
Re: [Debconf-discuss] KSP post-mortem: why I won't be able to sign some keys



On Sat, May 20, 2006 at 12:47:29AM +1000, Aníbal Monsalve Salazar wrote:
>On Wed, May 17, 2006 at 02:46:42AM +1000, Aníbal Monsalve Salazar wrote:
>>I'll compile an additional list of people who couldn't have their
>>keys on the primary list. Please send your key(s) as explained at
>>[0] or, alternatively at [2] not later than Thursday, 18th of May,
>>2006, Oaxtepec time.
>
>Neil McGovern will print 140 copies of the additional list. I also
>have spare copies of the main list.

They were printed by Graham Wilson.

>BIG NOTE: You don't have to trust my copies or those printed by
>Neil. You must download the original files from [0] or [2],
>visually compare them against the copies from Neil/me, also download
>the md5/sha1 checksums and verify them, and finally download the
>signed files and verify my signature.

As I wrote, you don't have to trust either me or Graham
Wilson. All points raised by vorlon below are valid.

On Tue, May 23, 2006 at 10:26:34PM -0700, Steve Langasek wrote:
>Hi folks,
>
>Now that I'm no longer in the middle of the act of *exchanging*
>fingerprints, nor am I scurrying around trying to arrange cooking space for
>dinner, I think I owe some people a more detailed explanation of why there
>are some keys I won't be signing. :)
>
>The normal keysigning protocol for this kind of party works like this:
>
>1. everyone is mailed a copy of the sheet for the keysigning.
>2. each person verifies that the fingerprint shown for their own key is
>   correct in this file.
>3. each person takes the checksum of the file they received in email, records
>   it, and brings it with them to the KSP.
>4. the "correct" checksum of the file is read aloud in front of the group by
>   one of the participants.
>5. participants pair off, exchanging IDs and verbally confirming to each
>   other that the file they received in the mail contained the correct
>   fingerprint for their key and that the checksum matched the one read out
>   in front of the group.
>
>What actually happened to a number of people in this KSP was:
>
>3. the person brings with them to the KSP a copy of the email, printed for
>   them by someone else, with the checksum *filled in by someone else*.
>
>The problem with this is that I, as a potential keysigner, can see that the
>checksum on the paper they are holding was *not* written by them, therefore
>I do *not* know that the person I am exchanging with has properly verified
>before coming to the KSP that the checksum of the file they received in
>email is the same as the checksum that was read off in the group.  It is
>*possible* that they have done this, but there is a very high probability
>that many of those using photocopies did not do so.  This opens up the
>following attack vector:
>
>1. the KSP organizer knows in advance the identities of a number of people
>   who don't have printers and will be accepting copies of the paper from
>   him.
>2. the KSP organizer emails a file containing correct fingerprints to those
>   participants.
>3. the KSP organizer emails a file containing fingerprints for *substituted*
>   keys to everyone else.
>4. the KSP organizer prints out the file containing the correct
>   fingerprints, and writes down on it the checksum of the file containing
>   the incorrect fingerprints.
>5. the victim claims to have verified a checksum that they did not.
>6. the fraudulent key is signed, allowing the KSP organizer to impersonate
>   the victim to the community.
>
>Now, some people may have done this check correctly in spite of using a
>printed copy, but in a large KSP with many novices I am simply not willing
>to trust that this is the case.  Heck, *I* got the rationale wrong for this
>check when arguing with people at the time (sorry, Bdale and Andreas :), and
>I think I'm pretty darn smart, so if I got it wrong, I'm not going to trust
>blindly that other people got it right. ;)
>
>For this reason, I told people that I saw had such photocopies that I would
>not be signing their key based on this checksum.  If I had thought it
>through more clearly, I might have asked them whether they had checked the
>file's checksum directly on their own computers and used this as
>confirmation.  As it was, I instead requested that anyone with these
>photocopies that wanted me to sign their key exchange fingerprints with me
>later, because the 50 seconds allowed per person by the KSP schedule was not
>enough time to exchange full fingerprints with each person by hand in the
>line.
>
>Of course, since I left DebConf that night, few people were able to exchange
>fingerprints with me.  I'm sorry that this will leave some of you without
>signatures from me; but even though the probability of Anibal trying to
>compromise the web of trust in this fashion is quite small, my signatures
>would not add positive value to the web of trust if I signed your keys based
>on the trustworthiness of any third party.  Other people should be free to
>decide for themselves whether they trust Anibal's signatures, instead of
>having to implicitly trust Anibal by trusting my signatures.
>
>So if you don't get a signature from me this year, come to DebConf again
>next year and this time don't let Anibal fill out the checksum for you. :)
>
>-- 
>Steve Langasek                   Give me a lever long enough and a Free OS
>Debian Developer                   to set it on, and I can move the world.
>vorlon@debian.org                                   http://www.debian.org/

Best Regards,

Aníbal Monsalve Salazar
-- 
http://v7w.com/anibal

Attachment: signature.asc
Description: Digital signature
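
The check discussed in this thread, as an added example that is not part of the original messages: a participant hashes the file they themselves received and compares it with the checksum read aloud, next to the case where the checksum on their paper was filled in by someone else. The sheet layout, names and fingerprints are constructed sample data, and the function names are hypothetical.

```python
import hashlib

def sha1_hex(data: bytes) -> str:
    # SHA-1 is one of the two checksum types the announcement mentions.
    return hashlib.sha1(data).hexdigest()

def own_fingerprint_listed(sheet: bytes, fingerprint: str) -> bool:
    """Step 2: does the file I received show the fingerprint of my own key?"""
    def norm(s: str) -> str:
        return "".join(s.split()).upper()
    return norm(fingerprint) in norm(sheet.decode("utf-8"))

def ready_to_confirm(sheet: bytes, my_fpr: str,
                     recorded_sum: str, announced_sum: str) -> bool:
    """Step 5: what a participant confirms to a signer. recorded_sum is
    whatever is written on the paper they brought to the KSP."""
    return (own_fingerprint_listed(sheet, my_fpr)
            and recorded_sum.lower() == announced_sum.lower())

# --- constructed sample data, not real keys ---
VICTIM_FPR = " ".join(["AAAA 1111"] * 5)   # the victim's real key
SUBST_FPR = " ".join(["BBBB 2222"] * 5)    # key substituted by the organizer
OTHER_FPR = " ".join(["CCCC 3333"] * 5)

def make_sheet(victim_fpr: str) -> bytes:
    return (f"001 Victim Example\n    {victim_fpr}\n"
            f"002 Other Person\n    {OTHER_FPR}\n").encode("utf-8")

sheet_to_victim = make_sheet(VICTIM_FPR)   # mailed to people without printers
sheet_to_others = make_sheet(SUBST_FPR)    # mailed to everyone else
announced = sha1_hex(sheet_to_others)      # checksum read aloud to the group

def scenario() -> dict:
    prefilled = announced                       # written on the printout by someone else
    self_computed = sha1_hex(sheet_to_victim)   # computed by the participant
    return {
        # Pre-filled checksum: the participant sees their correct fingerprint
        # and a matching checksum, so the substitution goes unnoticed.
        "prefilled_passes": ready_to_confirm(
            sheet_to_victim, VICTIM_FPR, prefilled, announced),
        # Self-computed checksum: differs from the announced one, which
        # shows that other participants hold a different file.
        "self_computed_passes": ready_to_confirm(
            sheet_to_victim, VICTIM_FPR, self_computed, announced),
    }

if __name__ == "__main__":
    print(scenario())
```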