
[Debconf-discuss] Re: Please revoke your signatures from Martin Kraff's keys



On 27 May 2006, martin f. krafft spake thusly:

> Dear Manoj, dear fellow DDs,
>
> I guess I could have known that this experiment of mine would turn
> into a huge thread, unfortunately extending across two mailing
> lists. Thus, it is surely in order for me to apologise for being the
> cause that your inboxes filled up.

        Any act of deception meant to exploit the weaknesses of the
 system, rather than participating in a key signing in good faith, is
 likely to have had this effect, yes.

> 0. http://blog.madduck.net/geek/2006.05.24-tr-id-at-keysigning
>
> First of all, my name is Martin Felix Krafft (with a final 't'), and
> my GPG key ID is 0x330c4a75. The unofficial ID I presented listed
> that name (without the middle name), a photo is available from [1]
> (sorry, can't do better now). Thus, the ID card is an unofficial
> card, but the identity it claims is my real identity, not a fake
> one. To me, this is an important distinction in the context of this
> discussion.

        Err, so you claim. I have no means of determining if this is
 true.  The official IDs issued as travel papers have a certain trust
 metric: there are international agreements that are enforced when it
 comes to travel documents.  Each government, in order to allow its
 citizens the right of travel abroad, goes through certain measures to
 tie down the papers issued to their citizens, and there are various
 standards that are applicable to identity verification.  A so-called
 "unofficial" document, purchased from some unknown entity which has
 not entered into these international agreements, does not carry the
 same weight.

        The only reason for having a key signed is to associate an
 identity, even if indirectly, by proxy, via a government issued
 identity document; the tacit understanding is that the checks and
 verification conducted by the governments to meet the international
 agreements are "good enough".


        Now let me talk about Bubba.  Bubba is an entrepreneur, who
 has dedicated his professional career to serving the freshmen of
 University of Tennessee at Knoxville, in meeting their obligations
 and rights as college students to worship at the altar of Bacchus.
 On examination of the Benjamins, and other documents bearing the
 imprints of various presidents of the United States, he provides you,
 after due process, travel documents of various domains and
 verisimilitude.

        If I were to crack a key signing party, using Bubba's travel
 documents, I too would swear up and down the street that he indeed
 correctly and diligently verified all kinds of _other_ government
 IDs when practising his art.

        Anyone would have the right to doubt further protestations
 from a known cheater: how do we know this is not a further elaborate
 test of the credulity of the community at large?



>
> From within the project, what matters is that everything you do
> within the project can be attributed to one and the same person: the
> same person that went through our NM process. The GPG key is one
> technical measure to allow for this form of identification. Its
> purpose is not, as Micah Anderson states, a means to confirm the
> validity of a government-issued ID.

        A GPG key that cannot be traced to a real person who has
 introduced a trojan into Debian and has stolen valuable data
 (perhaps, just as another "test" to prove how stupid people are to
 trust Debian), is worth less than a key that can implicate a real
 person, and perhaps mitigate some damage done by the attack.

>> I do not need an ID to identify martin, so I don't need to rely on
>> his (forged or real) passport or other id from him in order to
>> sign his key. If you did not know him before you should not sign
>> his key (if your judgement was based on the unofficial ID).

>> Maybe we should just drop holding KSPs, and fall back to the
>> traditional method of "Hey, nice dinner we had yesterday. Say, now
>> that you know me, my family and my history, would you like to sign
>> my key as well?" - Signing for people you actually know, not just
>> linking
>
> In my eyes, this is exactly what a keysigning is and should be all
> about: a statement of familiarity with a person, nothing more and
> nothing less. And as a project, we should either accept that, or
> find a better way to identify our developers.

        This is also silly --- what is the trust path he has to the
 cracker's identity?  Say, some person walks up to a LUG or linuxtag or
 debconf and says, "Hi, I am Donal Duck".  He proceeds to talk about
 free software, goes out for drinks, and tells a fine tale.  He does
 so again a year later, again calling himself Donal Duck.

        Now, with the help of Bubba, he walks in, and our dear friend
 would happily sign the key of young Donal.  Knowing the person does
 no good for real identity verification if we accept the behaviour of
 presenting Bubba's identity papers.

> So what to do in this very situation? Should you revoke your
> signature from my key (or not even sign it in the first place)?

        I have not, and never will sign your key, ever again.  I don't
 trust you to present identity papers that are trustworthy -- unless I
 can get a law enforcement official I select to test and verify your
 papers, and possibly not then.

> Should you revoke or refuse signatures to all participants, because
> some claim the keysigning party to have been subverted?

        Well, yes, since the KSP was indeed subverted, I am not
 signing any keys from this event. I am considering not signing keys
 from the Debian community, since it apparently condones Bubba ID
 papers.

> I think the answer to both cases should be: no, unless you have not
> previously known the person whose key you wish to sign. That's
> exactly what makes this decision very subjective, and a public call
> such as the original post rather unnecessary and missing the point.

        Coming from a cracker, I can see no stronger validation for a
 key revocation than this statement.

> Now for a few of the issues and questions raised in this thread:
>
> also sprach Manoj Srivastava <srivasta@debian.org> [2006.05.25.0236
> -0500]:
>> It has come to my attention that Martin Kraff used an
>> unofficial, and easily forge-able, identity device at a large key
>> signing party recently.
>
> I do not think the ID I presented is easily forgeable.

        Says the person who was presenting an unofficial ID to see how
 many people would be fooled into signing it.  Why should I trust you
 now, having seen you violate my trust once before?


> And it cannot be bought. It is issued by the ID issuing authority of
> the Transnational Republic, and it requires bureaucratic paperwork,
> including the verification of an official ID. You claim throughout
> your posts that this ID can be purchased at will. I would appreciate
> if you'd try even just to get an ID in your name; I will cover all
> your expenses towards the Transnational Republic.

        Right, just like Bubba examines all Benjamins proffered to
 him.

> Part of the outcome of my experiment is that I want to draw people's
> attention to what an official and unforgeable ID really is. If you
> draw the line of standard too high, you should have to ask yourself
> the question whether an ID is forgeable every time you inspect one.

        In the circles I used to move in, yes, purchasing IDs from
 Bubba or a nonexistent republic would have been unacceptable, and a
 lower standard could have been in effect.

>> Presenting essentially a fake ID is an act of bad faith that leads
>> one to wonder how many of the other key signing parties he has
>> attended did he present a false ID?
>
> I have done this experiment twice before: at the 10th Debian
> anniversary in Zurich, as well as on the LinuxTag 2005 keysigning.

        So this was a repeat social engineering exploit? Kudos.

> I did not have a blog back then or else I would have published the
> results earlier, for I didn't know of another medium that I deemed
> appropriate. The outcome was more or less the same in all cases:
> only 10% noted the unofficial ID and inquired about it.

        I know. Social engineering cracks have an unfortunately high
 success rate.  This is why we still have grifters; people are
 naturally trusting.

> also sprach Manoj Srivastava <srivasta@acm.org> [2006.05.25.1616
> -0500]:
>> The Next time that key signs a NM candidates key, and that sig
>> is used to get someone into Debian, privileges would have been
>> granted from a tainted signature.
>
> There are plenty of signatures by DDs who know exactly what kind of
> ID I can and should have on my key. No signature can taint a key
> that's already sufficiently connected.

        Err, who knows what kind of ID was presented to those poor
 sods? I mean, if Steve Langasek can be fooled, so can anyone.  I am
 merely asking people who have signed your key to re-examine their
 recollection and revoke their sigs unless they are dead sure the
 documents they examined were official, and had not been tampered with.

        manoj
-- 
Bye Bye PDP 10
Manoj Srivastava   <srivasta@debian.org>  <http://www.debian.org/%7Esrivasta/>
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C
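The "tainted signature" point argued above can be made concrete with a small model of how certification validity propagates through a web of trust. This is an added toy example, not code from the thread or from Debian's keyring tooling; all key names (DD_*, NM_*, SUSPECT) are constructed, and the rule that a key is valid when it carries enough signatures from already-valid keys is a simplification of real trust-model semantics.

```python
from typing import Dict, Set

# Constructed toy keyring (not real Debian keys): signer -> keys it has signed.
# DD_* are hypothetical developers trusted as roots, NM_* are hypothetical
# applicants, SUSPECT is the key whose ID verification is in dispute.
SIGS: Dict[str, Set[str]] = {
    "DD_A": {"SUSPECT", "NM_1"},
    "DD_B": {"SUSPECT", "NM_2"},
    "DD_C": {"SUSPECT"},
    "DD_D": {"NM_2"},
    "SUSPECT": {"NM_1", "NM_2", "NM_3"},
}
ROOTS: Set[str] = {"DD_A", "DD_B", "DD_C", "DD_D"}


def signers_of(sigs: Dict[str, Set[str]], key: str) -> Set[str]:
    """All keys that have certified `key`."""
    return {s for s, signed in sigs.items() if key in signed}


def valid_keys(sigs: Dict[str, Set[str]], roots: Set[str], min_sigs: int = 1) -> Set[str]:
    """Fixed-point computation: a key is valid if it is a root or carries at
    least `min_sigs` certifications from keys that are themselves valid.
    Certifications made by an invalid key do not count, which is exactly
    how a revoked or untrusted signature propagates down the chain."""
    valid = set(roots)
    changed = True
    while changed:
        changed = False
        candidates = {k for signed in sigs.values() for k in signed} - valid
        for key in candidates:
            if len(signers_of(sigs, key) & valid) >= min_sigs:
                valid.add(key)
                changed = True
    return valid


def revoke_sigs_on(sigs: Dict[str, Set[str]], target: str, signers: Set[str]) -> Dict[str, Set[str]]:
    """Copy of the keyring with the given signers' certifications of `target` removed."""
    return {s: (signed - {target} if s in signers else set(signed)) for s, signed in sigs.items()}


def keys_lost_after_revocation(min_sigs: int = 1) -> Set[str]:
    """Which keys stop being valid once every root revokes its signature on SUSPECT."""
    before = valid_keys(SIGS, ROOTS, min_sigs)
    after = valid_keys(revoke_sigs_on(SIGS, "SUSPECT", ROOTS), ROOTS, min_sigs)
    return before - after


if __name__ == "__main__":
    print("keys invalidated:", sorted(keys_lost_after_revocation()))
```

NM_3, certified only by SUSPECT, falls with it, while NM_1 and NM_2 keep independent certifications and survive; raising `min_sigs` to 2 shows that even a partial revocation can drop keys that looked well connected.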
