On Sun, May 28, 2006 at 11:12:16PM -0500, Manoj Srivastava wrote:
> So, once someone acts in bad faith, I can't trust anything
> else they say: How do I know it is not a hoax within a hoax to see
> how gullible people are, to accept that the papers presented were not
> faked, or outright forgeries?

Yes, that's a good question: how can you be sure where the truth lies?

Answer: you can't. There is no way to be 100% sure. You have to make a reasonable guess at whether or not something is correct, but it'll end about there. Everything beyond a guess will eventually come to that same conclusion: that it is impossible to be 100% sure (as we see right here). The worst this will ever do to you is that you will try to be more careful the next time. If this happens too often, you'll end up mad, because your efforts will be fruitless. That way lies paranoia.

The point being that you should not start screaming hell and murder because someone used an ID card that fails your standards. It simply does not work that way; and, frankly, I would suggest that that is also not what matters. When you sign someone's key, what you're saying is not "I know for a fact that this person is who he claims to be"; you're really saying "This person has convinced me that he is who he claims to be".

The fact of the matter is, there are some people whose key I would sign without even looking at their ID card, since I know who they are and don't need to verify that by looking at their ID card. I know who my brother is. I know what the name and address of my best friend are. I have signed 0x2C4928A0 and 0x210E0785 without ever having seen these people's ID cards, simply because I have known them for years, and requiring them to show government-issued ID would have been silly.
Apart from that, there are even cases where government-issued ID isn't the best you can get; I have heard that in some country (I believe it was Sweden, but I might be mistaken), banks are so careful in handing out ID cards that they are considered more secure than government-issued ID cards; in fact, in this country it is possible (and common) to prove your ID to the government by showing a bank-issued ID card.

When I check someone's ID card for PGP checking, I do not verify whether the card has expired. I do not verify whether the ID card was issued by a government. I will verify whether or not it is something that can be easily faked (and will refuse to sign if I believe it is), and whether it matches the name of the person. I will have a close look at the picture, comparing it to the person in question, and sometimes ask personal questions about people's names (why they were given this name, or perhaps things I remember which a person of that name did), because that is far more effective in assessing whether someone is who he or she claims to be than having a look at an ID card, whether government-issued or not.

Manoj, I have seen you doing your SELinux-related talk through the DebConf webcast, and I now know what you look like. If we were to meet in person some time from now, and you were to verify that yes, 0xBF24424C is your key and that yes, you are Manoj Srivastava, and there were other people there who would call you by your name, then I would be convinced that you are who you claim to be. If you were to ask me at that point, I would not oppose signing your key. I would still prefer seeing your ID card if possible, but I would not see this as an absolute requirement, because I would be far more convinced that you are indeed Manoj Srivastava just by being around you than by seeing any ID card, government-issued or not. Because those can be forged. People's memories cannot be.
To get back to your claim where you say that Martin Krafft is a fraud who was gaming the system, I would say that you are way off base. He showed everyone at the KSP some ID which did contain his name as he really is called. You have had the opportunity to see him in the days before the KSP and to hear him being called by his name. If he had actually been a fraud, chances are pretty high that you would already have known by the beginning of the KSP. Thus, I don't think you have any reason to believe that Martin is not who he claims to be. And for OpenPGP keys, that really is all that matters.

-- 
Fun will now commence
  -- Seven Of Nine, "Ashes to Ashes", stardate 53679.4
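The mail's central point, that a key signature records how convinced the signer was rather than a fact about the signee, is something OpenPGP makes explicit: each certification carries a level (generic, persona, casual or positive, RFC 4880 section 5.2.1). The following is an added example, not code from the mail or from any Debian tooling; it parses the machine-readable `gpg --with-colons --list-sigs` record layout and reports the level each signature claims. The sample records are constructed to follow that layout, with placeholder key IDs and user IDs.

```python
"""Report the certification level each signature on a key carries.

Added example, not part of the original mail. Parses the colon-separated
record format of `gpg --with-colons --list-sigs`; the sample below is
constructed (placeholder key IDs and names) to show that format's shape.
"""

# RFC 4880 section 5.2.1: certification signature types. In gpg's colon
# format they appear as the first two hex digits of the signature-class
# field, followed by 'x' (exportable) or 'l' (local, non-exportable).
CERT_LEVELS = {
    0x10: "generic (no statement about how identity was checked)",
    0x11: "persona (signer did not check identity at all)",
    0x12: "casual (some casual verification)",
    0x13: "positive (substantial verification, e.g. in person with ID)",
}

# Constructed sample: one key with three certifications of differing levels.
SAMPLE = """\
pub:u:4096:1:0000000000000001:1148860800::::::scESC::::::23::0:
uid:u::::1148860800::PLACEHOLDERHASH::Example User <user@example.invalid>::::::::::0:
sig:::1:0000000000000002:1148860800::::Met At KSP <ksp@example.invalid>:13x:::::::::
sig:::1:0000000000000003:1148860800::::Friend For Years <friend@example.invalid>:12x:::::::::
sig:::1:0000000000000004:1148860800::::Never Checked <nobody@example.invalid>:10l:::::::::
"""


def parse_sig_records(colon_output: str):
    """Return one dict per 'sig' record: who signed and what level they claimed.

    Field positions (0-based after splitting on ':'): 0 record type,
    4 signer key ID, 9 signer user ID, 10 signature class such as '13x'.
    """
    results = []
    for line in colon_output.splitlines():
        fields = line.split(":")
        if not fields or fields[0] != "sig":
            continue
        sig_class = fields[10]
        level = int(sig_class[:2], 16)
        results.append({
            "signer_keyid": fields[4],
            "signer_uid": fields[9],
            "level": level,
            "exportable": sig_class[2:] == "x",
            # Anything outside 0x10..0x13 (e.g. a 0x30 revocation) is not a
            # statement of identity verification at all.
            "meaning": CERT_LEVELS.get(level, "not a certification"),
        })
    return results


def strongest_claim(sigs):
    """Highest certification level any signer was willing to state, or None."""
    levels = [s["level"] for s in sigs if s["level"] in CERT_LEVELS]
    return max(levels) if levels else None


if __name__ == "__main__":
    sigs = parse_sig_records(SAMPLE)
    for s in sigs:
        scope = "exportable" if s["exportable"] else "local only"
        print(f"{s['signer_keyid']} {s['signer_uid']}: 0x{s['level']:02x} "
              f"{s['meaning']} [{scope}]")
    print("strongest claim on this key:", hex(strongest_claim(sigs)))
```

The point of reading the class field rather than just counting signatures is that a 0x10 generic certification and a 0x13 positive one are very different statements, and a local (non-exportable) signature never reaches a keyserver, so it tells nobody else anything. Verifying keys as the mail describes (long acquaintance, in-person recognition, ID as a supporting check) maps naturally onto choosing the level honestly at signing time.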