[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Keysigning without physically meeting ... thoughts?

>>>>> "Wesley" == Wesley J Landaker <wjl@icecavern.net> writes:

    Wesley> I wrote this up to someone. I thought I'd share it, and
    Wesley> get your thoughts.  (e.g. anybody see any weaknesses in
    Wesley> #1-#3 that *aren't* present in the typical meet, check ID,
    Wesley> get GPG fingerprint, assuming #4 is always used
    Wesley> afterwards?)

Can I please ask the blindingly obvious question that is so obvious
nobody has asked?

What is the point of keysigning? 

What are we setting out to achieve?

Ok, so I get my key signed, using what I believe to be the standard

1. I claim to be "Brian May". I have a passport that proves that I am
   in fact "Brian May". I have a drivers license that proves that I am
   "Brian May". The photos are identical to what I look like. Assume
   none of these are forged. I suspect many people would not be able
   to tell a forgery, even if it technically is illegal. Often the
   photo looks nothing like the person (due to shave, glasses, hair
   style, etc). In this case though, I am very convincing that I am
   Brian May. People who know me and see me can also confirm this.

2. I claim key-id 00530C24 with fingerprint 9918 7E12 ABAF 54EA 9C9E
   27A5 B828 A71C 0053 0C24 is mine. In fact, numerous people have
   already signed this key for me.

3. You obtain a copy of my key with the following UIDs, and sign all
   of them:

   Brian May <brian@snoopy.apana.org.au>
   Brian May <brian@microcomaustralia.com.au>
   Brian May <brian@debian.org>
   Brian May <brian@ivt.com.au>
   Brian May <brian@sws.net.au>

   (note: assume for this keysigning I deleted my old UIDs and added
   several new ones that I should have added several years ago).

4. Either:

   a) You send a copy of my key, to me, to the first address[1].

   b) You send a copy of my key, encrypted using my key, to the first
      address. Do this if I you know I want to keep my public key
      private[2]. Or do this if the key signing session was a "smaller

   c) You upload to a key server. Do this only if you know I want the
      public key to become public[2], or if keysigning wasn't a
      "smaller group"[3]. Or just do this anyway[4].

   I have heard various reasons why each alternative is better then
   the other alternatives. Read the references.

Is this process "correct"? Or did something go seriously wrong here?
If it was correct, why was it correct? If it was wrong, why was it
wrong? Assume this key isn't already in the Debian keyring (it is),
but I am an existing Debian Developer. If you were the Debian
administrators, would you have any problems adding this key to the
Debian keyring?  What if I only supplied my Debian UID, and my public
key was otherwise private?

So after having my key signed, I get my name legally changed to "John
Doe". As such, I get my passport, etc, reissued under "John Doe". Does
this suddenly mean my key is invalid? If so why? What if my email
address of brian@snoopy.apana.org.au was still valid? Would it be OK
to sign a UID for "John Doe" if the UID was "Brian May
<brian@snoopy.apana.org.au>" or "John Doe
<brian@snoopy.apana.org.au>", but I didn't have any proof of ever
being "Brian May"?  Why/Why not?

What if my past email address was something cryptic, like
xyz12432@snoopy.apana.org.au, how would you know if this was suppose
to belong to "Brian May" or "John Doe"?

What if I got my name legally changed to "Branden Robinson"? Shouldn't
I be able to get my key signed? Just because my name happens to be the
same as some other person on this planet... Or would it be better if I
invented an alias? Then my key ID wouldn't match my legal ID.

What if everyone knows me by an alias, but I haven't/don't want to
change my legal name? "Rusty Russell" is one well known example. If my
key uses my real name, people may not realize it is me.

I can't help but wonder if we have become to obsessed with signing a
key to a particular name, that we have lost track of what we are
trying to achieve. Just because the name matches (or is almost
identical) does not mean it is the same person. Even if this key has
hundreds of trusted signatures and the name is identical, it still
doesn't mean it must be the same person.

You could improve security if you do the tedious task of sending an
email to every address, using a password decided on at the
meeting[3]. This is step is considered "optional".  However [3]
doesn't give the full details for this to be secure, either. You would

* ensure nobody else sees the shared password. The password for every
  person should be different. Writing it down could be unsafe, but not
  writing it down could lead to memory loss.

* to test every email address you are going to sign.

* to send a "cookie" that is different for every email address.

* receive a response for every email address and check that both the
  cookie and passwords match.

Otherwise, I could send an email back to you (with a modified From:
header) that appears to be a response to the email you sent me, when
in actual fact I never received it, or only received it from one of
the email addresses.

Even with this check, just because I was the person present to do the
authentication checks, and just because I can intercept mail to a
given email address, and just because I have the corresponding private
key, doesn't mean that email address really is mine.  If I was a
Debian system administrator, imagine how many *@debian.org email
addresses I could intercept? (Note: this does not imply I have
anything less then 100% trust in the Debian administrators).

With large key signing groups, the chances of somebody detecting
something wrong increases, but not all key signing is done in large

Disclaimer: if you believed everything I wrote in this email as truth,
then you demonstrated why there are serious problems in the current
methods commonly used in key signing.

References (obtained using google search for "key signing howto")

[1] http://www.debian.org/events/keysigning
[2] http://www.cryptnet.net/fdp/crypto/gpg-party.html
[3] http://www.unix-ag.uni-kl.de/~conrad/krypto/keysign.html
[4] http://wiki.openskills.net/OpenSkills/GPG+Key+Signing
[...] heaps of others
Brian May <bam@debian.org>

Reply to: