Dear Manoj, dear fellow DDs,

I guess I could have known that this experiment of mine would turn into a huge thread, unfortunately extending across two mailing lists. Thus, it is surely in order for me to apologise for being the cause that your inboxes filled up.

I have said most of what I wanted to say in my blog entry [0], even though I could have articulated and backed up my arguments a bit better. I will try to do better this time, but it will be my only message to this thread, unless the subject of followups is changed and indicates an actually relevant topic (at which point in time it's a new thread...). Please note, however, that I am leaving Mexico tomorrow and will be away from my mail more or less until Monday.

0. http://blog.madduck.net/geek/2006.05.24-tr-id-at-keysigning

First of all, my name is Martin Felix Krafft (with a final 't'), and my GPG key ID is 0x330c4a75. The unofficial ID I presented listed that name (without the middle name), a photo is available from [1] (sorry, can't do better now). Thus, the ID card is an unofficial card, but the identity it claims is my real identity, not a fake one. To me, this is an important distinction in the context of this discussion.

1. http://madduck.net/~madduck/scratch/tr-id.jpg

Key numbers 1-102, as well as 123-140 got to see my unofficial ID (if they were present). Those who didn't accept the ID surely remember being shown an official one I had in my pocket.

I have indicated in my blog posting that GPG allows you to revoke signatures from keys, and I included that information exactly because I wanted to make it easier for people to undo the signing if they felt cheated. In any case, it should be the decision of each and every individual whether to revoke his/her signatures on my key. A public call as in this case is especially inappropriate IMHO, because no one can actually define the proper baseline for identity verification at keysigning parties.
For your information, to date, not a single signature has been revoked.

Before I respond to a few of the issues and questions raised in the thread, let me present my view of the problem. I would like to thank my travelling companions for helping me straighten it out.

The Debian project heavily relies on keysigning for much of its work. However, I think the question what the signing of a key actually accomplishes has not been properly addressed.

In my opinion, from the point of view of the Debian project, a person's actual identity (as in the name on your birth certificate) matters very little; the Debian project does not actively interfere with a person's real life in such a way as to require the birth certificate identity (legal cases, liability issues, etc.). Moreover, it's rather trivial in several countries of this world to change your official name. In this context, even the claim that in the case of a trust abuse, your reputation throughout the FLOSS community (and the rest of the Internet) should be properly tarnished, does not stand, IMHO.

From within the project, what matters is that everything you do within the project can be attributed to one and the same person: the same person that went through our NM process. The GPG key is one technical measure to allow for this form of identification. Its purpose is not, as Micah Anderson states, a means to confirm the validity of a government-issued ID.

This brings me to a point which Andreas Schuldei nicely stated at the beginning of the thread (as did others throughout):

> I do not need an ID to identify martin, so i dont need to rely on
> his (forged or real) passport or other id from him in order to
> sign his key. If you did not know him before you should not sign
> his key (if your judgement was based on the unofficial ID).

When Andreas signs my ID, he voices his trust in that I am who I claim to be, and he does so not because I presented him with an ID with the claimed name, but because we've interacted many times before. In that line, Gunnar's point stands:

> Maybe we should just drop holding KSPs, and fall back to the
> traditional method of "Hey, nice dinner we had yesterday. Say, now
> that you know me, my family and my history, would you like to sign
> my key as well?" - Signing for people you actually know, not just
> linking

In my eyes, this is exactly what a keysigning is and should be all about: a statement of familiarity with a person, nothing more and nothing less. And as a project, we should either accept that, or find a better way to identify our developers.

So what to do in this very situation? Should you revoke your signature from my key (or not even sign it in the first place)? Should you revoke or refuse signatures to all participants, because some claim the keysigning party to have been subverted?

I think the answer to both cases should be: no, unless you have not previously known the person whose key you wish to sign. That's exactly what makes this decision very subjective, and a public call such as the original post rather unnecessary and missing the point.

Now for a few of the issues and questions raised in this thread:

also sprach Manoj Srivastava <firstname.lastname@example.org> [2006.05.25.0236 -0500]:
> It has come to my attention that Martin Kraff used an
> unofficial, and easily forge-able, identity device at a large key
> signing party recently.

I do not think the ID I presented is easily forgeable. And it cannot be bought. It is issued by the ID issuing authority of the Transnational Republic, and it requires bureaucratic paperwork, including the verification of an official ID. You claim throughout your posts that this ID can be purchased at will.
I would appreciate if you'd try even just to get an ID in your name; I will cover all your expenses towards the Transnational Republic.

Part of the outcome of my experiment is that I want to draw people's attention to what an official and unforgeable ID really is. If you draw the line of standard too high, you should have to ask yourself the question whether an ID is forgeable every time you inspect one. And the question as to whether it is an official ID can only be answered if you know exactly what the respective nation's ID looks like *and* you trust the issuing authority. From the evidence I've seen so far, this would make it impossible for anyone with unreasonable standards to sign most any other key.

> Presenting essentially a fake ID is an act of bad faith that
> leads one to wonder how many of the other key signing parties he has
> attended did he present a false ID?

I have done this experiment twice before: at the 10th Debian anniversary in Zurich, as well as on the LinuxTag 2005 keysigning. I did not have a blog back then or else I would have published the results earlier, for I didn't know of another medium that I deemed appropriate. The outcome was more or less the same in all cases: only 10% noted the unofficial ID and inquired about it.

also sprach Manoj Srivastava <email@example.com> [2006.05.25.1616 -0500]:
> The Next time that key signs a NM candidates key, and that sig
> is used to get someone into Debian, privileges would have been
> granted from a tainted signature.

There are plenty of signatures by DDs who know exactly what kind of ID I can and should have on my key. No signature can taint a key that's already sufficiently connected.

also sprach Mike Hommey <firstname.lastname@example.org> [2006.05.25.1726 -0500]:
> Manoj, how do *you* ensure the ID that someone presents you is a proper,
> official ID ?

Or, given your admittedly favourable protocol of requiring two IDs, how do you ensure that both IDs are proper and official?

also sprach Steve Langasek <email@example.com> [2006.05.25.1831 -0500]:
> Where is the indignant outrage towards those 9 out of 10
> keysigners who apparently had no objection to signing a key based
> on a trumped-up ID card with no legal validity? If you really
> care about the strength of our web of trust, *they* are who should
> be named and shamed here.

Should they really? Shouldn't we rather, as a project, put keysigning into the light into which it belongs and start working from there? I don't think we can cure the human error here for good.

> The whole reason we have an ID check in the first place as part of
> the standard keysigning practice is that we do *not* trust people
> to be who they say they are: if I'm doing what I'm supposed to as
> a key signer, then I'm not vulnerable to attacks based on
> trivially-falsified IDs. If I'm not doing what I'm supposed to,
> the only person I have reason to be mad at is myself. If I (or
> anyone else) can't be trusted to directly and personally verify
> the ID of the person whose key I'm (they're) signing, then my
> (their) keys add no value at all to the web of trust. It is
> better to have no signatures than to have weak signatures
> pretending to be worth something.
>
> I applaud your personal decision to revoke signatures for this KSP
> based on your doubts regarding the efficacy of your own ID checks
> under these circumstances, but I don't think it's appropriate for
> you to accuse Martin of wrongdoing.

I could not have put this better. Thank you, Steve.

also sprach Agustin Martin <firstname.lastname@example.org> [2006.05.25.1845 -0500]:
> Martin, but in a more subtle (and dangerous) way. The only thing I can
> complain about Martin is for not putting shame on those that were to
> sign his key just before signing, so others learn.

I do not consider myself in the position to do so as I certainly want to put people on the spot. IMHO, it's not their fault, as others have argued.
A two hour marathon drains everyone's concentration, and pointing the finger at some won't do anything. Instead, we should work on making sure to find a protocol that protects the web of trust from human error.

I imagine an improved protocol for the keysigning, which is based on an idea I overheard after the party (and someone mentioned it in the thread): instead of the everyone-signs-everyone approach, it might be interesting to investigate forming groups (based on connectivity statistics) such that everyone's mean distance in the web of trust can be increased by a fair amount in a short amount of time. At the same time, such circles could be used for education by those with high connectivity (and thus much experience). The problem here is of course the somewhat unreliable attendance of people. Comments welcome.

also sprach Javier Fernández-Sanguino Peña <email@example.com> [2006.05.25.1300 -0500]:
> FWIW, I noted down those keys I would *not* sign and didn't tell
> the people at the KSP that I would not sign them. I guess his
> experiment "only one in ten said that they would *not* sign it" is
> moot unless he backs it up with the signatures he eventually got
> sent from those he showed a wrong ID to.

Out of curiosity, did you mark my key to be "questionable"?

The point you raise is a valid one. However, given how many people just don't sign keys after keysignings, the data would be skewed in the other direction.

I do not yet understand why some people do not confront those with questionable IDs. Maybe you can shine some light on that.

also sprach Manoj Srivastava <firstname.lastname@example.org> [2006.05.25.1146 -0500]:
> All this means is that his crack was well put together with
> credible looking fake ID's that would fool most people checking the
> ID's of all the other KSP participants. A clever social engineering
> crack, based on the volume of unfamiliar documents people had to
> check, and how tired they were.

For all that it's worth, I did not plan to conduct this experiment. I remembered in the middle of it and subsequently started it, explaining to those around me what I was doing.

also sprach Enrico Zini <email@example.com> [2006.05.25.1218 -0500]:
> However, from the book you don't get the address of madduck's
> home, which is what you want when you have to go and drag him to
> jail if he willingly uploads some malicious code.

Could you even drag me to jail for anything I do (or don't do) in Debian? Which jurisdiction would be used? Who'd be the prosecutor? What kind of legal claims would actually stand a chance?

Thanks for reading along!

Greetings from Mexico,

-- 
Please do not send copies of list mail to me; I read the list!

 .''`.     martin f. krafft <firstname.lastname@example.org>
: :'  :    proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system

i feel like i'm diagonally parked in a parallel universe.