[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [Debconf-discuss] GPG keysigning?

On Mon, Jun 22 2009, martin f krafft wrote:

> Does it matter whether I have a passport that carries my name, or
> whether the name on my key, with which I consistently identify
> myself in Debian, is actually my own name? Why would anyone care?

        This is getting silly enough that we probably want to back off a
 bit and examine what we really want to do here.

        So, I see a reason for having a gpg sig signed by other people
 is accountability: we want to tie a online persona to a real person in
 some way (if not, there is no point in signing keys; you just make
 every contributor sign with whatever keys they want, and just let that
 key owner build up a trust in their competence/integrity/homage to the
 holy penguin pee/whatever.

        You can send in your own signed message saying you have known
 the work signed by key foo for years, and you trust the owner of that
 key to turn in goodly work, and you think the owner of that key has the
 technical chops to belong to Debian, whatever. The key owner, of they
 change their key, will lose a lot of that trust the old key built,
 unless they can prove the new key owner is the same as the old key
 owner -- which means that we need to tie the keys together somehow. Of
 course, an interesting means of doing so is to somehow tie the key to a
 real person (heh).

        This is all that is really needed for the integrity/trust of the
 work produced by a keys owner.

        However, if you want to tie that key owner to a real person, to
 somehow (my speculation) bring down the wrath on the community on
 someone who does something nasty or  subverts the DMUP or causes the FSM
 to weep, well, you need the meet and greet and key signing
 stuff. Smiting evil dooers seems to be the major cause that justifies
 this exerciser, since otherwise the person can just dump their key,
 change their email, and get away scot free. Hard to smite them then.

        Now really, we want to tie the key to a person -- even if they
 resleeve (a. la. Altered Carbon, [0]). Thankfully, releeving is not
 (yet) possible, so we don't have to deal with that. All we have to do
 is to tie a key to a real live person, and do it in a fashion that is
 reproducible and testable.

        Traditionally, you establish identity for a person by one or
 more of:
   A) Something they (and only they) have. This is previously issued
      tokens of some kind (passports, id cards, secure tokens,
      etc). There are three things needed to make this even the least bit
      1) You need to trust the process of deploying the thing they have;
         someone must establish in some manner who the person is, before
         the token is given out
      2) The token should not be easily duplicated, stolen, and
         reused. This requires some care on the part of the token holder
      3) You can actually verify that the token is genuine and decipher
         who the token was issued to without being spoofed.
   B) Something that the person is. Biometrics, etc. Again, the caveats
      apply about spoofing, and trusting you know what it is that the
      person is supposed to be (is it really Mr X's retina scan I am
      trying to match?)
   C) Something they know. Shared  secrets, passwords, knowledge of
      events past you and the person knows, and no one else could.

        Madduck seems to put a whole lot of unjustified confidence in C)
 above.  You might think you know the person pretending to be Mr X, but
 really, most of us at debconf have done little to verify C to any
 degree of reliability. If all you can say is that person owns that
 email address, why are you even bothering to have a signing party? You
 don't need it to ascertain that a key owner controls an email address
 by some other persons signature; just send a encrypted message to that
 email address and ask for a reply. Done.

        So, A. Now, most countries where people are allowed to come to
 my country from have to demonstrate a process by which they issue
 travel documents to their citizens, and I have established for myself
 that if  it meets the State departments needs, then !.1 is satisfied
 for me.

        A.2 is somewhat harder, but  being careless about your travel
 documents has real world consequences, and most countries whose
 citizens can travel to mine have made travel docs hard to
 duplicate. Not impossible, but hard.
        A.3 seems to be the part which receives most criticism; I can
 surely be spoofed by a well forged travel document. But it does raise
 the bar for someone who needs my signature, and I think it meets my
 threshold of return on effort to sign the key, and put a modicum of
 trust in the assertion that we have nailed that key to a real human

        So while signing keys is not about governments, as Russ said, it
 is about establishing identity, and government issued identity
 documents are better proxies for establishing that than I can be
 bothered to do myself.

        And, on my day job, people will fall over laughing about basing
 identity on what someone says often enough over a period of time with
 no further checks. And yes, my tummy still hurts.


[0]: http://www.goodreads.com/book/show/40445.Altered_Carbon
Subtlety is the art of saying what you think and getting out of the way
before it is understood.
Manoj Srivastava <srivasta@acm.org> <http://www.golden-gryphon.com/>  
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C

Reply to: