
Re: [Debconf-discuss] list of valid documents for KSPs



On Sun, May 28, 2006 at 11:12:16PM -0500, Manoj Srivastava wrote:
>         So, once someone acts in bad faith, I can't trust anything
>  else they say: How do I know it is not a hoax within a hoax to see
>  how gullible people are, to accept that the papers presented were not
>  faked, or outright forgeries?

Yes, that's a good question: how can you be sure where the truth lies?

Answer: you can't. There is no way to be 100% sure. You have to make a
reasonable guess at whether or not something is correct, but it'll end
about there. Everything beyond a guess will eventually come to that same
conclusion that it is impossible to be 100% sure (as we see right here).
The worst this will ever do to you is that you will try to be more
careful the next time. If this happens too often, you'll end up mad,
because your efforts will be fruitless. That way lies paranoia.

The point being that you should not start screaming hell and murder
because someone used an ID card that fails your standards. It simply
does not work that way; and, frankly, I would suggest that that is also
not what matters. When you sign someone's key, what you're saying is not
"I know for a fact that this person is who he claims to be"; you're
really saying "This person has convinced me that he is who he claims to
be".

The fact of the matter is, there are some people whose key I would sign
without even looking at their ID card, since I know who they are and
don't need to verify that by looking at their ID card. I know who my
brother is. I know my best friend's name and address. I have signed
0x2C4928A0 and 0x210E0785 without ever having seen
these people's ID cards, simply because I have known them for years, and
requiring them to show government-issued ID would have been silly. Apart
from that, there are even cases where government-issued ID isn't the
best you can get; I have heard that in some country (I believe it was
Sweden, but I might be mistaken), banks are so careful in handing out ID
cards that they are considered more secure than government-issued ID
cards; in fact, in this country it is possible (and common) to prove
your ID to the government by showing a bank-issued ID card.

When I check someone's ID card for PGP checking, I do not verify whether
the card has expired. I do not verify whether the ID card was issued by
a government.  I will verify whether or not it is something that can be
easily faked (and will refuse to sign if I believe it is), and whether
it matches the name of the person. I will have a close look at the
picture, comparing it to the person in question, and sometimes ask
personal questions about people's names (why they were given this name,
or perhaps things I remember which a person of that name did) because
that is far more effective in assessing whether someone is who he or she
claims to be than having a look at an ID card, whether government-issued
or not.

Manoj, I have seen you doing your SELinux-related talk through the
DebConf webcast, and I now know what you look like. If we were to meet
in person some time from now, and you were to verify that yes,
0xBF24424C is your key and that yes, you are Manoj Srivastava, and there
were other people there who would call you by your name, then I would be
convinced that you are who you claim to be. If you asked me at that
point, I would not oppose signing your key. I would still prefer seeing
your ID card if possible, but I would not see this as an absolute
requirement; because I would be far more convinced that you are indeed
Manoj Srivastava just by being around you than by seeing any ID card,
government-issued or not.

Because those can be forged. People's memories cannot be.

To get back to your claim where you say that Martin Krafft is a fraud
who was gaming the system, I would say that you are way off base. He
showed everyone at the KSP some ID which did contain his name as he
really is called. You have had the opportunity to see him in the days
before the KSP and to hear him being called by his name. If he had
actually been a fraud, chances are pretty high that you would already
have known by the beginning of the KSP.

Thus, I don't think you have any reason to believe that Martin is not
who he claims to be. And for OpenPGP keys, that really is all that
matters.

-- 
Fun will now commence
  -- Seven Of Nine, "Ashes to Ashes", stardate 53679.4
