
Re: [Debconf-discuss] KSP post-mortem: why I won't be able to sign some keys



On 25 May 2006, Holger Levsen stated:

> Hi,
>
> while I agree that flaws in the actual protocol being used are
> problematic and worth pointing out, I wonder much more why people
> aren't more worried about how people use their computers: (double
> booting Windows and) not using encrypted partitions, leaving their
> computers unlocked while being away, using binary only (non-free)
> software, running experimental packages from various sources
> (assuming that sid, testing and stable are safe..), etc. This
> potentially exposes the integrity of the private key, not only the
> integrity of signatures - which later can be revoked anyway.

        I have given up on that.  People insist on using their keys on
 networked computers, they even leave them lying around on _public_
 machines over which they have little control.

        If I were to insist on proper key security protocols, there
 would be a small handful of people who would qualify.

> After a talk about the problems with gpg's web of trust at 22C3
> (e.g. in what do you put trust when you sign a key? the person being
> the person or her/his ability to keep his private key private or his
> ability to sign other people's keys ?

        Lacking proper psychic abilities, I can't honestly give my
 word on the latter.

> Having said this, I also do believe that any step to create a bit
> more trust is a worthwhile one. We should just never forget, that
> _we_ don't sign stuff with gpg, it's our computer who does the
> signing. And this is completely different from "real" signatures.

        I have never signed anything in reality. It is either a
 computer, or a pen, doing the "signing". Do you have a point about
 people being poor at any form of signing if no tools are used?

        manoj
-- 
I have been insulted! I have been hurt! I have been beaten! I have
been robbed! Anger does not cease in those who harbour this sort of
thought. 3
Manoj Srivastava   <srivasta@acm.org>  <http://www.datasync.com/%7Esrivasta/>
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C
