On Thu, May 25, 2006 at 02:12:25PM -0500, Manoj Srivastava wrote:
> On 25 May 2006, Stephen Frost spake thusly:
> >>> pffft. This is taking it to an extreme. He wasn't trying to fake
> >>> who he was, it just wasn't an ID issued by a generally recognized
> >>> government (or perhaps not a government at all, but whatever).
> >> If you think an ID from a place that issues you any ID when you
> >> pay for it is valid, I probably will not trust a key signed by you,
> >> and I would also suggest other people do not.
> > I wasn't making any claim as to the general validity of IDs which
> > are purchased and I'm rather annoyed that you attempted to
> > extrapolate it out to such. What I said is that he wasn't trying to
> > fake who he was, as the information (according to his blog anyway,
> > which he might be lying on but I tend to doubt it) on the ID was,
> > in fact, accurate.
> He has already bragged about how he cracked the KSP by
> presenting an unofficial ID which he bought -- an action designed to
> show the weakness of signing parties. So, this was a bad faith act,
> since the action was not to show a valid, official ID to extend the
> web of trust, but to see how many people could be duped into signing
> his key.

> Given that he acknowledges trying to dupe people, why do
> you think he is not lying about the contents of the ID?

He is acknowledging testing people in real-world conditions to determine whether they have acceptably strict standards for ID checking. Accusing him of duping people, of being a braggart for publishing the results of this experiment, and of acting in bad faith discourages people from testing the quality of conventional keysigning practices in the future. Shouldn't we as a community *want* to know about problems with the strength of people's ID checking, *before* someone smuggles a fraudulent identity into our ranks?
Where is the indignant outrage towards those 9 out of 10 keysigners who apparently had no objection to signing a key based on a trumped-up ID card with no legal validity? If you really care about the strength of our web of trust, *they* are who should be named and shamed here.

Of *course* this was done under the laxest possible keysigning circumstances. Pre-announcing that someone at the keysigning party will be showing non-government ID is like warning students of locker inspections a week in advance -- you might get a warm fuzzy that all the school's library books are turned in, but you're not going to catch any drug dealers that way...

> > If you're upset about this because you had planned to sign it and
> > now feel 'duped' then I suggest you get past that emotional hurdle
> > and come back to reality.

> Rubbish. The reality I am concerned about is someone cracking
> the KSP and duping people into signing his key when they had been
> fooled into thinking they were looking at an unfamiliar official ID.

The whole reason we have an ID check in the first place as part of the standard keysigning practice is that we do *not* trust people to be who they say they are: if I'm doing what I'm supposed to as a key signer, then I'm not vulnerable to attacks based on trivially-falsified IDs. If I'm not doing what I'm supposed to, the only person I have reason to be mad at is myself. If I (or anyone else) can't be trusted to directly and personally verify the ID of the person whose key I'm (they're) signing, then my (their) keys add no value at all to the web of trust. It is better to have no signatures than to have weak signatures pretending to be worth something.

I applaud your personal decision to revoke signatures for this KSP based on your doubts regarding the efficacy of your own ID checks under these circumstances, but I don't think it's appropriate for you to accuse Martin of wrongdoing.
> Admittedly, in the world of cracking this is the equivalent of
> running off with the handbag of an old lady on crutches, which is why
> one speculates about where the next crack is headed for.

Any injury done to the people at the KSP they have done to themselves. It's more analogous to standing next to an icy walkway and studying how many of the old ladies on crutches walk out on their own and break their hips, vs. how many ask for his assistance across. You might think it cruel, but I don't see any justification for calling it malicious.

> He did dupe people --- into signing based on an unofficial
> document which can be purchased at will. And it is obvious that
> large KSPs have tired people, doing a repetitive task, and have a
> lot of people unfamiliar with key signing. The conclusion was
> foregone -- rarely do people have scientific studies belabouring the
> obvious.

If you consider it a foregone conclusion that people at KSPs, including DDs, will exercise poor keysigning practices, why attend the KSP? I attend KSPs because I'm comfortable that *I* am still checking IDs and fingerprints properly for all keys I sign, in spite of the circumstances. But if the KSP size and/or protocol is encouraging poor keysigning practices on the part of others, then I think we should abolish such KSPs from future Debian events, instead of criticizing people who've shown up their flawed nature.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/