
Re: [Debconf-discuss] GPG keysigning?

On Mon, Jun 22 2009, Russ Allbery wrote:

> Manoj Srivastava <srivasta@acm.org> writes:

>>         So while signing keys is not about governments, as Russ said, it
>>  is about establishing identity, and government issued identity
>>  documents are better proxies for establishing that than I can be
>>  bothered to do myself.

> Particularly given that if one does need to smite, the process of
> smiting is likely to be done via a government, presumably the one that
> issued the identity papers in the first place.  So there is a reasonable
> connection.

> Security is always a tradeoff -- it's just about where you want to put
> the tradeoff between verification work and convenience.  There are a lot
> of things that we could do that other organizations do, like hire
> private investigators to do background checks (which seems to be coming
> routine for employment in the US, at least in a cursory way).  Or we
> could sign keys based on e-mail interactions.

> Meeting in person and exchanging government ID or something that looks
> good enough to fool people is a compromise position, but I do think
> there's a general feeling that it's close to a sweet spot in that
> tradeoff for what we want out of our web of trust.

> Going back to the previous discussion in debian-devel about signing a
> key for which the only IDs are pseudonyms, I personally would do that,
> but only if I knew the person personally and knew they were the person
> who used that pseudonym.  Which means that in the event of smiting being
> necessary, I would personally be able to trace that key to a person.

        The key signing then works for you to keep a marker that you
 know the person behind the key, but it does not help the Debian project
 at large, since you know where to deliver the smite, the current or
 future officers of the project may not (especially if you have lost
 interest and moved on to better things, as happens to people).

        The thing is, your identification scheme fails the
 reproducibility test; there is no way that the person with the pseudo
 (i.e. lie [0]) name can't reproduce the identification challenge with,
 say, me, or any wider test authority that does not belong to the small
 subset of the people who know the person behind the key well enough to
 make the smiting a viable deterrent.

        The set of people familiar with the travel documents is likely
 to be larger, and there are back channels to the authoritative
 distributors which can be used to deliver the smite to, independent of
 personal shared history with the aforementioned individual.

        Now, Madduck wants us to say that there is no need for this
 broader identity verification mechanism, that one should just trust him,
 and there shall be a means of smiting evil doers just the same -- but
 after debconf 6 --- his track record for trust on identification
 schemes runs pretty low.  Me, I would like there to be a well
 established identification process that does not merely rely on a
 shared history.  The travel document thing raises the bar higher -- by
 either collusion, or by the ability to spoof the signer (unfortunately,
 that bar is rather low at mass key signings).


  Pseudo- \Pseu"do-\ [Gr. pseydh`s lying, false, akin to psey`dein
     to belie; cf. psydro`s lying, psy`qos a lie.]
     A combining form or prefix signifying false, counterfeit,
     pretended, spurious; as, pseudo-apostle, a false apostle;
     pseudo-clergy, false or spurious clergy; pseudo-episcopacy,
     pseudo-form, pseudo-martyr, pseudo-philosopher. Also used
     [1913 Webster]

Be wary of strong drink.  It can make you shoot at tax collectors and
miss. Lazarus Long, "Time Enough for Love"
Manoj Srivastava <srivasta@debian.org> <http://www.debian.org/~srivasta/>  
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C
