Re: [Debconf-discuss] GPG keysigning?



On Wed, Jun 17, 2009 at 01:49:55PM +0200, martin f krafft wrote:

> > This would also eliminate people that have fake ID from places
> > that most people wouldn't recognise at all -- we're almost bound
> > to have a local that will recognise it as fake, and so not sign.
> > By adding the denouncement procedure that key will get signed by
> > nobody at the key signing, rather than getting signed by quite
> > a lot of the people who would have been convinced.

> You are putting *way* too much weight and importance into the
> government-issued document, and basically none into the identity of
> the holder. Seriously: we're supposed to be certifying identities,
> not the authenticity of a government document.

I thought this was suitably rebutted years ago after the DC6 keysigning.  To
bring up the same arguments again looks like trying to win by getting the
last word...

The government IDs are relevant because when we're collaborating on an OS
where there's minimal code review of the work done by maintainers and a
well-chosen malicious package could cause millions or billions of dollars in
damage to our users, we[1] want to be able to hold someone accountable in
the real world.  Not an "identity", but a physical person that we can
prosecute and send to jail.

Since governments are in charge of jails, government IDs are therefore the
best tool we have available for this, without significantly compromising our
scalability.

On Mon, Jun 22, 2009 at 03:04:42PM +0200, martin f krafft wrote:
> Does it matter whether I have a passport that carries my name, or
> whether the name on my key, with which I consistently identify
> myself in Debian, is actually my own name? Why would anyone care?

Are you asking if it matters whether you have a passport, or are you asking
if it matters if your passport has a name on it other than your own?

Of course the latter matters.  If the name on the passport isn't yours, it's
a fraudulent ID.  Why do people have fraudulent IDs?  The normal reason is
so they can avoid accountability!

> In this context, I appreciate Wookey's tale of how simple it is to
> have your name officially changed. If you're unwilling to accept my
> new name, I'll just have to go through extra troubles to get some
> government on this earth to issue a new identity. I doubt that will
> be much of a hindrance to anyone who actually pursues malice.

I doubt you would credibly pass for a Somali.  There's an implicit
expectation that the ID used for keysigning verification corresponds to the
signee's nationality or country of residence, and isn't just an ID issued by
an arbitrary country.

Your use of a Transnational Republic ID in Mexico doesn't invalidate this
expectation; it just highlights that, when doing a keysigning party with 180
people in the Mexican sun who have somewhere to be afterwards, our
collective ID-checking practices (and mine included) are shit.  So I thank
you for the object lesson, which has made me more reluctant to participate
in large KSPs, but I wholly reject your conclusions.

> I challenge anyone claiming that you will be able to drag me to
> court for malice under my GPG identity in a way that you wouldn't be
> able to do based on IP address logs and similar.

You know about tor, right?

> Yes. And that's completely unrelated to why we're signing keys
> anyway. The web of trust does not protect us from spies. It makes
> sure that all of one's actions can be attributed to that very same
> person, such that e.g. an upload or a vote actually stems from the
> same person who has previously passed the NM process. That's all.

I agree that avoiding MITM attacks is *an* important feature.  I don't agree
that it's the *only* one.

On Tue, Jun 23, 2009 at 08:50:16AM +0200, martin f krafft wrote:
> > I think this is the key point, plus just a general sort of raising
> > the effort required for someone to subvert the system as Manoj
> > also mentions.

> Right, but where's the borderline? Having gone through the process
> of getting an ID from the Transnational Republic, I would have no
> trouble imagining that somewhere else on this earth there's a lot
> less scrutiny involved when a government ID is issued.

Fake IDs of various sorts are common practice all over - including in the US
where fake driver's licenses are commonly used to facilitate underage
drinking.  I concede that requiring a government ID is not necessarily a
*high* bar.  Why do you want us to abandon all attempts to set *any* bar for
being able to link contributors to a meatspace identity, instead of raising
that bar?

BTW, most jurisdictions don't like it when you counterfeit their identity
documents, making this a crime in itself.  Which means the state will often
show /some/ interest in helping you track down said counterfeiter for their
own purposes...

> While I still maintain that a community-signed GPG key of a meanie
> is not going to allow for a better indictment in court, I see the
> argument about the proxy. However, given the broad spectrum of
> governments and their standards, I think the cut-off point is
> convenient, but not really useful.

In the case of the Transnational Republic ID, I would argue that it's
inappropriate to use as the basis for keysigning because it's a derivative
of your actual government identity, and there's no reason we should accept
secondary identity documents any more than we should sign every key that's
also signed by our good friend that we really trust.

> Obviously we cannot pick an elite group of countries and deny
> signing to citizens whose governments don't have the resources for
> rigorous processes or fancy documents, or who are simply corrupt, so
> we just accept them all, as long as it's a government.

Yes.  In cases where we don't have much trust in the government (because
they're corrupt, or actively hostile to our own nation, or simply aren't an
effective national government due to lack of resources), I think we actually
should be conscious of this and raise the bar for their citizens in *other*
areas in order to compensate - such as requiring demonstration of sustained,
significant contributions to Debian.  (Which, er, we ought to do anyway for
NM, but in practice the time commitment necessary doesn't actually seem to
be all that much?)

> It might be asking a bit much to expect people to know whether
> a given country actually exists, too. I remember people asking me
> where the Transnational Republic was.

I don't think it's too much to ask that people not sign keys based on IDs
issued by countries they've never heard of.  If we're not going to expect
even that basic level of diligence, we might as well save ourselves a whole
lot of time and just let people in as DDs based on signatures from the
automated email-based services. :P

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org

[1] FSVO "we", which seems to include less of Debian than it used to
