
Single-point-of-failure

Posted Oct 22, 2024 9:20 UTC (Tue) by kleptog (subscriber, #1183)
In reply to: Single-point-of-failure by mirabilos
Parent article: Python PGP proposal poses packaging puzzles

In the end it's a trust chain, whether via random people in a web of trust, or some corporate entity which is trusted to identify other users. But ownership of an email is really a poor proxy of identity, if commonly used.

The real test would be if this can support the (in-progress) European digital identity. If it's good enough for issuing digital drivers licenses, it's got to be good enough for uploading packages. Basing everything on a few US corporates is a different kind of single point of failure.



Single-point-of-failure

Posted Oct 22, 2024 21:31 UTC (Tue) by mirabilos (subscriber, #84359) [Link]

tbh I trust my government even less, at least on digital things

Single-point-of-failure

Posted Oct 25, 2024 9:07 UTC (Fri) by milesrout (subscriber, #126894) [Link] (7 responses)

>European digital identity

Does this mean that I get to choose either to trust Microsoft, Google, and Facebook, or... Hungary?

Single-point-of-failure

Posted Oct 25, 2024 21:37 UTC (Fri) by kleptog (subscriber, #1183) [Link] (5 responses)

> Does this mean that I get to choose either to trust Microsoft, Google, and Facebook, or... Hungary?

Like I said, if banks can trust eID to allow you to open new bank accounts, sign documents and take out loans, surely it must be good enough for uploading to PyPI?

No bank is going to allow me to open a bank account by authenticating with my Gmail account. I find the trust in Microsoft/Google/Facebook somewhat concerning. None of them care about your identity at all, only your credit card.

Single-point-of-failure

Posted Oct 29, 2024 8:59 UTC (Tue) by taladar (subscriber, #68407) [Link] (4 responses)

Banks just financially absorb a certain amount of risk. A 99.9% solution is good enough for them. It is not good enough for a protection of the software supply chain where a single central compromise could affect millions of systems.

Single-point-of-failure

Posted Oct 29, 2024 12:01 UTC (Tue) by pizza (subscriber, #46) [Link] (3 responses)

> Banks just financially absorb a certain amount of risk. A 99.9% solution is good enough for them. It is not good enough for a protection of the software supply chain where a single central compromise could affect millions of systems.

As opposed to... protection of the financial supply chain where a single central compromise could affect millions of people, and billions of Euros?

Single-point-of-failure

Posted Oct 30, 2024 8:57 UTC (Wed) by taladar (subscriber, #68407) [Link] (2 responses)

But a compromise of a single bank account won't do that.

Single-point-of-failure

Posted Oct 30, 2024 11:39 UTC (Wed) by pizza (subscriber, #46) [Link] (1 responses)

> But a compromise of a single bank account won't do that.

But a compromise of the central national digital identity provider that the bank (or rather, *all* banks) uses will.

Remember, this government-provided identity is sufficient for literal life-and-death (and the state forcibly stripping you of your freedom) situations.

Single-point-of-failure

Posted Oct 30, 2024 16:44 UTC (Wed) by kleptog (subscriber, #1183) [Link]

A bank only needs to verify your identity once, when the account is opened. After that they have their own login systems which have worked just fine for years. Using a government-provided identity every time to log into a bank account is, I guess, possible, but not really the goal.

And it's only for online things. Offline your physical passport trumps whatever any online system says.

Single-point-of-failure

Posted Oct 29, 2024 13:08 UTC (Tue) by Avamander (guest, #152359) [Link]

You could also choose Finland, Estonia, Latvia or any others that aren't stuck in the stone age with paper signatures.

