Re: [Debconf-discuss] list of valid documents for KSPs

On 30 May 2006, Wouter Verhelst spake thusly:

> On Tue, May 30, 2006 at 06:28:32AM -0500, Manoj Srivastava wrote:
>> On 28 May 2006, Thomas Bushnell stated:
>>> Perhaps my just-posted message has too many words to see my point.
>>> In the paragraph above, marked >>>, which was written by you, you
>>> speak of deception and forgery.  Nothing in the reports of the
>>> recent incident involving Martin suggests any deception and
>>> forgery.  What about this incident makes you think that any kind
>>> of deception or forgery was going on?
>> I really think either you are deliberately being obtuse, or
>> nothing I can say will get this through to you.  I fail to see how
>> one can assert that there was no forgery going on -- do you
>> automatically assume that if a shiny laminated document with some
>> random issuing authority listed on it is not forged?
> What Martin Krafft showed you was,

        How do I know that person actually was Martin Krafft?

> according to what he claimed,

        If I claim to be president George Clooney, and show you a
 document that proves I am such, and I earnestly claim it was not
 forged, but Bubba looked at all kinds of documentation that says I am
 such a person, you would proclaim from the roof tops that no forgery

        My goodness me.

> a document that was made by the Transnational Republic. If he had
> changed some things on that document, then it would have been a
> forgery; however, he claims he has not, which would imply that it is
> not, in fact, a forgery.

        Riiight. And I am Angelina Jolie.

        You know, I give up.  Apparently there is no way I can convey
 the concept of trusted paths and trusted processes to the people so
 passionately arguing with me, and this is getting tedious.

        I'll just have to accept that concepts of security and bad
 faith in this community are hard to get across.

        As a final note: Look for motivation. Presenting documents
 from an untrusted source to trick the unwary into signing to show how
 weak the ID checks are is still a trick.

        All I have heard people say is that my processes should be
 resistant to evil-doers trying to trick me.

        Very true.

        I say people who try to trick me into signing a key based on
 an untrusted process of identity verification are evil doers.

A boss with no humor is like a job that's no fun.
Manoj Srivastava   <srivasta@debian.org>  <http://www.debian.org/%7Esrivasta/>
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C
