Speakers
Description
In any open source software project, maintainer identity is becoming a critical problem. How can you be confident that someone contributing a patch (or PR) is not a malicious adversary? Attacks like the XZUtils compromise have heightened the concern around this sort of software supply chain attack, and the “North Korean developer” problem plagues both companies and open source projects.
Today, the kernel uses the kernel.org PGP web of trust to mitigate this problem. However, the technology that is used is outdated, leading to a system that is neither scalable nor private. In this talk, we propose using a system built on cryptographic proofs of personhood as a better alternative for a cryptographic web of trust. Informally speaking, cryptographic proofs of personhood allow us to build a decentralized, private reputation system, giving us all of the power of the existing web of trust, plus a whole new suite of functionalities.
We will explain the cryptographic principles behind proofs of personhood at a high level in a way that non-cryptographers can understand. Then, we will explain how this technology can be applied to solve the web of trust problem. Finally, we will demonstrate a fully functional, large implementation of proofs of personhood using entirely open source technology (standards and code) hosted in Linux Foundation Decentralized Trust. The demonstration will show that such a solution is ready to be adopted by kernel.org for the web of trust.