[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [Debconf-discuss] Re: Please revoke your signatures from Martin Kraff's keys

On 25 May 2006, Stephen Frost spake thusly:

> * Manoj Srivastava (srivasta@acm.org) wrote:
>> On 25 May 2006, Stephen Frost verbalised:
>>> * Manoj Srivastava (srivasta@debian.org) wrote:
>>>> Explanation? What we have here is an act of bad faith, in the
>>>> guise of demonstrating a weakness. In my experience, one act of
>>>> bad faith often leads to others.
>>> pffft.  This is taking it to an extreme.  He wasn't trying to fake
>>> who he was, it just wasn't an ID issued by a generally recognized
>>> government (or perhaps not a government at all, but whatever).
>> If you think an ID from a place that issue you any ID when you
>> pay for it is valid, I probably will not trust a key signed by you,
>> and I would also suggest other people do not.
> I wasn't making any claim as to the general validity of IDs which
> are purchased and I'm rather annoyed that you attempted to
> extrapolate it out to such.  What I said is that he wasn't trying to
> fake who he was, as the information (according to his blog anyway,
> which he might be lieing on but I tend to doubt it) on the ID was,
> in fact, accurate.

        He has already bragged about how he cracked the KSP by
 presenting an unofficial ID which he bought -- an action designed to
 show the weakness of signing parties. So, this was a bad faith act,
 since the action was not to show an valid, official ID to extend the
 web of trust, but to see how many people could be duped into signing
 his key.

        Given that he is acknowledges trying to dupe people, why do
 you think he is not lying about the contents of the ID?

> If you're upset about this because you had planned to sign it and
> now feel 'duped' then I suggest you get past that emotional hurdle
> and come back to reality.

        Rubbish. The reality I am concerned about is someone cracking
 the KSP and duping people into signing his hey when they had  been
 fooled into thinking they were looking at an unfamiliar official ID.

> No one 'crack'ed anything here (that we know of anyway) and while
> not signing his key because of this is reasonable, or even revoking
> a signature which had been based on this ID, the constant
> inflammatory claims of Martin being a 'cracker' and how this could
> lead to other 'cracks' is extreme, insulting, and childish.

        And I think your attitude is naive, optimistic, and
 dangerous.  This was a subversion of the KSP. Admittedly, KSP's are
 fragile, and people get tired, and glassy eyed from looking at too
 many unfamiliar official looking documents. It takes little social
 engineering to fool people into signing based on fake documents.

        Admittedly, in the world of cracking this is the equivalent of
 running off with the handbag of an old lady on crutches, which is why
 one speculates about where the next crack is headed for.


It is better to live rich than to die rich. Samuel Johnson
Manoj Srivastava   <srivasta@acm.org>  <http://www.datasync.com/%7Esrivasta/>
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C

Reply to: