
Re: Please revoke your signatures from Martin Kraff's keys

On Sat, May 27, 2006 at 10:19:57AM -0700, Thomas Bushnell BSG wrote:
> Paul Johnson <baloo@ursine.ca> writes:

> > I would be more inclined to do that to the people who signed his key
> > based on the Transnational Republic ID.  

> So, who are those people?  Is Manoj one of them?

It seems that I am one of them.  After the fact, I do have a vague
recollection of being presented an ID of unusual issuance, which may or may
not have been Martin's; and I am told I did not ask for a second ID as I
should have.  Clearly, there is serious doubt that my ID checking standards
that day were what they should have been, whether due to fatigue, or a
feeling of being rushed due to the format, or other factors.  I am grateful
to Martin for bringing this to my attention, though I suppose others won't
feel the same way given that it's my intention now to revoke all signatures
I issued based on that KSP barring exceptional cases in which I can
explicitly recall enough details of the signee's ID to confirm that I have
checked it correctly.

I am not asserting that I should be able to detect any and all forgeries of
official IDs; that's definitely beyond my mortal means.  But I should not be
accepting forms of ID that I can't actually *recognize*, and for forms that
I *do* recognize, there are almost universally legal penalties for forging
such documents.  There is no law against private-issue IDs with a person's
name and picture on them, which means that if I allow myself to sign a key
based on such ID, the cost to a potential attacker to get into the web of
trust -- even the Debian web of trust, not the global web of trust in
general -- is way too low, way lower than the cost that any of us should be
able to enforce if we prioritize security over keyrankings the way we ought

Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/
