
[Debconf-discuss] Re: Please revoke your signatures from Martin Kraff's keys



Dear Manoj, dear fellow DDs,

I guess I could have known that this experiment of mine would turn
into a huge thread, unfortunately extending across two mailing
lists. Thus, it is surely in order for me to apologise for being the
cause that your inboxes filled up.

I have said most of what I wanted to say in my blog entry [0], even
though I could have articulated and backed up my arguments a bit
better. I will try to do better this time, but it will be my only
message to this thread, unless the subject of followups is changed
and indicates an actually relevant topic (at which point in time
it's a new thread...). Please note, however, that I am leaving
Mexico tomorrow and will be away from my mail more or less until
Monday.

0. http://blog.madduck.net/geek/2006.05.24-tr-id-at-keysigning

First of all, my name is Martin Felix Krafft (with a final 't'), and
my GPG key ID is 0x330c4a75. The unofficial ID I presented listed
that name (without the middle name), a photo is available from [1]
(sorry, can't do better now). Thus, the ID card is an unofficial
card, but the identity it claims is my real identity, not a fake
one. To me, this is an important distinction in the context of this
discussion.

1. http://madduck.net/~madduck/scratch/tr-id.jpg

Key numbers 1-102, as well as 123-140, got to see my unofficial ID
(if they were present). Those who didn't accept the ID surely
remember being shown an official one I had in my pocket.

I have indicated in my blog posting that GPG allows you to revoke
signatures from keys, and I included that information exactly
because I wanted to make it easier for people to undo the signing if
they felt cheated. In any case, it should be the decision of each
and every individual whether to revoke his/her signatures on my key.
A public call as in this case is especially inappropriate IMHO,
because no one can actually define the proper baseline for identity
verification at keysigning parties.

For your information, to date, not a single signature has been
revoked.

Before I respond to a few of the issues and questions raised in the
thread, let me present my view of the problem. I would like to thank
my travelling companions for helping me straighten it out.

The Debian project heavily relies on keysigning for much of its
work. However, I think the question of what the signing of a key
actually accomplishes has not been properly addressed. In my
opinion, from the point of view of the Debian project, a person's
actual identity (as in the name on your birth certificate) matters
very little; the Debian project does not actively interfere with
a person's real life in such a way as to require the birth
certificate identity (legal cases, liability issues, etc.).

Moreover, it's rather trivial in several countries of this world to
change your official name. In this context, even the claim that in
the case of a trust abuse, your reputation throughout the FLOSS
community (and the rest of the Internet) should be properly
tarnished, does not stand, IMHO.

From within the project, what matters is that everything you do
within the project can be attributed to one and the same person: the
same person that went through our NM process. The GPG key is one
technical measure to allow for this form of identification. Its
purpose is not, as Micah Anderson states, a means to confirm the
validity of a government-issued ID.

This brings me to a point which Andreas Schuldei nicely stated at
the beginning of the thread (as did others throughout):

> I do not need an ID to identify martin, so i don't need to rely on
> his (forged or real) passport or other id from him in order to
> sign his key. If you did not know him before you should not sign
> his key (if your judgement was based on the unofficial ID).

When Andreas signs my ID, he voices his trust in that I am who
I claim to be, and he does so not because I presented him with an ID
with the claimed name, but because we've interacted many times
before. In that line, Gunnar's point stands:

> Maybe we should just drop holding KSPs, and fall back to the
> traditional method of "Hey, nice dinner we had yesterday. Say, now
> that you know me, my family and my history, would you like to sign
> my key as well?" - Signing for people you actually know, not just
> linking

In my eyes, this is exactly what a keysigning is and should be all
about: a statement of familiarity with a person, nothing more and
nothing less. And as a project, we should either accept that, or
find a better way to identify our developers.

So what to do in this very situation? Should you revoke your
signature from my key (or not even sign it in the first place)?
Should you revoke or refuse signatures to all participants, because
some claim the keysigning party to have been subverted? I think the
answer to both cases should be: no, unless you have not previously
known the person whose key you wish to sign. That's exactly what
makes this decision very subjective, and a public call such as the
original post rather unnecessary and missing the point.



Now for a few of the issues and questions raised in this thread:

also sprach Manoj Srivastava <srivasta@debian.org> [2006.05.25.0236 -0500]:
>         It has come to my attention that Martin Kraff used an
>  unofficial, and easily forge-able, identity device at a large key
>  signing party recently.

I do not think the ID I presented is easily forgeable. And it cannot
be bought. It is issued by the ID issuing authority of the
Transnational Republic, and it requires bureaucratic paperwork,
including the verification of an official ID. You claim throughout
your posts that this ID can be purchased at will. I would appreciate
if you'd try even just to get an ID in your name; I will cover all
your expenses towards the Transnational Republic.

Part of the outcome of my experiment is that I want to draw people's
attention to what an official and unforgeable ID really is. If you
draw the line of standard too high, you should have to ask yourself
the question whether an ID is forgeable every time you inspect one.
And the question as to whether it is an official ID can only be
answered if you know exactly what the respective nation's ID looks
like *and* you trust the issuing authority. From the evidence I've
seen so far, this would make it impossible for anyone with
unreasonable standards to sign most any other key.

>         Presenting essentially a fake ID is an act of bad faith that
>  leads one to wonder how many of the other key signing parties he has
>  attended did he present a false ID?

I have done this experiment twice before: at the 10th Debian
anniversary in Zurich, as well as on the LinuxTag 2005 keysigning.
I did not have a blog back then or else I would have published the
results earlier, for I didn't know of another medium that I deemed
appropriate. The outcome was more or less the same in all cases:
only 10% noted the unofficial ID and inquired about it.



also sprach Manoj Srivastava <srivasta@acm.org> [2006.05.25.1616 -0500]:
>         The Next time that key signs a NM candidates key, and that sig
>  is used to get someone into Debian, privileges would have been
>  granted from a tainted signature.

There are plenty of signatures by DDs who know exactly what kind of
ID I can and should have on my key. No signature can taint a key
that's already sufficiently connected.



also sprach Mike Hommey <mh@glandium.org> [2006.05.25.1726 -0500]:
> Manoj, how do *you* ensure the ID that someone presents you is a proper,
> official ID ?

Or, given your admittedly favourable protocol of requiring two IDs,
how do you ensure that both IDs are proper and official?



also sprach Steve Langasek <vorlon@debian.org> [2006.05.25.1831 -0500]:
> Where is the indignant outrage towards those 9 out of 10
> keysigners who apparently had no objection to signing a key based
> on a trumped-up ID card with no legal validity?  If you really
> care about the strength of our web of trust, *they* are who should
> be named and shamed here.

Should they really? Shouldn't we rather, as a project, put
keysigning into the light into which it belongs and start working
from there? I don't think we can cure the human error here for good.

> The whole reason we have an ID check in the first place as part of
> the standard keysigning practice is that we do *not* trust people
> to be who they say they are:  if I'm doing what I'm supposed to as
> a key signer, then I'm not vulnerable to attacks based on
> trivially-falsified IDs.  If I'm not doing what I'm supposed to,
> the only person I have reason to be mad at is myself.  If I (or
> anyone else) can't be trusted to directly and personally verify
> the ID of the person whose key I'm (they're) signing, then my
> (their) keys add no value at all to the web of trust.  It is
> better to have no signatures than to have weak signatures
> pretending to be worth something.
> 
> I applaud your personal decision to revoke signatures for this KSP
> based on your doubts regarding the efficacy of your own ID checks
> under these circumstances, but I don't think it's appropriate for
> you to accuse Martin of wrongdoing.

I could not have put this better. Thank you, Steve.



also sprach Agustin Martin <agmartin@debian.org> [2006.05.25.1845 -0500]:
> Martin, but in a more subtle (and dangerous) way. The only thing I can
> complain about Martin is for not putting shame on those that were to
> sign his key just before signing, so others learn.

I do not consider myself in the position to do so as I certainly
want to put people on the spot. IMHO, it's not their fault, as
others have argued. A two hour marathon drains everyone's
concentration, and pointing the finger at some won't do anything.
Instead, we should work on making sure to find a protocol that
protects the web of trust from human error.

I imagine an improved protocol for the keysigning, which is based on
an idea I overheard after the party (and someone mentioned it in the
thread): instead of the everyone-signs-everyone approach, it might
be interesting to investigate forming groups (based on connectivity
statistics) such that everyone's mean distance in the web of trust
can be increased by a fair amount in a short amount of time. At the
same time, such circles could be used for education by those with
high connectivity (and thus much experience). The problem here is of
course the somewhat unreliable attendance of people. Comments
welcome.



also sprach Javier Fernández-Sanguino Peña <jfs@computer.org> [2006.05.25.1300 -0500]:
> FWIW, I noted down those keys I would *not* sign and didn't tell
> the people at the KSP that I would not sign them. I guess his
> experiment "only one in ten said that they would *not* sign it" is
> moot unless he backs it up with the signatures he eventually got
> sent from those he showed a wrong ID to.

Out of curiosity, did you mark my key to be "questionable"?

The point you raise is a valid one. However, given how many people
just don't sign keys after keysignings, the data would be skewed in
the other direction.

I do not yet understand why some people do not confront those with
questionable IDs. Maybe you can shine some light on that.



also sprach Manoj Srivastava <srivasta@debian.org> [2006.05.25.1146 -0500]:
>         All this means is that his crack was well put together with
>  credible looking fake ID's that would fool most people  checking the
>  ID's of all the other KSP participants.  A clever social engineering
>  crack, based on the volume of unfamiliar documents people had to
>  check, and how tired they were.

For all that it's worth, I did not plan to conduct this experiment.
I remembered in the middle of it and subsequently started it,
explaining to those around me what I was doing.



also sprach Enrico Zini <enrico@enricozini.org> [2006.05.25.1218 -0500]:
> However, from the book you don't get the address of madduck's
> home, which is what you want when you have to go and drag him to
> jail if he willingly uploads some malicious code.

Could you even drag me to jail for anything I do (or don't do) in
Debian? Which jurisdiction would be used? Who'd be the prosecutor?
What kind of legal claims would actually stand a chance?

Thanks for reading along! Greetings from Mexico,

-- 
Please do not send copies of list mail to me; I read the list!
 
 .''`.     martin f. krafft <madduck@debian.org>
: :'  :    proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
i feel like i'm diagonally parked in a parallel universe.
