GPG functionality should support verification via signature

Description

Today, the only means of getting the coveted green Verified sticker that we all crave is by ensuring our GitLab email address is present on our public key. I posit that this is not at all desirable for a couple of reasons.

Reason 1 - Security

Performing a string comparison of the two email addresses is a great first step to demonstrate the feature, but it's not really the sort of production solution we need. The users email address, while verified by GitLab, is only a "soft" verification - technical security if you will. Whereas, the introduction of digital signatures enables us to up our game by entering into the world of "hard" verification - cryptographic security. technical security is easy to bypass and it's often hamstrung by it's dimwitted cousin, process-based security. cryptographic security is much more difficult to circumvent.

Of course, it's always a moving goal post, we rarely find ourselves in a position where we can offer perfect cryptographic security without relying on a bit of technical security - but we can always do better. This is one of those places.

By requesting a signed message from the possessor of the uploaded public key, we gain assurance of two things.

  1. The user uploading the key has been authenticated by a technical security measure.
  2. The key holder is solidly aware that they are binding their GPG public key to the given GitLab user account and proves it using cryptographic security.

Reason 2 - Privacy

Personally, I do not place my email address in my public keys. It's an act of preference, since I share my public keys on the Internet and the Internet is full of people who like to send me advertisements for a variety of goods as well as malware of all sorts. I choose to maintain a shred of privacy by asserting my email address through signature to those that I trust with my email address, not everyone. GitLab is forcing me to include my email address in my public key to obtain the coveted green verified sticker

Proposal

I am rather delighted that GitLab has taken initiative with GPG support. This feature, though popular with the cipher-punk community, is a major win for large enterprises as we move to shift them off of technical security and process-based security onto strong cryptographic security.

I propose that GitLab challenge the upload of any PGP public key with a message that must be signed with the associated key (or one of it's non-revoked sub-keys). This message should include at a minimum:

  • A friendly message explaining, in an understandable way, what the signer is signing.
  • A fully qualified representation of the user and the instance of GitLab (eg. mmaguigan@my-on-premise-gitlab.widgets.example.com)
  • The date of challenge in combined date and time ISO-8601 UTC.
  • The date of challenge expiration in combined date and time ISO-8601 UTC.
  • A challenge nonce associated with the challenge.
  • The GPG fingerprint of the public key being challenged.
  • [maybe] a counter indicating the number of times the user has added a GPG signature to their account.
  • Not entirely convinced this one is justified.

An example of another product performing such assertions is keybase.io