
Re: [Debconf-discuss] KSP post-mortem: why I won't be able to sign some keys



Aníbal Monsalve Salazar wrote:
> As I wrote, please, you don't have to trust either me or Graham
> Wilson. All points raised by vorlon below are valid.

There's another disappointing thing on the KSP last week. Well, a
couple.

I know most of the local people (or some other minorities who are not
used to large KSPs) don't understand how KSPs are organized, how they
are run. More information regarding this should be given; it is a
complete pain in the ass having people create huge gaps because they
don't understand or remember what they should do (Moray may remember
this from when the KSP started, as I desperately explained in Spanish to a
local person what he should do). I know this is not in our hands, but
something should be done to prevent this stuff from happening. That first guy
in front of me wasn't the only one in this situation. I guess I'm making
it a personal policy not to sign any key generated less than 6 months ago.
Otherwise, I don't trust enough that the other person really understands
what a signing exchange is.

Another disappointing fact is that some of the people who were at the
KSP also signed keys of some who weren't. I know this from a first-hand
contact who didn't attend the party (he was on the list, though) and
received his signed key by mail (he didn't exchange IDs with anybody
before or after the KSP, he didn't do any key exchange or anything at
all, and he _did_ get some signed keys), probably from four or five
persons, as I was told. That makes me completely skeptical about attending
any KSP in the future: what's the point if people don't understand what
they are doing, or if people don't really care whose keys they sign?
Where does the web of trust really end?

> >5. the victim claims to have verified a checksum that they did not.
> >6. the fraudulent key is signed, allowing the KSP organizer to impersonate
> >   the victim to the community.

That's a shame, actually. I saw some of the guys around me asking me to
repeat the MD5 sum that madduck had just said out loud, so they could write
it down, since a) they didn't understand a character or got lost, or b)
they don't understand a bit of English and couldn't get the characters dictated.
Then why should I trust those persons? And I bet all of them confirmed
having checked the fingerprint and the MD5 sum of the file while signing,
as a robotic process, without understanding everything happening around them.

I also came across one person whom, as a joke, I asked for his passphrase, and he
started to read out his fingerprint. That only shows some of the people
don't understand what GPG/PGP is and confuse terms and the like.

> >So if you don't get a signature from me this year, come to DebConf again
> >next year and this time don't let Anibal fill out the checksum for you. :)

When the additional printouts were ready, I was in Oaxtepec and couldn't
print them personally at home or the office. I asked gram if they (the orga
team) had an available printer I could use. He asked me what I needed to
print and I said the additional KSP printout. He replied that
Anibal would have some printouts available for everybody, and since I
don't really like this whole issue of getting the papers from 3rd parties,
I told him I'd prefer to print it myself. After a few attempts to print,
I couldn't do it, since the printer was broken/out of something, and I
had to fall back on Anibal's additional printouts (those which weren't
signed manually by him). That makes me think of something: a) No
additional list should be generated, and b) If people don't bring the
printouts verified at home beforehand, they shouldn't be able to attend the KSP.

Just my 2 pesos cents :)

-- 
David Moreno Garza <damog@damog.net>   |  http://www.damog.net/
		   <damog@debian.org>  |          GPG: C671257D
 Imagine a large red swirl here.
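Added example, not from the original thread: the checks an attendee can run on their own downloaded copy of the participant list before ticking anything off, assuming the list uses the usual gpg --fingerprint layout. The list, key ids and fingerprints below are constructed, and the function names are my own.

```python
import hashlib
import hmac
import re

# Constructed sample KSP list (gpg --fingerprint layout); key ids and fingerprints are fabricated.
KSP_LIST = b"""\
001  [ ] Fingerprint OK  [ ] ID OK
pub   1024D/0123ABCD 2004-05-01
      Key fingerprint = 1234 5678 9ABC DEF0 1234  5678 9ABC DEF0 0123 ABCD
uid   Example Person <example@example.org>

002  [ ] Fingerprint OK  [ ] ID OK
pub   1024D/89EF4567 2005-06-11
      Key fingerprint = FEDC BA98 7654 3210 FEDC  BA98 7654 3210 89EF 4567
uid   Another Person <another@example.org>
"""

PUB_RE = re.compile(r"^pub\s+\S+/([0-9A-Fa-f]{8,16})")
FPR_RE = re.compile(r"Key fingerprint = ([0-9A-Fa-f ]+)$")

def normalise(fpr: str) -> str:
    """Strip spacing and case so a printed and a dictated fingerprint compare equal."""
    return "".join(fpr.split()).upper()

def list_md5(data: bytes) -> str:
    """MD5 of the list file exactly as the attendee downloaded it (the KSP used MD5)."""
    return hashlib.md5(data).hexdigest()

def checksum_matches(data: bytes, announced_md5: str) -> bool:
    """True only if the sum read aloud equals the sum of your own copy of the file."""
    return hmac.compare_digest(list_md5(data), announced_md5.strip().lower())

def fingerprints(data: bytes) -> dict:
    """Map each key id in the list to its normalised 40-hex-digit fingerprint."""
    keys, current = {}, None
    for line in data.decode("utf-8").splitlines():
        if m := PUB_RE.match(line):
            current = m.group(1).upper()
        elif (m := FPR_RE.search(line)) and current:
            keys[current] = normalise(m.group(1))
            current = None
    return keys

def fingerprint_ok(list_fpr: str, observed_fpr: str) -> bool:
    """Compare a list entry with the fingerprint the key holder gives you in person."""
    a, b = normalise(list_fpr), normalise(observed_fpr)
    return len(a) == 40 and hmac.compare_digest(a, b)

def keyid_consistent(keyid: str, fpr: str) -> bool:
    """A v4 key id is the trailing hex digits of its fingerprint; a mismatch flags a bad entry."""
    return normalise(fpr).endswith(keyid.upper())
```

The point of computing the sum locally is that a checksum someone else filled in for you, or a printout handed to you, proves nothing about the file you actually downloaded.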