Re: Please revoke your signatures from Martin Kraff's keys

[Manoj Srivastava <srivasta@debian.org>]

On 25 May 2006, Henrique de Moraes Holschuh outgrape:

> On Thu, 25 May 2006, Manoj Srivastava wrote:
>> It has come to my attention that Martin Kraff used an
>> unofficial, and easily forge-able, identity device at a large key
> [...]
>
> Should you not have *signed* a message of this sort?  I certainly
> won't do anything until I know for sure it came from you.  And
> preferably, we need to hear Martin's side as well, before doing
> anything hasty (like either signing keys, or revoking signatures of
> keys).

        I do not think it matters who exactly it is who is issuing
 the appeal -- Matin's blog and Steve's message to debconf-discuss
 have all the information required to base ones decision (and steve's
 messages were signed).

>> Based on this, I strongly suggest that mere signatures on a new
>> maintainers key from a DD be also not enough, since people have
>
> We need an alternative, then.  Any ideas?

        This is a social education issue. One on one key signing by
 people who know the implication of signing keys is the only way to
 extend the web of trust.

> The easy answer are passports, but not everyone has passports with
> proper security devices (and I mean this as not everyone lives in a
> *country* which issues such passports, so they are effectively
> impossible to get for these people).  And we don't teach DDs how to
> verify those either (which we should, it is always a good idea to
> know these things. Any pointers?).

        Actually, passports are not really an answer (I have no idea
 what the passport of cameroon looke like, for example).  Given time,
 one can pay more attention to each document (I require at least two
 photo ID's issued by the government).  While even these can be
 forged, it won't be in the hurried atmosphere of a KSP.

        If you have to use caff, instead of doing things manually,
 there probably were too many people at the party.

>> now effectively proven how easily signatures may be obtained at a
>> large KSP by just about anyone with money for a easily faked ID.
>
> This has been a question of trusting enough people to not to game
> the system since day one, and you know it.  Fortunately, up until
> now, nobody had tried to do so... *that we know of*.

        Right. The issue also comes up that if a person is willing to
 subvert a process in which Debian's web of trust was being extended,
 what else would they do to "test" other systems? Show how clever they
 are by shoing us that we do not test our packages well enough by
 installing a back door? Show us that fake people can make it through
 NM? 

        One act of bad faith for a "joke" or a "test" makes one wonder
 how many other such acts are to follow "testing" the  rest of the
 system.

        manoj
-- 
Many of those dressed in the yellow robe are evil and unrestrained,
and the evil end up in hell because of their evil deeds. 307
Manoj Srivastava   <srivasta@debian.org>  <http://www.debian.org/%7Esrivasta/>
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C