“medius + ocris = mediocris (halfway up the mountain) “ — Applied Principles in Software Engineering

Building Trust

Matt Borja
3 min read · Apr 2, 2022


I consider it a distinct honour to have been welcomed onto Shibboleth’s stand-up meeting yesterday: in hopes that I could get some clarification on a PGP key I didn’t recognize, but saw being used to sign their software.

The stand-up was very much like the ones I organize at work, only a lot more refined and a bit more relaxed. All things being equal, I think I would largely attribute the atmosphere to the convergence of experts who share the same values and thoroughly understand the ramifications of their actions.

There’s the 99% of the world that doesn’t care about this stuff, and then there’s the 1% that do care. — Scott Cantor

As Scott alludes to in one of his podcast recordings, security is not just concerned with preventing people from doing things; it is also about enabling people to do things they couldn’t do otherwise, had we not carved out a secure path for them. And as disrespectful as disregard and ridicule for our security concerns and passions is, perhaps the need to care only requires a 1% commitment to still be effective and enabling for the 99% who don’t. I mean, that’s what I do at work: I’ve been securing and enabling over 1.2+ million login sessions per year since 2017; it only takes me a few minutes of my day to scale that number out even further across new services as often as the organization needs me to; and nobody else actually needs to care how any of this works, because I set it up to work that way.

It was because I cared that I was put on Shibboleth’s agenda: they were happy to verify fingerprints for me, but it also served a dual purpose in providing Ian Young an opportunity to revisit their key management practices with the group (c. GEN-276, GEN-277). They seemed pleasantly surprised to find another 1% spec from some far off distant galaxy somewhere, now sitting with them; faced with the same challenges at work.

I know who Scott Cantor at OSU is, but who the heck is Rod Widdowson at steadingsoftware.com and why is his name on this thing?!?

I presumed Scott’s name would have been on the installers as Release Manager, but as I sat and listened to everyone in the group over the duration of the entire call, I learned the names, roles, personalities, and even voices of each developer present, to a much higher degree than most people will ever.

In truth, this was the first time in my life (since being exposed to GNU Privacy Guard back in 2003) that I had ever performed any kind of key verification; and when my name was called up, it felt like quite the field day: going around collecting assurances and mapping out the early beginnings of my own web of trust. Ironically, the developer whom I was originally auditing also turned out to be what I would consider one of the core defenders of the project: laboring hundreds of hours with the team to mitigate endless supply chain threats; who also seemed to work closely with another core defender, Ian Young, who himself has published his own Key Signing Policy which simply knocks it out of the park for me.
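The check the post describes, confirming that the key actually used to sign a release is one whose fingerprint you have verified out of band, is the part most deployers skip: they look only at the exit status of `gpg --verify`, which says nothing about which key signed. The example below is added here and is not code from the post or from the Shibboleth project. It parses the machine-readable status lines GnuPG emits with `--status-fd` (format per GnuPG's doc/DETAILS) and accepts a signature only when it is good and the primary key behind it is in a pinned allowlist. The fingerprints, key IDs and user ID in it are constructed placeholders, not real Shibboleth keys; `PINNED_RELEASE_KEYS` and the function names are this example's own.

```python
"""Pin a release-signing key by full fingerprint when checking a GnuPG signature.
Added example; placeholder fingerprints only. Status-line format per GnuPG doc/DETAILS."""
import subprocess
from dataclasses import dataclass
from typing import Optional

# Hypothetical pinned primary-key fingerprints, obtained out of band (for example,
# confirmed with the developers in person or against a published key-signing policy).
PINNED_RELEASE_KEYS = {
    "0000 0000 0000 0000 0000 0000 0000 0000 0000 0001",  # placeholder, not a real key
}

# Status keywords that mean the signature must not be accepted.
REJECT_KEYWORDS = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


@dataclass(frozen=True)
class SignatureResult:
    ok: bool
    reason: str
    signer_fpr: Optional[str] = None   # fingerprint of the (sub)key that made the signature
    primary_fpr: Optional[str] = None  # fingerprint of that key's primary key


def normalize_fpr(fpr: str) -> str:
    """Strip whitespace and upper-case, so '1234 abcd' compares equal to '1234ABCD'."""
    return "".join(fpr.split()).upper()


def evaluate_status(status_text: str, pinned: set) -> SignatureResult:
    """Decide whether a status-fd transcript proves a pinned key signed the file.

    GOODSIG alone is not enough: it carries only a 64-bit key ID, and any key that
    happens to be in the local keyring would satisfy it.  VALIDSIG carries the full
    signing-key fingerprint and, as its tenth field, the primary-key fingerprint;
    that primary fingerprint must be in the pinned set.  Web-of-trust status lines
    such as TRUST_UNDEFINED are deliberately ignored: pinning is the decision here.
    """
    pinned_norm = {normalize_fpr(p) for p in pinned}
    saw_goodsig = False
    valid = []  # (signer_fpr, primary_fpr) pairs from VALIDSIG lines
    for raw in status_text.splitlines():
        if not raw.startswith("[GNUPG:] "):
            continue  # not a status line
        fields = raw[len("[GNUPG:] "):].split()
        if not fields:
            continue
        keyword, args = fields[0], fields[1:]
        if keyword in REJECT_KEYWORDS:
            return SignatureResult(False, f"rejected by {keyword}")
        if keyword == "GOODSIG":
            saw_goodsig = True
        elif keyword == "VALIDSIG":
            if len(args) < 10:
                return SignatureResult(False, "VALIDSIG without primary-key fingerprint")
            valid.append((normalize_fpr(args[0]), normalize_fpr(args[9])))
    if not saw_goodsig or not valid:
        return SignatureResult(False, "no good signature found")
    for signer, primary in valid:
        if primary in pinned_norm:
            return SignatureResult(True, "signed by pinned key", signer, primary)
    signer, primary = valid[0]
    return SignatureResult(False, "good signature but key is not pinned", signer, primary)


def verify_detached(path: str, sig_path: str, pinned: set) -> SignatureResult:
    """Run gpg (must be installed) and apply evaluate_status to its status output."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, path],
        capture_output=True, text=True, check=False,
    )
    return evaluate_status(proc.stdout, pinned)


# Constructed sample transcripts (placeholder values) for offline use.
# 1) Good signature by a subkey whose primary key is pinned; note the web-of-trust
#    status is undefined, which is exactly the situation a first-time verifier is in.
SAMPLE_PINNED = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 00000000000000AA Release Manager (placeholder) <release@example.invalid>
[GNUPG:] VALIDSIG 00000000000000000000000000000000000000AA 2022-04-02 1648857600 0 4 0 1 10 00 0000000000000000000000000000000000000001
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
# 2) Good signature, but from a key nobody has vouched for.
SAMPLE_UNPINNED = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 00000000000000BB Someone Else (placeholder) <other@example.invalid>
[GNUPG:] VALIDSIG 00000000000000000000000000000000000000BB 2022-04-02 1648857600 0 4 0 1 10 00 0000000000000000000000000000000000000002
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
# 3) Tampered file: the signature does not match the content.
SAMPLE_BADSIG = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 00000000000000AA Release Manager (placeholder) <release@example.invalid>
"""

if __name__ == "__main__":
    for name, sample in (("pinned", SAMPLE_PINNED), ("unpinned", SAMPLE_UNPINNED), ("badsig", SAMPLE_BADSIG)):
        print(name, evaluate_status(sample, PINNED_RELEASE_KEYS))
```

The pinned set is the product of the due diligence the post describes; the code only enforces it. Pinning the primary-key fingerprint rather than the signing subkey means a routine subkey rotation by the project does not break verification, while a signature from any key outside the pinned set, however "good" GnuPG says it is, is refused.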

As a deployer of high-risk technology (i.e. identity management, session management, access management, connection security, high availability, cryptography, etc.), and engineer of such, I simply do not tolerate foolishness, negligence, hastiness, or pride. And when I read things like the White House’s recent Executive Order on Improving the Nation’s Cybersecurity (May 12, 2021), all that comes to mind is, “Great. Now the government is getting involved. Start getting your crap together, or get out.”

Building trust requires due diligence. Functionality is not the goal. I’m not a Shibboleth developer (yet), but wouldn’t you know it: where the 1% are, who do care about the details and act upon them, there you’ll find some of the most trustworthy people whose signatures would be as good as your own, and maybe even better.

— MB

Matt Borja

Full-stack web application developer and software engineer. I write about security, due diligence, architecture, and accountability in software engineering.