[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [Debconf-discuss] GPG keysigning?

On Wed, Jun 17, 2009 at 01:49:55PM +0200, martin f krafft wrote:

> > This would also eliminate people that have fake ID from places
> > that most people wouldn't recognise at all -- we're almost bound
> > to have a local that will recognise it as fake, and so not sign.
> > By adding the denouncement procedure that key will get signed by
> > nobody at the key signing, rather then getting signed by quite
> > a lot of the people who would have been convinced.

> You are putting *way* too much weight and importance into the
> government-issued document, and basically none into the identity of
> the holder. Seriously: we're supposed to be certifying identities,
> not the authenticity of a government document.

I thought this was suitably rebutted years ago after the DC6 keysigning.  To
bring up the same arguments again looks like trying to win by getting the
last word...

The government IDs are relevant because when we're collaborating on an OS
where there's minimal code review of the work done by maintainers and a
well-chosen malicious package could cause millions or billions of dollars in
damage to our users, we[1] want to be able to hold someone accountable in
the real world.  Not an "identity", but a physical person that we can
prosecute and send to jail.

Since governments are in charge of jails, government IDs are therefore the
best tool we have available for this, without significantly compromising our

On Mon, Jun 22, 2009 at 03:04:42PM +0200, martin f krafft wrote:
> Does it matter whether I have a passport that carries my name, or
> whether the name on my key, with which I consistently identify
> myself in Debian, is actually my own name? Why would anyone care?

Are you asking if it matters whether you have a passport, or are you asking
if it matters if your passport has a name on it other than your own?

Of course the latter matters.  If the name on the passport isn't yours, it's
a fraudulent ID.  Why do people have fraudulent IDs?  The normal reason is
so they can avoid accountability!

> In this context, I appreciate Wookey's tale of how simple it is to
> have your name officially changed. If you're unwilling to accept my
> new name, I'll just have to go through extra troubles to get some
> government on this earth to issue a new identity. I doubt that will
> be much of a hinderance to anyone who actually pursues malice.

I doubt you would credibly pass for a Somali.  There's an implicit
expectation that the ID used for keysigning verification corresponds to the
signee's nationality or country of residence, and isn't just an ID issued by
an arbitrary country.

Your use of a Transnational Republic ID in Mexico doesn't invalidate this
expectation; it just highlights that, when doing a keysigning party with 180
people in the Mexican sun who have somewhere to be afterwards, our
collective ID-checking practices (and mine included) are shit.  So I thank
you for the object lesson, which has made me more reluctant to participate
in large KSPs, but I wholly reject your conclusions.

> I challenge anyone claiming that you will be able to drag me to
> court for malice under my GPG identity in a way that you wouldn't be
> able to do based on IP address logs and similar.

You know about tor, right?

> Yes. And that's completely unrelated to why we're signing keys
> anyway. The web of trust does not protect us from spies. It makes
> sure that all of one's actions can be attributed to that very same
> person, such that e.g. an upload or a vote actually stems from the
> same person who has previously passed the NM process. That's all.

I agree that avoiding MITM attacks is *an* important feature.  I don't agree
that it's the *only* one.

On Tue, Jun 23, 2009 at 08:50:16AM +0200, martin f krafft wrote:
> > I think this is the key point, plus just a general sort of raising
> > the effort required for someone to subvert the system as Manoj
> > also mentions.

> Right, but where's the borderline? Having gone through the process
> of getting an ID from the Transnational Republic, I would have no
> trouble imagining that somewhere else on this earth there's a lot
> less scrutiny involved when a government ID is issued.

Fake IDs of various sorts are common practice all over - including in the US
where fake driver's licenses are commonly used to facilitate underage
drinking.  I concede that requiring a government ID is not necessarily a
*high* bar.  Why do you want us to abandon all attempts to set *any* bar for
being able to link contributors to a meatspace identity, instead of raising
that bar?

BTW, most jurisdictions don't like it when you counterfeit their identity
documents, making this a crime in itself.  Which means the state will often
show /some/ interest in helping you track down said counterfeiter for their
own purposes...

> While I still maintain that a community-signed GPG key of a meanie
> is not going to allow for a better indictment in court, I see the
> argument about the proxy. However, given the broad spectrum of
> governments and their standards, I think the cut-off point is
> convenient, but not really useful.

In the case of the Transnational Republic ID, I would argue that it's
inappropriate to use as the basis for keysigning because it's a derivative
of your actual government identity, and there's no reason we should accept
secondary identity documents any more than we should sign every key that's
also signed by our good friend that we really trust.

> Obviously we cannot pick an elite group of countries and deny
> signing to citizens whose governments don't have the resources for
> rigorous processes or fancy documents, or who are simply corrupt, so
> we just accept them all, as long as it's a government.

Yes.  In cases where we don't have much trust in the government (because
they're corrupt, or actively hostile to our own nation, or simply aren't an
effective national government due to lack of resources), I think we actually
should be conscious of this and raise the bar for their citizens in *other*
areas in order to compensate - such as requiring demonstration of sustained,
significant contributions to Debian.  (Which, er, we ought to do anyway for
NM, but in practice the time commitment necessary doesn't actually seem to
be all that much?)

> It might be asking a bit much to expect people to know whether
> a given country actually exists, too. I remember people asking me
> where the Transnational Republic was.

I don't think it's too much to ask that people not sign keys based on IDs
issued by countries they've never heard of.  If we're not going to expect
even that basic level of diligence, we might as well save ourselves a whole
lot of time and just let people in as DDs based on signatures from the
automated email-based services. :P

Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org

[1] FSVO "we", which seems to include less of Debian than it used to

Attachment: signature.asc
Description: Digital signature

Reply to: