[Debconf-discuss] Re: Please revoke your signatures from Martin Kraff's keys
On Sun, May 28, 2006 at 10:37:39PM -0500, Manoj Srivastava wrote:
> On 27 May 2006, martin f. krafft spake thusly:
> > From within the project, what matters is that everything you do
> > within the project can be attributed to one and the same person: the
> > same person that went through our NM process. The GPG key is one
> > technical measure to allow for this form of identification. Its
> > purpose is not, as Micah Anderson states, a means to confirm the
> > validity of a government-issued ID.
>
> A GPG key that can not be traced to a real person who has
> introduced a trojan into Debian and has stolen valuable data
> (perhaps, just as another "test" to prove how stupid people are to
> trust Debian), is worth less than a key that can implicate a real
> person, and perhaps mitigate some damage done by the attack.
You're making fun of yourself.
If someone willingly introduces a trojan into Debian, and they did so by
means of a GPG key bearing their own name, then we have no more or less
problems than when this would happen if done by means of a GPG key
bearing the name of 'Poo', the teletubbie. The fact that my key does
indeed bear my own name does not in any way 'mitigate' anything that I
might perhaps do to harm the Project (not that I in any way intend to do
so). The problem would exist, the damage would be done, and it would be
a real-world problem whether or not we would be able to point fingers.
Then there's the issue of tracing who did an actual upload into the real
world. A name on a GPG key is not, by any means, an effective way to do
that, since it does not contain enough information to get out the black
helicopters. Case in point:
<http://www.volleyteam-roeselare.be/spelers/verhelst.htm>
I am not a professional volleybal player who make appearances on TV.
However, this person is, and he bears my name. It is written exactly the
same way. By way of a name on a GPG key _only_, you would be able to
trace anything I might have done to me; but it's just as likely that you
would trace it to this person instead.
What you really need is a way to link a name to an actual person. A GPG
key is not an effective means to do that. If you really want to link a
person's name to a GPG key, then a far more effective way of doing so is
looking at a person's email address (which is globally unique, unlike a
name), contacting the person in charge of the mail server, log the IP
addresses that fetch mail for that person, and contact the owner of the
netblock to find out the snail mail address or phone number of the
person involved.
In other words, I will not object to signing someone's GPG key if it
only contains a nickname rather than an official name (though I might
have second thoughts), but I will _not_ sign _any_ uid on a key of which
I have not personally verified that the person reading the email address
has access to the key.
> > In my eyes, this is exactly what a keysigning is and should be all
> > about: a statement of familiarity with a person, nothing more and
> > nothing less. And as a project, we should either accept that, or
> > find a better way to identify our developers.
>
> This is also silly --- what is the trust path he has to the
> crackers identity? Say, some person walks up to a LUG or linuxtag or
> debconf and says, "Hi, I am Donal Duck". He proceeds to talk about
> free software, goes out for drinks, and tells a fine tale. He does
> so again a year later, again calling himself Donal Duck.
This scenario seems highly unlikely.
I expect that anyone willing to work a whole year on building up trust
with people he intends to defraud would be just as willing to pay the
amount of money required to acquire counterfeited, but real-looking, ID
cards.
You are not the CIA, and even they are unable to say with 100% certainty
that people are who they claim to be. I suggest you let it go.
--
Fun will now commence
-- Seven Of Nine, "Ashes to Ashes", stardate 53679.4
Reply to: