
Re: [Debconf-discuss] Please revoke your signatures from Martin Kraff's keys


        I think the core issue here is whether we deem presenting purchased
 identification at an event designed to extend the web of trust
 acceptable behaviour.

        I check photographs, name, age, and expiry dates on ID
 presented. I did not include document verification in that checklist,
 since it is something I do not think we can do, in about a minute or
 less, with no instruments.  I have some sample ID that purports to be
 for Donald Duck -- with a human picture.

On 25 May 2006, Mike Hommey told this:

> On Thu, May 25, 2006 at 04:16:24PM -0500, Manoj Srivastava <srivasta@acm.org> wrote:
>> The KSP was cracked. People signed a key without ever looking
>> at proper, official ID. You can try and save face by calling it
>> whatever you want, but that does not change the reality.
> Manoj, how do *you* ensure the ID that someone presents you is a
> proper, official ID ?
> Actually, the whole thing is that if you want to subvert the key
> signing process, you can do it pretty easily. A lot of people buy
> fake passports or IDs for whatever reasons; subverting a KSP is
> just a new kind of reason.
        This is the crux of the issue.  I have always maintained that
 it is possible to fool me; but I assumed that I moved in circles
 where presenting purchased identification papers was a phenomenon that
 did not occur.  If presentation of purchased IDs is acceptable, then
 the only way of being sure about official papers is to only sign
 keys of people who have papers that I can recognize as being
 official -- which means, for me, Indian and US passports. And even
 then, I am sure the forgeries are beyond my ability to recognize.

On 25 May 2006, Steve Langasek said:

> He is acknowledging testing people in real-world conditions to
> determine whether they have acceptably strict standards for ID
> checking.

        By presenting purchased IDs in lieu of official ones. Sounds
 exactly like the kind of rationale crackers present -- testing real
 world deployments of machines for the people's own good.

> Accusing him of duping people, of being a braggart for publishing
> the results of this experiment, and of acting in bad faith
> discourages people from testing the quality of conventional
> keysigning practices in the future.  Shouldn't we as a community
> *want* to know about problems with the strength of people's ID
> checking, *before* someone smuggles a fraudulent identity into our
> ranks?

        If I come to you with purchased IDs, are you so sure you
 can tell a fake ID from a real one?

        Anyone can, thanks to the powers of the internet, find
 artisans that can, probably illegally, give you very official-looking
 documents that are impossible for a layperson to tell apart.

> Where is the indignant outrage towards those 9 out of 10 keysigners
> who apparently had no objection to signing a key based on a
> trumped-up ID card with no legal validity?  If you really care about
> the strength of our web of trust, *they* are who should be named and
> shamed here.

        Are you arguing that this would be a real-world test to see if you
 can spot forged IDs, and laudable?  If so, when you come up to TN
 for the food conf, we'll have a wager. It is possible to fool _anyone_
 with high enough quality purchased IDs. And from all reports, the ID
 looked pretty darned official.

> Of *course* this was done under the laxest possible keysigning
> circumstances.  Pre-announcing that someone at the keysigning party
> will be showing non-government ID is like warning students of locker
> inspections a week in advance -- you might get a warm fuzzy that all
> the school's library books are turned in, but you're not going to
> catch any drug dealers that way...

        I think that friends at my work can produce documents that
 none of you can detect.  I still think that purchasing identification
 from non-official channels goes beyond the pale, but I appear to be
 in the minority. I'll just institute far harder key signing rules
 when it comes to Debian people, since what is commonly accepted to be
 nefarious behaviour in security circles does not seem to be the case
 in Debian.

> Any injury done to the people at the KSP they have done to
> themselves.  It's more analogous to standing next to an icy walkway
> and studying how many of the old ladies on crutches walk out on
> their own and break their hips, vs.  how many ask for his assistance
> across.  You might think it cruel, but I don't see any justification
> for calling it malicious.

        I see. I hereby challenge you to detect the fake, official-looking
 documents I'll present to you (just ignore the word "sample" emblazoned
 across them, since I got them from work), the next time you are in TN.

> If you consider it a foregone conclusion that people at KSPs,
> including DDs, will exercise poor keysigning practices, why attend
> the KSP?
>
> I attend KSPs because I'm comfortable that *I* am still
> checking IDs and fingerprints properly for all keys I sign, in spite
> of the circumstances.

        These are not poor keysigning techniques, unless you accept
 that all ID document verification techniques rely on a gentleman's
 agreement about not presenting purchased IDs. As I said, I can show
 you sample identification, and I challenge you to tell me why my name
 is not Donald Duck.

On 26 May 2006, David Moreno Garza uttered the following:

> I brought my Mexican passport to the KSP since I don't want to
> explain to everybody what my Mexican voting card is (and I didn't
> want people to doubt it, as I did to locals in Porto Alegre and
> Helsinki). Bringing my passport issued by the Mexican government,
> sealed by some of the countries I have visited; bringing my US
> tourist visa, issued by the American government; having my Mexican
> voting card (which is official in MX); and any other non-official ID
> I could carry (driver's license, university card, work ID, etc.) are
> documents I thought it would be great to have so nobody could doubt
> that I am the person I am saying I am :-) Because of this, I always
> requested passports to check everybody's identity. I'm a bit
> upset also because some people think I should already know some
> documents.

        Now that presenting purchased identification that looks
 official is in play, I am not sure if passports can be trusted. I
 have, for example, no idea what a passport from Cameroon looks like --
 so really, I can only sign keys from people presenting Indian or
 US passports, and having driver's licenses from MA, AL, or TN.

        Unless, of course, presenting purchased IDs were frowned
 upon, and a gentleman's agreement existed in Debian to not try to fool
 the potential signer, which appears not to be feasible, given the
 responses to my concerns.

        Since presenting IDs that one has purchased is apparently OK,
 this effectively shuts down any key signing between people who are
 strangers, or come from different countries.

On 26 May 2006, Josselin Mouette stated:
> But should I revoke signatures from developers who showed me a US
> driver license, a piece of plastic I could fake with my inkjet
> printer?

        Do you really have an alternate course you can take, since now
 we admit that presenting such IDs is OK, and the person perhaps has
 not yet completed their study and published the hoax? (only half ;)

With all the fancy scientists in the world, why can't they just once
build a nuclear balm?
Manoj Srivastava   <srivasta@acm.org>  <http://www.datasync.com/%7Esrivasta/>
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C
