Linux Kernel Proposes Decentralized Identity System to Replace PGP Web of Trust

Current PGP Authentication Challenges
Linux kernel developers currently use Pretty Good Privacy (PGP) with Git integration for signed tags and commits. The system relies on a web of trust that was bootstrapped at a face-to-face key-signing session at the 2011 Kernel Summit, after kernel.org was hacked. Today, kernel maintainers who want a kernel.org account must find someone already in the PGP web of trust, meet them face-to-face, show government ID, and get their key signed.
Linux kernel maintainer Greg Kroah-Hartman describes this process as a "pain to do and manage" because it's tracked by manual scripts, keys drift out of date, and the public "who lives where" map creates privacy and social-engineering risk.
Linux ID: The Proposed Solution
Linux ID is a decentralized, privacy-preserving identity layer that replaces the fragile PGP key-signing web of trust. The system was presented by Linux Foundation Decentralized Trust leaders Daniela Barbosa and Hart Montgomery, along with Affinidi CEO Glenn Gore.
At the core of Linux ID are cryptographic "proofs of personhood" built on modern digital identity standards. Instead of a single monolithic web of trust, the system issues and exchanges personhood credentials and verifiable credentials that assert things like:
- "this person is a real individual"
- "this person is employed by company X"
- "this Linux maintainer has met this person and recognized them as a kernel maintainer"
Technical Implementation
Linux ID is built around decentralized identifiers (DIDs), a W3C-style mechanism for creating globally unique IDs and attaching public keys and service endpoints to them. Developers create DIDs, potentially using existing Curve25519-based keys from today's PGP world, and publish DID documents via secure channels such as HTTPS-based "did:web" endpoints that expose their public key infrastructure.
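As an added illustration (not code from Linux ID or from the presentation), the Python sketch below follows the published did:web method rules to map an identifier to the HTTPS location of its DID document, and accepts keys only from a document whose id matches the DID that was requested. The host names, DIDs and key values are constructed, and the strict character rules and key-filtering policy are assumptions of this example.

```python
import re
from urllib.parse import unquote

# Deliberately strict patterns for this example: DNS labels and path segments.
_LABEL = re.compile(r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?")
_SEGMENT = re.compile(r"[A-Za-z0-9._-]+")

# Constructed sample: a hypothetical maintainer DID and document, not real data.
SAMPLE_DID = "did:web:id.example.org:maintainers:alice"
SAMPLE_DOC = {
    "id": SAMPLE_DID,
    "verificationMethod": [
        {"id": SAMPLE_DID + "#key-1", "type": "Multikey",
         "controller": SAMPLE_DID, "publicKeyMultibase": "z-constructed-1"},
        {"id": "did:web:other.example#key-9", "type": "Multikey",
         "controller": "did:web:other.example", "publicKeyMultibase": "z-constructed-2"},
    ],
}


def did_web_to_url(did: str) -> str:
    """Map a did:web identifier to the HTTPS URL of its DID document."""
    if not did.startswith("did:web:"):
        raise ValueError("not a did:web identifier")
    parts = did[len("did:web:"):].split(":")
    host, _, port = unquote(parts[0]).partition(":")  # a port arrives as %3A
    if not host or not all(_LABEL.fullmatch(lbl) for lbl in host.split(".")):
        raise ValueError("invalid host")
    if port and not (port.isdigit() and 0 < int(port) < 65536):
        raise ValueError("invalid port")
    segments = [unquote(p) for p in parts[1:]]
    # Reject empty, dot-only or slash-bearing segments so the path cannot traverse.
    if any(not _SEGMENT.fullmatch(s) or set(s) == {"."} for s in segments):
        raise ValueError("invalid path segment")
    authority = host + (":" + port if port else "")
    path = "/".join(segments) if segments else ".well-known"
    return f"https://{authority}/{path}/did.json"


def keys_for(did: str, document: dict) -> list:
    """Return key ids from a fetched DID document, only if it is bound to `did`."""
    if document.get("id") != did:
        raise ValueError("DID document id does not match the requested DID")
    # Example policy (an assumption): keep only keys the DID itself controls.
    return [vm["id"] for vm in document.get("verificationMethod", [])
            if vm.get("controller") == did
            and vm.get("id", "").startswith(did + "#")]
```

The trust anchor in this scheme is the TLS certificate and DNS of the host in the identifier, so a verifier should fetch the resulting URL with certificate validation enabled and treat the binding check in `keys_for` as mandatory.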
The system is issuer-agnostic and composable. Credentials can be anchored in multiple ways:
- Government-issued digital IDs (where available)
- Third-party identity verifiers similar to visa application centers
- Employers
- The Linux Foundation itself acting as an issuer
If two developers share trust in different issuers, they can still find overlapping trust paths. The more independent issuers exist, the stronger the overall system becomes.
Timeline and Impact
Linux ID isn't being rolled out yet, but is expected to be deployed within a year. The system is designed to be used by other open-source projects beyond the Linux kernel, providing a more flexible way to prove developer identities without brittle key-signing parties or ad-hoc video calls.
📖 Read the full source: HN AI Agents