
[Debconf-discuss] KSP post-mortem: why I won't be able to sign some keys



Hi folks,

Now that I'm no longer in the middle of the act of *exchanging*
fingerprints, nor am I scurrying around trying to arrange cooking space for
dinner, I think I owe some people a more detailed explanation of why there
are some keys I won't be signing. :)

The normal keysigning protocol for this kind of party works like this:

1. everyone is mailed a copy of the sheet for the keysigning.
2. each person verifies that the fingerprint shown for their own key is
   correct in this file.
3. each person takes the checksum of the file they received in email, records
   it, and brings it with them to the KSP.
4. the "correct" checksum of the file is read aloud in front of the group by
   one of the participants.
5. participants pair off, exchanging IDs and verbally confirming to each
   other that the file they received in the mail contained the correct
   fingerprint for their key and that the checksum matched the one read out
   in front of the group.

What actually happened to a number of people in this KSP was:

3. the person brings with them to the KSP a copy of the email, printed for
   them by someone else, with the checksum *filled in by someone else*.

The problem with this is that I, as a potential keysigner, can see that the
checksum on the paper they are holding was *not* written by them, therefore
I do *not* know that the person I am exchanging with has properly verified
before coming to the KSP that the checksum of the file they received in
email is the same as the checksum that was read off in the group.  It is
*possible* that they have done this, but there is a very high probability
that many of those using photocopies did not do so.  This opens up the
following attack vector:

1. the KSP organizer knows in advance the identities of a number of people
   who don't have printers and will be accepting copies of the paper from
   him.
2. the KSP organizer emails a file containing correct fingerprints to those
   participants.
3. the KSP organizer emails a file containing fingerprints for *substituted*
   keys to everyone else.
4. the KSP organizer prints out the file containing the correct
   fingerprints, and writes down on it the checksum of the file containing
   the incorrect fingerprints.
5. the victim claims to have verified a checksum that they did not.
6. the fraudulent key is signed, allowing the KSP organizer to impersonate
   the victim to the community.

Now, some people may have done this check correctly in spite of using a
printed copy, but in a large KSP with many novices I am simply not willing
to trust that this is the case.  Heck, *I* got the rationale wrong for this
check when arguing with people at the time (sorry, Bdale and Andreas :), and
I think I'm pretty darn smart, so if I got it wrong, I'm not going to trust
blindly that other people got it right. ;)

For this reason, I told people that I saw had such photocopies that I would
not be signing their key based on this checksum.  If I had thought it
through more clearly, I might have asked them whether they had checked the
file's checksum directly on their own computers and used this as
confirmation.  As it was, I instead requested that anyone with these
photocopies that wanted me to sign their key exchange fingerprints with me
later, because the 50 seconds allowed per person by the KSP schedule was not
enough time to exchange full fingerprints with each person by hand in the
line.

Of course, since I left DebConf that night, few people were able to exchange
fingerprints with me.  I'm sorry that this will leave some of you without
signatures from me; but even though the probability of Anibal trying to
compromise the web of trust in this fashion is quite small, my signatures
would not add positive value to the web of trust if I signed your keys based
on the trustworthiness of any third party.  Other people should be free to
decide for themselves whether they trust Anibal's signatures, instead of
having to implicitly trust Anibal by trusting my signatures.

So if you don't get a signature from me this year, come to DebConf again
next year and this time don't let Anibal fill out the checksum for you. :)

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/
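
An added illustration, not part of the original message: steps 2 and 3 of the protocol as the key owner would run them on their own machine, applied to two constructed sheets that mirror the substitution scenario described in the message. The `check_sheet` helper, the file names, the fingerprints and the use of SHA-256 via `sha256sum` are all assumptions made for the example; the message does not name a checksum algorithm.

```shell
#!/bin/sh
# Added example: steps 2 and 3 of the protocol, run by the key owner themselves.
# Assumptions: SHA-256 via sha256sum; every name and fingerprint below is constructed.

# Strip whitespace and upper-case hex letters so differently spaced
# fingerprints and checksums compare equal.
norm() { printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'; }

# check_sheet FILE OWN_FINGERPRINT ANNOUNCED_CHECKSUM
# returns 0: both checks pass
#         1: own fingerprint is not in FILE (step 2 fails)
#         2: FILE's checksum is not the one read aloud (step 3 fails)
check_sheet() {
    want_fpr=$(norm "$2")
    tr -d ' \t' < "$1" | tr 'a-f' 'A-F' | grep -q -F -- "$want_fpr" || return 1
    local_sum=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$(norm "$local_sum")" = "$(norm "$3")" ] || return 2
    return 0
}

# Constructed sheets: one with the victim's real fingerprint, one with a substitute.
dir=$(mktemp -d)
real='AAAA 1111 BBBB 2222 CCCC 3333 DDDD 4444 EEEE 5555'
fake='FFFF 0000 FFFF 0000 FFFF 0000 FFFF 0000 FFFF 0000'
other='0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567'
printf 'Victim Example  %s\nOther Example   %s\n' "$real" "$other" > "$dir/sent_to_victim.txt"
printf 'Victim Example  %s\nOther Example   %s\n' "$fake" "$other" > "$dir/sent_to_others.txt"

# The checksum read aloud (and pre-written on the photocopy) is that of the
# substituted file, which is what everyone else received.
announced=$(sha256sum "$dir/sent_to_others.txt" | cut -d' ' -f1)

# The victim's own file shows the right fingerprint but fails the checksum
# comparison (2); the substituted file matches the checksum but fails the
# fingerprint check (1). Only the key owner can notice either mismatch.
for f in sent_to_victim.txt sent_to_others.txt; do
    rc=0
    check_sheet "$dir/$f" "$real" "$announced" || rc=$?
    echo "$f: check_sheet returned $rc"
done
```

Neither file passes both checks for the victim, which is why a checksum copied onto the sheet by someone else tells the other signers nothing.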
