Re: I'm not quitting that easy. (Was: Re: I would like to vote also.)

To: "Karl M. Hegbloom" <karlheg@bittersweet.member.dsl-only.net>
Cc: "Debian Developers' Forum" <debian-devel@lists.debian.org>
Subject: Re: I'm not quitting that easy. (Was: Re: I would like to vote also.)
From: Steve Langasek <vorlon@netexpress.net>
Date: Mon, 11 Dec 2000 08:49:26 -0600 (CST)
Message-id: <[🔎] Pine.LNX.4.10.10012110830250.2474-100000@tennyson.netexpress.net>
In-reply-to: <[🔎] 873dfv4zzw.fsf@bittersweet.intra>

On 10 Dec 2000, Karl M. Hegbloom wrote:

>     Karl> </sigh> You must have skipped the next paragraph...  I *do* get it.
>     Karl> I said that.  It doesn't prove I'm the man in the photo, just that
>     Karl> the man in the photo is the man they've met.

>     Thomas> Well, that's quite irrelevant then.  They can tell us that without any
>     Thomas> signatures or PGP at all.  

>  But that key can tie me to that photo I uploaded.  Unless I'm proxy
>  for several people and let one of them sign my ID and upload it for
>  me, my having the private half of that key ties me in some way (How
>  securely?) to that signed scan.  Someday when/if we meet, you can
>  verify that I'm probably the man in the photo, and that I indeed have
>  the private half of that key.  (barring catastrophy)

The value in getting someone to sign your key is not to prove that you are
who you say you are; rather, it's to demonstrate cryptographic evidence that
the key came from the same person who is claiming to be Karl M. Hegbloom.  You
may be a secret government agency that has just enlisted the help of the
/real/ Karl Hegbloom; you may be the real Karl Hegbloom, who happens to also
let twenty of his closest friends use his PGP key; or you may not be Karl
Hegbloom at all, just someone with a cleverly forged ID.  Getting your key
signed can never protect against the above, but getting your key signed DOES
give assurance that if anything goes wrong, and your key is attached to it, it
really is you that's responsible for the problem.  Key signing provides
cryptographic protection against man-in-the-middle attacks of the worst kind.
The kind of man-in-the-middle attacks we're talking about are rather
difficult to achieve, but let's face it, if there /were/ a MITM attack going
on, and your key hadn't been signed, there would be no way to detect it until
it was far too late, because any attacker who was able to intercept all of
your files and emails and re-sign them would easily be capable of concealing
the evidence.  Getting your key signed is important for protecting yourself
and for protecting Debian.

As for whether or not Debian developers are qualified to certify out-of-state
drivers' licenses, the only problem this creates is that someone else could
claim to be Karl Hegbloom, and the reputation of the real Karl Hegbloom will
be ruined when the imposter attempts to sabotage the project.  But this
scenario shouldn't concern you if you're the real Karl Hegbloom, right? :)

Steve Langasek
postmodern programmer

Reply to:

References:
- Re: I'm not quitting that easy. (Was: Re: I would like to vote also.)
  - From: karlheg@bittersweet.member.dsl-only.net (Karl M. Hegbloom)

Prev by Date: Re: I'm not quitting that easy. (Was: Re: I would like to vote also.)
Next by Date: Migrating from PGP to GPG -- problems
Previous by thread: Re: I'm not quitting that easy. (Was: Re: I would like to vote also.)
Next by thread: Re: I'm not quitting that easy. (Was: Re: I would like to vote also.)
Index(es):
- Date
- Thread