On Sat, May 20, 2006 at 12:47:29AM +1000, Aníbal Monsalve Salazar wrote: >On Wed, May 17, 2006 at 02:46:42AM +1000, Aníbal Monsalve Salazar wrote: >>I'll compile an additional list of people who couldn't have their >>keys on the primary list. Please send your key(s) as explained at >>[0] or, alternatively at [2] not later than Thursday, 18th of May, >>2006, Oaxtepec time. > >Neil McGovern will print 140 copies of the additional list. I also >have spare copies of the main list. They were printed by Graham Wilson. >BIG NOTE: You don't have to trust my copies or those printed by >Neil. You must download the original files from [0] or [2], >visually compare them against the copies from Neil/me, also download >the md5/sha1 cheksums and verify them, and finally download the >signed files and verify my signature. As I wrote, please you don't have to trust either me nor Graham Wilson. All points raised by vorlon below are valid. On Tue, May 23, 2006 at 10:26:34PM -0700, Steve Langasek wrote: >Hi folks, > >Now that I'm no longer in the middle of the act of *exchanging* >fingerprints, nor am I scurrying around trying to arrange cooking space for >dinner, I think I owe some people a more detailed explanation of why there >are some keys I won't be signing. :) > >The normal keysigning protocol for this kind of party works like this: > >1. everyone is mailed a copy of the sheet for the keysigning. >2. each person verifies that the fingerprint shown for their own key is > correct in this file. >3. each person takes the checksum of the file they received in email, records > it, and brings it with them to the KSP. >4. the "correct" checksum of the file is read aloud in front of the group by > one of the participants. >5. participants pair off, exchanging IDs and verbally confirming to each > other that the file they received in the mail contained the correct > fingerprint for their key and that the checksum matched the one read out > in front of the group. > >What actually happened to a number of people in this KSP was: > >3. the person brings with them to the KSP a copy of the email, printed for > them by someone else, with the checksum *filled in by someone else*. > >The problem with this is that I, as a potential keysigner, can see that the >checksum on the paper they are holding was *not* written by them, therefore >I do *not* know that the person I am exchanging with has properly verified >before coming to the KSP that the checksum of the file they received in >email is the same as the checksum that was read off in the group. It is >*possible* that they have done this, but there is a very high probability >that many of those using photocopies did not do so. This opens up the >following attack vector: > >1. the KSP organizer knows in advance the identities of a number of people > who don't have printers and will be accepting copies of the paper from > him. >2. the KSP organizer emails a file containing correct fingerprints to those > participants. >3. the KSP organizer emails a file containing fingerprints for *substituted* > keys to everyone else. >4. the KSP organizer prints out the file containing the correct > fingerprints, and writes down on it the checksum of the file containing > the incorrect fingerprints. >5. the victim claims to have verified a checksum that they did not. >6. the fraudulent key is signed, allowing the KSP organizer to impersonate > the victim to the community. > >Now, some people may have done this check correctly in spite of using a >printed copy, but in a large KSP with many novices I am simply not willing >to trust that this is the case. Heck, *I* got the rationale wrong for this >check when arguing with people at the time (sorry, Bdale and Andreas :), and >I think I'm pretty darn smart, so if I got it wrong, I'm not going to trust >blindly that other people got it right. ;) > >For this reason, I told people that I saw had such photocopies that I would >not be signing their key based on this checksum. If I had thought it >through more clearly, I might have asked them whether they had checked the >file's checksum directly on their own computers and used this as >confirmation. As it was, I instead requested that anyone with these >photocopies that wanted me to sign their key exchange fingerprints with me >later, because the 50 seconds allowed per person by the KSP schedule was not >enough time to exchange full fingerprints with each person by hand in the >line. > >Of course, since I left DebConf that night, few people were able to exchange >fingerprints with me. I'm sorry that this will leave some of you without >signatures from me; but even though the probability of Anibal trying to >compromise the web of trust in this fashion is quite small, my signatures >would not add positive value to the web of trust if I signed your keys based >on the trustworthiness of any third party. Other people should be free to >decide for themselves whether they trust Anibal's signatures, instead of >having to implicitly trust Anibal by trusting my signatures. > >So if you don't get a signature from me this year, come to DebConf again >next year and this time don't let Anibal fill out the checksum for you. :) > >-- >Steve Langasek Give me a lever long enough and a Free OS >Debian Developer to set it on, and I can move the world. >vorlon@debian.org http://www.debian.org/ Best Regards, Aníbal Monsalve Salazar -- http://v7w.com/anibal
Attachment:
signature.asc
Description: Digital signature