Hi folks,

Now that I'm no longer in the middle of the act of *exchanging* fingerprints, nor am I scurrying around trying to arrange cooking space for dinner, I think I owe some people a more detailed explanation of why there are some keys I won't be signing. :)

The normal keysigning protocol for this kind of party works like this:

1. everyone is mailed a copy of the sheet for the keysigning.
2. each person verifies that the fingerprint shown for their own key is correct in this file.
3. each person takes the checksum of the file they received in email, records it, and brings it with them to the KSP.
4. the "correct" checksum of the file is read aloud in front of the group by one of the participants.
5. participants pair off, exchanging IDs and verbally confirming to each other that the file they received in the mail contained the correct fingerprint for their key and that the checksum matched the one read out in front of the group.

What actually happened to a number of people in this KSP was:

3. the person brings with them to the KSP a copy of the email, printed for them by someone else, with the checksum *filled in by someone else*.

The problem with this is that I, as a potential keysigner, can see that the checksum on the paper they are holding was *not* written by them, therefore I do *not* know that the person I am exchanging with has properly verified before coming to the KSP that the checksum of the file they received in email is the same as the checksum that was read off in the group. It is *possible* that they have done this, but there is a very high probability that many of those using photocopies did not do so.

This opens up the following attack vector:

1. the KSP organizer knows in advance the identities of a number of people who don't have printers and will be accepting copies of the paper from him.
2. the KSP organizer emails a file containing correct fingerprints to those participants.
3. the KSP organizer emails a file containing fingerprints for *substituted* keys to everyone else.
4. the KSP organizer prints out the file containing the correct fingerprints, and writes down on it the checksum of the file containing the incorrect fingerprints.
5. the victim claims to have verified a checksum that they did not.
6. the fraudulent key is signed, allowing the KSP organizer to impersonate the victim to the community.

Now, some people may have done this check correctly in spite of using a printed copy, but in a large KSP with many novices I am simply not willing to trust that this is the case. Heck, *I* got the rationale wrong for this check when arguing with people at the time (sorry, Bdale and Andreas :), and I think I'm pretty darn smart, so if I got it wrong, I'm not going to trust blindly that other people got it right. ;)

For this reason, I told people that I saw had such photocopies that I would not be signing their key based on this checksum. If I had thought it through more clearly, I might have asked them whether they had checked the file's checksum directly on their own computers and used this as confirmation. As it was, I instead requested that anyone with these photocopies that wanted me to sign their key exchange fingerprints with me later, because the 50 seconds allowed per person by the KSP schedule was not enough time to exchange full fingerprints with each person by hand in the line.

Of course, since I left DebConf that night, few people were able to exchange fingerprints with me. I'm sorry that this will leave some of you without signatures from me; but even though the probability of Anibal trying to compromise the web of trust in this fashion is quite small, my signatures would not add positive value to the web of trust if I signed your keys based on the trustworthiness of any third party. Other people should be free to decide for themselves whether they trust Anibal's signatures, instead of having to implicitly trust Anibal by trusting my signatures.

So if you don't get a signature from me this year, come to DebConf again next year and this time don't let Anibal fill out the checksum for you. :)

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/
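Added example, not part of the message above: the check each participant is expected to do themselves (steps 2 to 4 of the normal protocol), run against a constructed split mailing like the one the message describes. SHA-256, the "name: fingerprint" sheet layout, the function names and all fingerprints are assumptions made for the illustration.

```python
import hashlib

def checksum(sheet: bytes) -> str:
    """Checksum of the sheet exactly as received (SHA-256 is an assumption)."""
    return hashlib.sha256(sheet).hexdigest()

def normalize(value: str) -> str:
    """Drop spacing and case differences before comparing hex strings."""
    return "".join(value.split()).upper()

def own_key_listed(sheet: bytes, my_fpr: str) -> bool:
    """Step 2: the file I received shows the correct fingerprint for my key."""
    listed = (line.rsplit(":", 1)[-1] for line in sheet.decode().splitlines())
    return any(normalize(f) == normalize(my_fpr) for f in listed)

def may_confirm(received: bytes, my_fpr: str, announced: str) -> bool:
    """Steps 2-4, computed by the participant from their own mailbox copy."""
    same = normalize(checksum(received)) == normalize(announced)
    return own_key_listed(received, my_fpr) and same

def paper_matches(written: str, announced: str) -> bool:
    """All that a sheet with a checksum filled in by someone else can show."""
    return normalize(written) == normalize(announced)

# Constructed fingerprints and sheets, for illustration only.
ALICE = "AAAA 1111 AAAA 1111 AAAA  1111 AAAA 1111 AAAA 1111"
ALICE_SUBST = "EEEE 0000 EEEE 0000 EEEE  0000 EEEE 0000 EEEE 0000"
BOB = "BBBB 2222 BBBB 2222 BBBB  2222 BBBB 2222 BBBB 2222"
SHEET_GOOD = f"alice: {ALICE}\nbob: {BOB}\n".encode()         # mailed to alice
SHEET_SUBST = f"alice: {ALICE_SUBST}\nbob: {BOB}\n".encode()  # mailed to the rest

def scenario():
    """Return (paper comparison passes, alice's own check passes)."""
    announced = checksum(SHEET_SUBST)  # read aloud; matches what most people hold
    written = checksum(SHEET_SUBST)    # filled in on alice's printout by someone else
    return (paper_matches(written, announced),
            may_confirm(SHEET_GOOD, ALICE, announced))

if __name__ == "__main__":
    paper_ok, own_ok = scenario()
    print("checksum on the paper matches the one read aloud:", paper_ok)
    print("alice's own check on her mailbox copy passes:", own_ok)
```

The pre-filled paper agrees with the announced checksum, while the checksum computed from the participant's own mailbox copy does not, so the substitution surfaces only if the participant does the computation personally.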