
[Debconf-discuss] Follow-up: additional checks you can do [was: KSP post-mortem: why I won't be able to sign some keys]



At Manoj's request, I've compiled a list of those KSP participants who, per
my notes, I saw using photocopies that included the pre-filled checksum;
this list is attached, for each of you to use (or not, as you wish) as input
into your own keysigning decisions.  You'll have to decide for yourself
whether this is an attack vector you care about, or if I myself am just a
no-good troublemaker trying to keep certain people out of the web of trust
for my own evil reasons. ;)

I cannot assert that this list is comprehensive.  There were a number of KSP
participants whose keys I'd previously signed, so I have no notes for them;
there are others that I exchanged fingerprints with directly so haven't
necessarily noted that they were using the photocopy; and there was at least
one person for whom I botched the notes on my sheet such that I *think* he
was using a photocopy but I'm not certain.  (I won't be signing his key
because of my own doubts, but I'm not going to spread further questionable
information to others.)

Also, whether or not you were using one of the photocopied sets, if you did
*not* personally check the checksum of the file you received against the
checksum announced at the KSP, it is still advisable that you verify the
checksum now in order to protect your own identity and help us detect any
manipulations of the KSP.  Checking this will not get you a signature from
me because I have no way to even trust your *email* address without an
in-person exchange of fingerprints, but at least if there *is* a problem you
can let people know about it to prevent your on-line identity from being
stolen.

If you do not have the original copy of ksp-dc6.txt that was emailed to you,
you should be able to download it from
<http://debconf6.debconf.org/ksp/ksp-dc6.txt>.  This file should contain a
correct fingerprint for your GPG key, and should have the following
checksums:

MD5 Checksum: 9C BB 4D 52 76 CD C1 C5  AF 65 F0 7F 53 89 C5 77
SHA1 Checksum: 6D1F 65C8 6C04 D12A 9B3F B81D B953 212E D5C5 31DE

This md5sum is the same one that was read aloud at the KSP and is the same
one that was pre-filled on the photocopies that were distributed.  If your
fingerprint in ksp-dc6.txt is incorrect, or if the checksum of this file
does not match the checksum listed above and on your photocopy, please let
us know.

Thanks,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The following people were present at the DC6 keysigning party and used
photocopies provided to them by a third party with the md5 checksum
pre-filled for them.  This leaves doubt to the validity of their
assertion that the checksum of the file they received containing their 
proper fingerprint matches the checksum read off publicly at the
keysigning party.


036a  [ ] Fingerprint OK        [ ] ID OK
pub   1024D/C97E7015 2005-08-15
      Key fingerprint = 66CB 6BF4 7C7C EC0E DA60  06C8 87E8 9061 C97E 7015
uid                  Ernesto Nadir Crespo Avila (seraph) <ecrespo@ujap.edu.ve>
uid                  Ernesto Crespo (seraph1) <ecrespoa@yahoo.es>
uid                  Ernesto Nadir Crespo Avila (seraph1) <ecrespo@uc.edu.ve>
uid                  Ernesto Nadir Crespo Avila (seraph1) <ecrespo@debianvenezuela.org>
uid                  Ernesto Nadir Crespo Avila (seraph1) <ecrespo@cantv.net>
uid                  Ernesto Nadir Crespo Avila (seraph1) <ecrespo@gmail.com>

040a  [ ] Fingerprint OK        [ ] ID OK
pub   1024D/BD76E77F 2005-08-12 [expires: 2007-08-12]
      Key fingerprint = F899 5A87 C648 3F38 5107  79F1 B97B 7C4D BD76 E77F
uid                  Ralph Amissah <ralph.amissah@gmail.com>
uid                  Ralph Amissah <ralph@amissah.com>

041a  [ ] Fingerprint OK        [ ] ID OK
pub   1024D/D626ABB6 2004-08-02 [expires: 2007-08-02]
      Key fingerprint = D02D 8C0C ADBB A69B BF0F  6EAD B2B0 5F45 D626 ABB6
uid                  Marcela Tiznado <mtiznado@linux.org.ar>

045a  [ ] Fingerprint OK        [ ] ID OK
pub   1024D/6A372DF6 2005-03-01
      Key fingerprint = DB71 A7A1 3DB2 9A5A 3A40  63DF 75DC A23C 6A37 2DF6
uid                  Víctor Pérez Pereira <vperez@debianvenezuela.org>

046a  [ ] Fingerprint OK        [ ] ID OK
pub   1024D/5FA99A33 2004-04-11
      Key fingerprint = 368E E49F E9F7 F7B8 94C6  BD9E 724F BDA3 5FA9 9A33
uid                  Orlando Fiol <fiolorlando@gmail.com>
uid                  Orlando Fiol (overflow) <fiolorlando@cantv.net>
uid                  Orlando Fiol <ofiol@ikirux.com.ve>

047a  [ ] Fingerprint OK        [ ] ID OK
pub   1024D/0E60DFAD 2005-11-11
      Key fingerprint = D26B B5F1 2531 23B2 2846  65B5 5A66 27B6 0E60 DFAD
uid                  Manuel Garcia Fernandez (mannyto) <mannyto@gmail.com>

074a  [ ] Fingerprint OK        [ ] ID OK
pub   1024D/3F382AFA 2006-03-31
      Key fingerprint = 997A 416F 8229 8DB2 6BFC  C1D6 A65F D7AF 3F38 2AFA
uid                  Ivan Alfredo Zenteno Aguilar (Creada el 31 de Marzo del 2006 a las 2:04pm) <k001.operator@gmail.com>

090a  [ ] Fingerprint OK        [ ] ID OK
pub   1024D/4E2ECA5A 2004-09-08
      Key fingerprint = CA4F D469 C047 165A 1A55  CCD7 5E6D EF1C 4E2E CA5A
uid                  Moritz Muehlenhoff <jmm@debian.org>
uid                  Moritz Muehlenhoff <jmm@inutil.org>

093a  [ ] Fingerprint OK        [ ] ID OK
pub   1024D/A504FECA 2006-03-19
      Key fingerprint = C426 23B7 60FA 5999 693F  0782 690D 6214 A504 FECA
uid                  Tiago Bortoletto Vaz <tiagovaz@gmail.com>
uid                  Tiago Bortoletto Vaz <tiago@debian-ba.org>

098a  [ ] Fingerprint OK        [ ] ID OK
pub   1024D/1D1D1702 2005-07-11
      Key fingerprint = 271F 84DF D041 734D 7E99  BC03 C40A D37B 1D1D 1702
uid                  Tassia Camoes Araujo <tassia@debian-ba.org>

113a  [ ] Fingerprint OK        [ ] ID OK
pub   1024D/F3E857E7 2006-02-15
      Key fingerprint = B6F9 6F37 3A15 7D95 EA32  2E09 8DCC A2F1 F3E8 57E7
uid                  Patricia de Vasconcelos Felix (chave para DebConf) <patyfelix02@yahoo.com>

116a  [ ] Fingerprint OK        [ ] ID OK
pub   1024D/7D33D13F 2006-05-04
      Key fingerprint = E481 02CC 2065 6CD2 DCFF  2D8F A0F5 A0E8 7D33 D13F
uid                  Ana Isabel Delgado Domínguez <anubis@debianvenezuela.org>

121a  [ ] Fingerprint OK        [ ] ID OK
pub   1024D/9741C03A 2004-11-19
      Key fingerprint = 1764 3C6F B433 B2DD 9029  98B1 8E6B 58D3 9741 C03A
uid                  Erick Ivaan Lopez Carreon (www.fsl.org.mx) <erick@fsl.org.mx>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFEdAcMKN6ufymYLloRAh0hAJ4qBq8MYRlLICm4VG1PBkDF2pOGBwCeMthh
8av0h0xvcarQTUCwOh5wdpA=
=1RIT
-----END PGP SIGNATURE-----
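
The check the message asks each participant to do, written out as an added example (not part of the original mail): it compares a local copy of ksp-dc6.txt against both announced checksums and confirms that your own fingerprint is listed. The function names are illustrative, and GNU coreutils `md5sum` and `sha1sum` are assumed to be installed.

```shell
#!/bin/sh
# Added example: verify a local ksp-dc6.txt against the announced checksums.
# Announced values copied from the message, in the grouped form used on paper.
ANNOUNCED_MD5='9C BB 4D 52 76 CD C1 C5  AF 65 F0 7F 53 89 C5 77'
ANNOUNCED_SHA1='6D1F 65C8 6C04 D12A 9B3F B81D B953 212E D5C5 31DE'

# Strip whitespace and lowercase, so grouped hex compares equal to tool output.
normalize_hex() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'A-F' 'a-f'
}

# file_digest ALGO FILE: print the lowercase hex digest of FILE.
file_digest() {
    case "$1" in
        md5)  md5sum  "$2" | cut -d' ' -f1 ;;
        sha1) sha1sum "$2" | cut -d' ' -f1 ;;
        *)    return 2 ;;
    esac
}

# check_digest ALGO FILE ANNOUNCED: succeed only if the digests are identical.
check_digest() {
    want=$(normalize_hex "$3")
    got=$(file_digest "$1" "$2") || return 2
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# has_fingerprint FILE FPR: succeed if a "Key fingerprint =" line equals FPR.
has_fingerprint() {
    want=$(normalize_hex "$2")
    grep 'Key fingerprint =' "$1" | sed 's/.*= *//' \
        | tr -d ' \t' | tr 'A-F' 'a-f' | grep -qxF "$want"
}

# verify_ksp FILE FPR: both digests and the fingerprint must match.
verify_ksp() {
    check_digest md5  "$1" "$ANNOUNCED_MD5"  || { echo "MD5 mismatch" >&2; return 1; }
    check_digest sha1 "$1" "$ANNOUNCED_SHA1" || { echo "SHA1 mismatch" >&2; return 1; }
    has_fingerprint "$1" "$2" || { echo "fingerprint not listed" >&2; return 1; }
    echo "file matches the announced checksums and lists your fingerprint"
}

# Run directly as: sh verify-ksp.sh ksp-dc6.txt 'YOUR FINGERPRINT'
if [ "$#" -eq 2 ]; then verify_ksp "$1" "$2"; fi
```

Take the fingerprint argument from your own keyring (for example the output of `gpg --fingerprint`), not from the downloaded file, and compare the announced values against your own notes from the party where you have them.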
