The ZTRUST working group exists to educate and inform members of the IBM Z and LinuxONE community (mainframers) about the need for cryptographic trust in our IT ecosystem, starting with code signing and the issues around it.
This working group also exists to provide a "trust anchor" for the IBM Z community which can be used for verifying delivered code ("artifacts") and related content. This is especially vital for common-use code and modifications for which there is no existing code or living author.
One of the first questions people ask is, "How do I create a PGP key pair?" For that, see the How-To guide. For the questions that usually follow, see the Q&A.
"It's always been a matter of trust." --Billy Joel
Cryptography is easy. Key management is hard.
The keys are not significant. The trust is what matters.
As of this writing, many members of the Z community remain unfamiliar with trust anchors, cryptographic signing, PKI and PGP, and related topics. This working group will fill those gaps in understanding.
While many trust anchors, trust paths, and trust chains already exist, it is vital to establish a community trust anchor for those software deliverables and related services which fall outside of established commercial trust space.
- documentation
- PKI root certificates
- PGP public keys
This WG communicates on the following channels:
- email discussion list (set up by Tom Slanda, LF program coordinator): wg-ztrust-discussion@lists.openmainframeproject.org
- no Slack channel at present (a Discord subchannel is a possibility)
This WG presently meets on Mondays from 10 AM to 11 AM Eastern, hosted on Google Meet:
https://meet.google.com/aso-voon-sia
Also see the Open Mainframe Project public calendar.
Meeting notes, recordings, and any presentations made during WG meetings are available here.
In the late 1980s, asymmetric (public-key) cryptography came into general use. The underlying mathematics had been developed a decade earlier, by two independent teams, but it took some time for the idea to catch on. Originally seen as a way to send very private messages, asymmetric crypto also gives us the ability to form cryptographic trust relationships: a signature made with a private key lets anyone holding the matching public key confirm that the content came from that key's owner and has not been altered.
At this time, three widely used systems rely on asymmetric crypto: PKI (the X.509 certificates behind SSL/TLS), SSH (Secure Shell), and PGP (Pretty Good Privacy). PKI and PGP both support cryptographic trust for such things as code signing, and that is the focus of this effort.
The pgp sub-directory has a number of PGP keys contributed by members of the community. Because most of these keys are cross-signed (each contributor has checked the others' key fingerprints and signed their keys), they form a web of trust.
The significance of PGP is that it is person-to-person. It goes deeper than commercial or institutional trust. But establishing and maintaining personal trust can be time consuming.
The pki sub-directory has a number of PKI root certificates contributed by members of the community. Some of these are signed using PGP.
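The consumer side of both of the preceding paragraphs (a PGP key from the pgp sub-directory used to check a signed artifact, or a PGP-signed root certificate from the pki sub-directory) is the same operation, shown below as an added example. This script is not tooling from the ZTRUST repository; it assumes GnuPG 2.1 or later is installed, and the signer identity signer@example.org, the artifact mod.bin and its content are constructed for the demonstration. The point it makes that a bare "gpg --verify" does not: "Good signature" only means the signature matches some key in your keyring, so the verifier must also pin the signer's fingerprint to the one it obtained out of band or through the web of trust.

```shell
#!/bin/sh
# Added example, not code from the ZTRUST repository. Consumer-side PGP
# verification: import a contributor's public key into a clean keyring, verify a
# detached signature over an artifact, and pin the signer's fingerprint.
# Assumptions: GnuPG 2.1+ on PATH; signer@example.org and mod.bin are constructed.

# verify_pinned ARTIFACT SIG EXPECTED_FPR
# Returns 0 only when SIG is a good signature over ARTIFACT *and* it was made by
# the key whose fingerprint is EXPECTED_FPR. The fingerprint is the trust anchor;
# a PGP-signed root certificate is verified the same way (ARTIFACT is the .pem).
verify_pinned() {
    status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null || true)
    # VALIDSIG is emitted only for a cryptographically good signature; its first
    # argument is the fingerprint of the key that produced it.
    actual=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG /{print $3; exit}')
    [ -n "$actual" ] && [ "$actual" = "$3" ]
}

# demo_pgp_verification
# Builds a throwaway contributor keyring, signs a constructed artifact, then plays
# the consumer with a separate keyring. Exit status: 0 if all three cases behave
# correctly, 1 on any failure, 77 if gpg is not installed (so callers can skip).
demo_pgp_verification() {
  (
    command -v gpg >/dev/null 2>&1 || exit 77
    work=$(mktemp -d) || exit 1

    # --- contributor side: signing key with no passphrase (demo only)
    export GNUPGHOME="$work/signer"; mkdir -m 700 "$GNUPGHOME"
    cat >"$work/params" <<'EOF'
%no-protection
Key-Type: eddsa
Key-Curve: ed25519
Key-Usage: sign
Name-Real: Example Signer
Name-Email: signer@example.org
Expire-Date: 0
%commit
EOF
    gpg --batch --quiet --gen-key "$work/params" 2>/dev/null || exit 1
    printf 'constructed artifact: fictional build 1\n' >"$work/mod.bin"
    gpg --batch --yes --armor --detach-sign --output "$work/mod.bin.asc" "$work/mod.bin" 2>/dev/null || exit 1
    gpg --batch --armor --export signer@example.org >"$work/signer.asc" 2>/dev/null || exit 1
    # The fingerprint is what a consumer records out of band; it is the anchor.
    fpr=$(gpg --batch --with-colons --fingerprint signer@example.org 2>/dev/null \
          | awk -F: '/^fpr:/{print $10; exit}')
    gpgconf --kill gpg-agent 2>/dev/null || true

    # --- consumer side: fresh keyring holding only the published public key
    export GNUPGHOME="$work/consumer"; mkdir -m 700 "$GNUPGHOME"
    gpg --batch --quiet --import "$work/signer.asc" 2>/dev/null || exit 1

    # 1. genuine artifact, pinned to the expected signer -> accept
    verify_pinned "$work/mod.bin" "$work/mod.bin.asc" "$fpr" || exit 1
    # 2. good signature, but not from the key we pinned -> reject
    #    (gpg on its own would still report "Good signature")
    if verify_pinned "$work/mod.bin" "$work/mod.bin.asc" 0000000000000000000000000000000000000000; then exit 1; fi
    # 3. artifact modified after signing -> reject
    printf 'X' >>"$work/mod.bin"
    if verify_pinned "$work/mod.bin" "$work/mod.bin.asc" "$fpr"; then exit 1; fi

    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
    exit 0
  )
}

if demo_pgp_verification; then
    echo "PGP verification demo: all three cases behaved as expected"
else
    echo "PGP verification demo failed or gpg unavailable (rc=$?)"
fi
```

In real use, the expected fingerprint comes from the contributor directly, from a key in the pgp sub-directory that your own key has cross-signed, or from a signature path through the web of trust; it must never be read from the same place the artifact and signature were downloaded.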
Most readers will understand that PKI is the differentiator between http and https on the web. The latter is secured via SSL (now known as TLS). Web servers speaking HTTPS must have a server certificate; technically, that certificate is a "PKI server certificate", an X.509 certificate issued under some root.
Ordinarily, PKI certificates are issued by a Certificate Authority (CA). There are cases where a public CA is not available or where an in-house or home-grown CA is preferred. Root certificates found here are of that sort. A home-grown root is only useful to a consumer who can be sure they hold the genuine root and not a substitute, so when a root certificate is signed using PGP by its contributor, the consumer can check it against that contributor's key before trusting it: assurance they would not otherwise have.
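What "a home-grown CA" and "verifying against a root" amount to in practice, as an added example (not tooling from the ZTRUST repository): the script below builds a self-signed root of the kind found in the pki sub-directory, issues a server certificate from it, and shows that the certificate verifies only against the root that issued it, with the system trust store switched off. It assumes OpenSSL 1.1.1 or later; the names Example Root CA, Rogue Root CA and www.example.org are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not tooling from the ZTRUST repository: a home-grown root CA,
# a server certificate issued from it, and verification against the chosen root.
# Assumptions: OpenSSL 1.1.1+ on PATH; all names below are constructed.

# make_root DIR NAME BASE: self-signed root DIR/BASE.pem with private key DIR/BASE.key
make_root() {
    openssl req -config "$1/demo.cnf" -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=$2" -extensions ca_ext -keyout "$1/$3.key" -out "$1/$3.pem" 2>/dev/null
}

# build_demo_pki DIR
# Creates DIR/ca.pem (the root we trust), DIR/rogue-ca.pem (an unrelated root),
# and DIR/server.pem for www.example.org issued by ca.pem.
build_demo_pki() {
    dir=$1
    # Self-contained config so the result does not depend on the system openssl.cnf.
    cat >"$dir/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[server_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.org
EOF
    make_root "$dir" "Example Root CA" ca || return 1
    make_root "$dir" "Rogue Root CA" rogue-ca || return 1
    # Server key and CSR. The CA, not the requester, decides which extensions the
    # issued certificate carries (server_ext above).
    openssl req -config "$dir/demo.cnf" -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=www.example.org" -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null || return 1
    openssl x509 -req -sha256 -days 90 -in "$dir/server.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/demo.cnf" -extensions server_ext -out "$dir/server.pem" 2>/dev/null
}

# verify_against_root CERT ROOT
# Builds a chain from CERT to ROOT with the default CA file and directory switched
# off, so success means exactly "chains to the anchor we chose". Returns openssl's
# status: 0 on success, non-zero otherwise.
verify_against_root() {
    openssl verify -no-CApath -no-CAfile -CAfile "$2" "$1" >/dev/null 2>&1
}

# cert_fingerprint CERT: SHA-256 fingerprint, the value a contributor publishes
# (and may PGP-sign) so consumers can confirm the root they downloaded is genuine.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

d=$(mktemp -d)
build_demo_pki "$d" || { echo "PKI build failed (is openssl installed?)"; exit 1; }
echo "root fingerprint: $(cert_fingerprint "$d/ca.pem")"
verify_against_root "$d/server.pem" "$d/ca.pem" && echo "server.pem against ca.pem: OK"
verify_against_root "$d/server.pem" "$d/rogue-ca.pem" || echo "server.pem against rogue-ca.pem: rejected (expected)"
rm -rf "$d"
```

The rejected case is the one that matters for a community trust anchor: a certificate is only as trustworthy as the root you verify it against, so the root's fingerprint (here from cert_fingerprint) must be checked against a value obtained from the contributor, for instance through their PGP signature over the root.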
Content in this repository that is eligible for copyright is released under the terms in our License file.