At Manoj's request, I've compiled a list of those KSP participants who, per my notes, I saw using photocopies that included the pre-filled checksum; this list is attached, for each of you to use (or not, as you wish) as input into your own keysigning decisions. You'll have to decide for yourself whether this is an attack vector you care about, or if I myself am just a no-good troublemaker trying to keep certain people out of the web of trust for my own evil reasons. ;) I cannot assert that this list is comprehensive. There were a number of KSP participants whose keys I'd previously signed, so I have no notes for them; there are others that I exchanged fingerprints with directly so haven't necessarily noted that they were using the photocopy; and there was at least one person for whom I botched the notes on my sheet such that I *think* he was using a photocopy but I'm not certain. (I won't be signing his key because of my own doubts, but I'm not going to spread further questionable information to others.) Also, whether or not you were using one of the photocopied sets, if you did *not* personally check the checksum of the file you received against the checksum announced at the KSP, it is still advisable that you verify the checksum now in order to protect your own identity and help us detect any manipulations of the KSP. Checking this will not get you a signature from me because I have no way to even trust your *email* address without an in-person exchange of fingerprints, but at least if there *is* a problem you can let people know about it to prevent your on-line identity from being stolen. If you do not have the original copy of ksp-dc6.txt that was emailed to you, you should be able to download it from <http://debconf6.debconf.org/ksp/ksp-dc6.txt>. This file should contain a correct fingerprint for your GPG key, and should have the following checksums: MD5 Checksum: 9C BB 4D 52 76 CD C1 C5 AF 65 F0 7F 53 89 C5 77 SHA1 Checksum: 6D1F 65C8 6C04 D12A 9B3F B81D B953 212E D5C5 31DE This md5sum is the same one that was read aloud at the KSP and is the same one that was pre-filled on the photocopies that were distributed. If your fingerprint in ksp-dc6.txt is incorrect, or if the checksum of this file does not match the checksum listed above and on your photocopy, please let us know. Thanks, -- Steve Langasek Give me a lever long enough and a Free OS Debian Developer to set it on, and I can move the world. vorlon@debian.org http://www.debian.org/
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The following people were present at the DC6 keysigning party and used photocopies provided to them by a third party with the md5 checksum pre-filled for them. This leaves doubt to the validity of their assertion that the checksum of the file they received containing their proper fingerprint matches the checksum read off publically at the keysigning party. 036a [ ] Fingerprint OK [ ] ID OK pub 1024D/C97E7015 2005-08-15 Key fingerprint = 66CB 6BF4 7C7C EC0E DA60 06C8 87E8 9061 C97E 7015 uid Ernesto Nadir Crespo Avila (seraph) <ecrespo@ujap.edu.ve> uid Ernesto Crespo (seraph1) <ecrespoa@yahoo.es> uid Ernesto Nadir Crespo Avila (seraph1) <ecrespo@uc.edu.ve> uid Ernesto Nadir Crespo Avila (seraph1) <ecrespo@debianvenezuela.org> uid Ernesto Nadir Crespo Avila (seraph1) <ecrespo@cantv.net> uid Ernesto Nadir Crespo Avila (seraph1) <ecrespo@gmail.com> 040a [ ] Fingerprint OK [ ] ID OK pub 1024D/BD76E77F 2005-08-12 [expires: 2007-08-12] Key fingerprint = F899 5A87 C648 3F38 5107 79F1 B97B 7C4D BD76 E77F uid Ralph Amissah <ralph.amissah@gmail.com> uid Ralph Amissah <ralph@amissah.com> 041a [ ] Fingerprint OK [ ] ID OK pub 1024D/D626ABB6 2004-08-02 [expires: 2007-08-02] Key fingerprint = D02D 8C0C ADBB A69B BF0F 6EAD B2B0 5F45 D626 ABB6 uid Marcela Tiznado <mtiznado@linux.org.ar> 045a [ ] Fingerprint OK [ ] ID OK pub 1024D/6A372DF6 2005-03-01 Key fingerprint = DB71 A7A1 3DB2 9A5A 3A40 63DF 75DC A23C 6A37 2DF6 uid V�or P�z Pereira <vperez@debianvenezuela.org> 046a [ ] Fingerprint OK [ ] ID OK pub 1024D/5FA99A33 2004-04-11 Key fingerprint = 368E E49F E9F7 F7B8 94C6 BD9E 724F BDA3 5FA9 9A33 uid Orlando Fiol <fiolorlando@gmail.com> uid Orlando Fiol (overflow) <fiolorlando@cantv.net> uid Orlando Fiol <ofiol@ikirux.com.ve> 047a [ ] Fingerprint OK [ ] ID OK pub 1024D/0E60DFAD 2005-11-11 Key fingerprint = D26B B5F1 2531 23B2 2846 65B5 5A66 27B6 0E60 DFAD uid Manuel Garcia Fernandez (mannyto) <mannyto@gmail.com> 074a [ ] Fingerprint OK [ ] ID OK pub 1024D/3F382AFA 2006-03-31 Key fingerprint = 997A 416F 8229 8DB2 6BFC C1D6 A65F D7AF 3F38 2AFA uid Ivan Alfredo Zenteno Aguilar (Creada el 31 de Marzo del 2006 a las 2:04pm) <k001.operator@gmail.com> 090a [ ] Fingerprint OK [ ] ID OK pub 1024D/4E2ECA5A 2004-09-08 Key fingerprint = CA4F D469 C047 165A 1A55 CCD7 5E6D EF1C 4E2E CA5A uid Moritz Muehlenhoff <jmm@debian.org> uid Moritz Muehlenhoff <jmm@inutil.org> 093a [ ] Fingerprint OK [ ] ID OK pub 1024D/A504FECA 2006-03-19 Key fingerprint = C426 23B7 60FA 5999 693F 0782 690D 6214 A504 FECA uid Tiago Bortoletto Vaz <tiagovaz@gmail.com> uid Tiago Bortoletto Vaz <tiago@debian-ba.org> 098a [ ] Fingerprint OK [ ] ID OK pub 1024D/1D1D1702 2005-07-11 Key fingerprint = 271F 84DF D041 734D 7E99 BC03 C40A D37B 1D1D 1702 uid Tassia Camoes Araujo <tassia@debian-ba.org> 113a [ ] Fingerprint OK [ ] ID OK pub 1024D/F3E857E7 2006-02-15 Key fingerprint = B6F9 6F37 3A15 7D95 EA32 2E09 8DCC A2F1 F3E8 57E7 uid Patricia de Vasconcelos Felix (chave para DebConf) <patyfelix02@yahoo.com> 116a [ ] Fingerprint OK [ ] ID OK pub 1024D/7D33D13F 2006-05-04 Key fingerprint = E481 02CC 2065 6CD2 DCFF 2D8F A0F5 A0E8 7D33 D13F uid Ana Isabel Delgado Dom�uez <anubis@debianvenezuela.org> 121a [ ] Fingerprint OK [ ] ID OK pub 1024D/9741C03A 2004-11-19 Key fingerprint = 1764 3C6F B433 B2DD 9029 98B1 8E6B 58D3 9741 C03A uid Erick Ivaan Lopez Carreon (www.fsl.org.mx) <erick@fsl.org.mx> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (GNU/Linux) iD8DBQFEdAcMKN6ufymYLloRAh0hAJ4qBq8MYRlLICm4VG1PBkDF2pOGBwCeMthh 8av0h0xvcarQTUCwOh5wdpA= =1RIT -----END PGP SIGNATURE-----
Attachment:
signature.asc
Description: Digital signature