Re: [Debconf-discuss] Please revoke your signatures from Martin Kraff's keys
Hi,
I think the core issue here is whether we deem presenting purchased
identification at an event designed to extend the web of trust
acceptable behaviour.
I check photographs, name, age, and expiry dates on ID
presented. I did not include document verification in that checklist,
since it is something I do not think we can do, in about a minute or
less, with no instruments. I have some sample ID that purports to be
for Donald Duck -- with a human picture.
On 25 May 2006, Mike Hommey told this:
> On Thu, May 25, 2006 at 04:16:24PM -0500, Manoj Srivastava <srivasta@acm.org> wrote:
>> The KSP was cracked. People signed a key without ever looking
>> at proper, official ID. You can try and save face by calling it
>> whatever you want, but that does not change the reality.
>
> Manoj, how do *you* ensure the ID that someone presents you is a
> proper, official ID ?
>
> Actually, the whole thing is that if you want to subvert the key
> signing process, you can do it pretty easily. A lot of people buy
> fake passports or IDs for whatever reasons ; subverting a KSP is
> just a new kind of reason.
>
This is the crux of the issue. I have always maintained that
it is possible to fool me; but I assumed that I moved in circles
where presenting purchased identification papers was a phenomenon that
did not occur. If presentation of purchased IDs is acceptable, then
the only way of being sure about official papers is to only sign
keys of people who have papers that I can recognize as being
official -- which means, for me, Indian and US passports. And even
then, I am sure the forgeries are beyond my ability to recognize.
On 25 May 2006, Steve Langasek said:
> He is acknowledging testing people in real-world conditions to
> determine whether they have acceptably strict standards for ID
> checking.
By presenting purchased IDs in lieu of official ones. Sounds
exactly like the kind of rationale crackers present -- testing real
world deployments of machines for the people's own good.
> Accusing him of duping people, of being a braggart for publishing
> the results of this experiment, and of acting in bad faith
> discourages people from testing the quality of conventional
> keysigning practices in the future. Shouldn't we as a community
> *want* to know about problems with the strength of people's ID
> checking, *before* someone smuggles a fraudulent identity into our
> ranks?
If I come to you with a purchased ID, are you so sure you
can tell a fake ID from a real one?
Anyone can, thanks to the powers of the internet, find
artisans that can, probably illegally, give you very official-looking
documents that are impossible for a lay person to tell apart.
> Where is the indignant outrage towards those 9 out of 10 keysigners
> who apparently had no objection to signing a key based on a
> trumped-up ID card with no legal validity? If you really care about
> the strength of our web of trust, *they* are who should be named and
> shamed here.
Are you arguing that this would be a real world test to see if you
can spot forged IDs, and laudable? If so, when you come up to TN
for the food conf, we'll have a wager. It is possible to fool _anyone_
with high enough quality purchased IDs. And from all reports, the ID
looked pretty darned official.
> Of *course* this was done under the laxest possible keysigning
> circumstances. Pre-announcing that someone at the keysigning party
> will be showing non-government ID is like warning students of locker
> inspections a week in advance -- you might get a warm fuzzy that all
> the school's library books are turned in, but you're not going to
> catch any drug dealers that way...
I think that friends at my work can produce documents that
none of you can detect. I still think that purchasing identification
from non-official channels goes beyond the pale, but I appear to be
in the minority. I'll just institute far harder key signing rules
when it comes to Debian people, since what is commonly accepted to be
nefarious behaviour in security circles does not seem to be the case
in Debian.
> Any injury done to the people at the KSP they have done to
> themselves. It's more analogous to standing next to an icy walkway
> and studying how many of the old ladies on crutches walk out on
> their own and break their hips, vs. how many ask for his assistance
> across. You might think it cruel, but I don't see any justification
> for calling it malicious.
I see. I hereby challenge you to detect fake official looking
documents I'll present to you (just ignore the word sample emblazoned
across them, since I got it from work), the next time you are in TN.
> If you consider it a foregone conclusion that people at KSPs,
> including DDs, will exercise poor keysigning practices, why attend
> the KSP?
>
> I attend KSPs because I'm comfortable that *I* am still
> checking IDs and fingerprints properly for all keys I sign, in spite
> of the circumstances.
These are not poor keysigning techniques, unless you accept
that all ID document verification techniques rely on a gentleman's
agreement about not presenting purchased IDs. As I said, I can show
you sample identification that I challenge you to tell me why my name
is not Donald Duck.
On 26 May 2006, David Moreno Garza uttered the following:
> I brought my Mexican passport to the KSP since I don't want to
> explain to everybody what my Mexican voting card is (and I didn't
> want people to doubt on it, as I did to locals in Porto Alegre and
> Helsinki). Bringing my passport issued by the Mexican government,
> sealed by some of the countries I have visited; bringing my US
> tourist visa, issued by the American government; having my Mexican
> voting card (which is official in MX); and any other non-official ID
> I could carry (driver's license, university card, work ID, etc) are
> documents I thought it would be great to have so nobody could doubt
> that I am the person I am saying I am :-) Because of this, I always
> requested for passports to check everybody's identity. I'm a bit
> upset also because some people think I should already know some
> documents.
Now that presenting purchased identification that looks
official is in play, I am not sure if passports can be trusted. I
have, for example, no idea what a passport for Cameroon looks like --
so really, I can only sign keys from people presenting an Indian or
US passport, and having driver's licenses from MA, AL, or TN.
Unless, of course, presenting purchased IDs were frowned
upon, and a gentleman's agreement existed in Debian to not try to fool
the potential signer, which appears not to be feasible, given the
responses to my concerns.
Since presenting IDs that one has purchased is apparently OK,
this effectively shuts down any key signing between people who are
strangers, or come from different countries.
On 26 May 2006, Josselin Mouette stated:
> But should I revoke signatures from developers who showed me a US
> driver license, a piece of plastic I could fake with my inkjet
> printer?
Do you really have an alternate course you can take, since now
we admit that presenting such IDs is OK, and the person perhaps has
not yet completed their study and published the hoax? (only half ;)
manoj
--
With all the fancy scientists in the world, why can't they just once
build a nuclear balm?
Manoj Srivastava <srivasta@acm.org> <http://www.datasync.com/%7Esrivasta/>
1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C