' still has key part 'b' from his previous term. He then has both parts of the key, and can use it all by himself.
There are at least two other "problem" scenarios with escrow via the proposed means. One is where two ex-board member escrow holders collude to use a still-valid key. The other is where two re-elected, key-escrow-holding board members both previously held the same key part, so the option of "just give them the key part they had previously" cannot be taken.
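The 2011/2012 scenario above, worked through as an added example that is not part of the original writeup. The writeup does not name the escrow technology, so a two-part XOR split stands in for it as an assumption, the key is a constructed byte string, and the example goes one step beyond the text by also handing out freshly generated parts in 2012.

```python
import secrets

def split(secret: bytes) -> dict:
    """2-of-2 XOR split (assumed scheme): either part alone is random noise."""
    a = secrets.token_bytes(len(secret))
    return {"a": a, "b": bytes(x ^ y for x, y in zip(secret, a))}

def combine(p: bytes, q: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(p, q))

def holdings(terms):
    """terms: list of (parts, {member: part name}). Nobody can be made to
    forget a part, so each member's parts accumulate across terms."""
    held = {}
    for parts, assignment in terms:
        for member, name in assignment.items():
            held.setdefault(member, []).append(parts[name])
    return held

def can_recover(secret, held, group):
    """True if the parts held by `group` contain a pair that rebuilds the secret."""
    pool = [p for member in group for p in held.get(member, [])]
    return any(combine(p, q) == secret
               for i, p in enumerate(pool) for q in pool[i + 1:])

SECRET = b"constructed stand-in for the signing key"  # sample value, not a real key
PARTS_2011 = split(SECRET)
TERM_2011 = (PARTS_2011, {"A": "a", "B": "b"})

# Scenario from the text: the same two parts are handed out again in 2012.
REUSED = holdings([TERM_2011, (PARTS_2011, {"B": "a", "D": "b"})])
# Variation: the key is split again with fresh randomness for the 2012 board.
FRESH = holdings([TERM_2011, (split(SECRET), {"B": "a", "D": "b"})])

def report():
    return {
        "reused parts, B alone": can_recover(SECRET, REUSED, ["B"]),
        "fresh parts, B alone": can_recover(SECRET, FRESH, ["B"]),
        "fresh parts, B and D": can_recover(SECRET, FRESH, ["B", "D"]),
        "fresh parts, 2011 holders A and B": can_recover(SECRET, FRESH, ["A", "B"]),
    }

if __name__ == "__main__":
    for case, ok in report().items():
        print(f"{case}: {'key recoverable' if ok else 'not recoverable'}")
```

Fresh parts stop the re-elected member from completing the key alone, but the 2011 parts still combine for as long as the key itself stays valid.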
Participation: 8 voters.
- Should the Secretary position hold the key? Result: Yes (5 vs 3)
- Should the Treasurer position hold the key? Result: Yes (7 vs 1)
- Should the President position hold the key? Result: Tie (4 vs 4)
- Should the key be held by board in escrow? Result: Yes (6 vs 2)