[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [Debconf-discuss] Re: Please revoke your signatures from Martin Kraff's keys

On Thu, 2006-05-25 at 16:16 -0500, Manoj Srivastava wrote:
> On 25 May 2006, Stephen Frost spake thusly:
> > * Manoj Srivastava (srivasta@acm.org) wrote:
> >> On 25 May 2006, Stephen Frost spake thusly:
> >>> I wasn't making any claim as to the general validity of IDs which
> >>> are purchased and I'm rather annoyed that you attempted to
> >>> extrapolate it out to such.  What I said is that he wasn't trying
> >>> to fake who he was, as the information (according to his blog
> >>> anyway, which he might be lieing on but I tend to doubt it) on the
> >>> ID was, in fact, accurate.
> >>
> >> He has already bragged about how he cracked the KSP by presenting
> >> an unofficial ID which he bought -- an action designed to show the
> >> weakness of signing parties. So, this was a bad faith act, since
> >> the action was not to show an valid, official ID to extend the web
> >> of trust, but to see how many people could be duped into signing
> >> his key.
> >
> > Pffft.  Again, I call foul.  That was as much 'bragging' as any
> > scientist reporting on a study.  It *wasn't* done in bad faith, as
> > the information on the ID (now independtly confirmed even) *was*
> > accurate.
>         Cracking is not a scientific study.

cracking may not be, but determining the average number of people who
spot an unofficial id could be construed to be.

> >> Given that he is acknowledges trying to dupe people, why do
> >> you think he is not lying about the contents of the ID?
> >
> > He didn't try to dupe people and this claim is getting rather old.
>         He did dupe people --- into signing based on an unofficial
>  document which can be purchased at will.  And it is obvious that
>  large KSP's have tired people, doing a repititive task, and have a
>  lot of people unfamiliar with key signing. The conclusion was
>  foregon -- rartely do people have scientific studies belabouring the
>  obvious.

again, the question (i believe) has to be: what is obvious? it seems,
manoj, you are basing a large part of your argument on the fact that ksp
are inheritly insecure. but people are constantly testing the obvious
things. can they be "proved" to be insecure?

> > Duping people would have actually been putting false information on
> > the ID and generating a fake key and trying to get someone to sign
> > off on the fake key based on completely false information.  The
> > contents of the ID were accurate, as was his key, there was no
>         I, for one, have no way of knowing if that was not the case.
> > duping or lying.  Whineing that he showed a non-government ID at a
> > KSP and saying that's "duping" someone is more than a bit of a
> > stretch, after all, I've got IDs issued by my company, my
> > university, my state, my federal gov't, etc.  Would I be 'duping'
> > people if I showed them my company ID?  What about my university ID?
> > Would it have garnered this reaction?  I doubt it.
>         The directive at the KSP was that you showed people an
>  official pho ID -- a passport if you had one,  or whatever you had
>  available if you were local.  Putting in a purchased card (I know
>  there are several places around that create official looking docments
>  in exchange for money is subvering the KSP).
> >>> If you're upset about this because you had planned to sign it and
> >>> now feel 'duped' then I suggest you get past that emotional hurdle
> >>> and come back to reality.
> >>
> >> Rubbish. The reality I am concerned about is someone cracking the
> >> KSP and duping people into signing his hey when they had been
> >> fooled into thinking they were looking at an unfamiliar official
> >> ID.
> >
> > The reality is that you're turning this into something much, much
> > larger than it actually is.
>         I can't help it if you think presenting unofficial ID at a
>  debian KSP does not amount to much.  I tend not to dismiss gaming web
>  of trust issues dismissively.
> > If you're actually concerned about someone cracking the KSP then
> > what you *should* be doing is attempting to educate people on the
> > dangers of KSPs in general, not going after someone who happened to
> > point out that not everyone checks IDs very carefully (an
> > unsuprising reality but one which now has a good measure of proof
> > behind it to base change upon).
>         Heh. I guess we need to have proof of the unsurprising fact
>  that people bleed when pierced with 6 inches of sharp steel too?
>  Would that be "just a scientific study" to you? 
>         Either the KSP was subverted, i which case we have something
>  to educate people about, or 
> > 'Cracking' the KSP, such as one could, would be coming up with a
> > fake identity entirely and trying to get people to sign off on it.
>         How do you know that is not what happened?
> > Even that isn't actually all that *dangerous* until someone grants
> > some privilege based on that signature.
>         The Next time that key signs a NM candidates key, and that sig
>  is used to get someone into Debian, privileges would have been
>  granted from a tainted signature.
> > That *isn't* what happened here,
>         No? You can prove that?

there are countless things that cannot be proved. rsa crypto cannot be
"proved" to be a good crypto, it just appears to be. many things we rely
upon have no proof of being "good", or "right", or what we expect them
to provide, we just accept them as they are; and with that we accept the
risk of not knowing (for 100%) that things are as we expect them to be. 

> > and, indeed, being rather well known (it seems) there would have
> > made it more difficult for him to pull off than, say, someone off
> > the street.
>         Well known to whom?  I, for one, did not know very many people
>  at the conference, and large chunks of people were in my shoes.
>  Also, people who did know the perp were unlikely to look closely at
>  the fake documents being brandished.

martin is supposed to accept (or know) the fact that ksp are insecure.
(though they cant be *proved* to be)

and you are unwilling to accept some account of what happened at the ksp
because it cant be *proved*.

this is an issue.

Matt Zagrabelny - mzagrabe@d.umn.edu - (218) 726 8844
University of Minnesota Duluth
Information Technology Systems & Services
PGP key 1024D/84E22DA2 2005-11-07
Fingerprint: 78F9 18B3 EF58 56F5 FC85  C5CA 53E7 887F 84E2 2DA2

He is not a fool who gives up what he cannot keep to gain what he cannot
-Jim Elliot

Attachment: signature.asc
Description: This is a digitally signed message part

Reply to: