Re: [Debconf-discuss] list of valid documents for KSPs

[Manoj Srivastava <srivasta@debian.org>]

On 30 May 2006, Theodore Tso stated:

> On Tue, May 30, 2006 at 07:49:34AM -0500, Manoj Srivastava wrote:
>>> What Martin Krafft showed you was,
>>
>> How do I know that person actually was  Martin Krafft?
>
> So if you have no idea whether or not someone was Martin Krafft, how
> can you ask everyone to revoke all signatures for Martin Krafft as
> you did earlier.  That is really unreasonable.

        The person who I thought was Marting has apparently revealed
 that the identity documents that were preseted to the key signing
 party participants were ones that did not come out of a trusted
 process.  Typically, the identity papers are produced by official
 bodies, like governments, that have international treaties in place
 to assure a minimal conformance of identity checks.

        Given that, it is entirely reasonable to ask for signatures to
 be revoked,  since this was not the first time such an "experiment"
 has apparently been conducted.

> Does that mean that if someone shows up at an future keysigning
> party at OLS, for example, with an Transational Republic ID which
> has the name "Manoj Srivastava", that everyone would be therefore be
> entitled to demand on debian-devel that all signatures for "Manoj
> Srivastava" should now be revoked?

        I would think that if an imposter was running around, and if
 people were no longer sure that such an imposter twas the one whose
 ID they had based their signatures on, HELL YES!!!

> After all, we have no idea if anyone who might or might not have
> been "Manoj Srivastava" might or might not have produced an
> identification documents that may or may not have been false.  We
> don't know!

        Then please do revoke your signature on a key that purports to
 be mine.


> Do you see how rediculous this is?  How irrational you are being?

        I think you are the one being irrational talking about a "web
 of trust" and blithely signing keys for people who conduct "tests" to
 see how weak processes of "trust" are.

        If I, or someone posing as me, has ever done anything to
 damage trust in my identity, REVOKE YOUR SIGNATURES FROM MY KEY.


        Is that plain enough for you? 
> Had Martin never mentioned this, it would have been a non-issue.
> There is no real damage. While signatures may have been based on a
> non-offical ID, Martin did indeed own the key in question, so the
> end harm is zero. But Martin decided to publish this experiment

        Err, while you so assert, and perhaps you have inside
 information that enables you to make that statement, I have no such
 recourse.  How do I know someone called Martin does own that key,
 except by hearsay?

> So, if KSPs are not changed, then the Web of trust becomes
> effectively worthless.  Manoj should be far more concerned about
> that, then about Martin's demonstration of this.

        Well, KSP's in Debian are essentially dead, as far as I am
 concerned, since the community has not come to an agreement that
 bringing Bubba's passports is an unacceptable action.  Everyone is
 actring the ostrich, claiming that the burden lies on the
 verification process of the signer, despite the fact that it is
 essentially impossible to detect the forgery without specialized
 equipment and  access to government data files.

        Since we have rejected a social workaround of deprecating
 Bubba's passports (like, you know, in other unpublished "tests"), I
 fail to see how one can actually sign a key in the community.  I
 can't tell Bubba's ID's from the official ones.

On 30 May 2006, Joe Smith told this:

> Let me try to spell it out another way.  Either the entity at the
> the KSP who was allegedly Martin Krafft was indeed Martin Krafft, or
> he was not.  It must be one or the other; you seem to be arguing
> things both ways, and you don't get to do that.

        Sigh.  Your logic is flawed.  I met someone who claimed to be
 Martin. I find that there is now doubt about the papers presented by
 such an individual. A person who owns that key claims to have
 presented papers of uncertain provenance. If you think this has
 nothing to do with the validity of the process of signing that key,
 especially  since my memory of the actual checking process is
 unclear, and that many people bought into that identity papers, I
 certainly am ginna lower the trust I place in your ability to
 determine how the web of trust is extended.

On 30 May 2006, Henning Makholm stated:

> Scripsit Manoj Srivastava <srivasta@debian.org>
>
>> Nothing that a general software developer can do to check an ID is
>> proof against a determined individual, we all assume that there is
>> a gentleman's agreement in place that such an attack is not
>> mounted.
>
> If you _really_ believed that you could depend on people keeping any
> gentleman's agreement, the whole charade of holding a KSP would be
> completely pointless.

        If you think that you can check an ID if there are no
 expectations of good faith, then you are sticking your head in the
 sand, and ignoring the fact that false identification papers, made
 from official blank passports, are readily available, in all parts of
 the world (despite what Ron Johnson said out of sheer ignorance). 
>
> The only reason to hold a KSP is that one _does not_ believe that
> people are capable of keeping gentlemen's agreements.
>
        Then you might as well sign every key on the key servers --
 since for a couple of hundred dollars anyone can present you with any
 ID.

> A security mechanism that only works in the non-presense of
> fraudsters is no security mechanism at all.
> A KSP that depends on there being any pre-existing trust to abuse is
> *completely worthless* as a KSP whether or not that trust is abused
> or not.
>
        You just dismissed signing PKA keys by individuals.  There is
 no way that an individual with access to official records can
 determine if a particular passport is a "test" passport or not.

On 30 May 2006, Steve Langasek said:

> On Tue, May 30, 2006 at 06:28:32AM -0500, Manoj Srivastava wrote:
>> Nothing that a general software developer can do to check an ID is
>> proof against a determined individual, we all assume that there is
>> a gentleman's agreement in place that such an attack is not
>> mounted.
>
> I assume no such thing.  I maintain a healthy degree of skepticism
> regarding the true motives and identities of everyone, including
> those whose keys I've signed.  It just doesn't interfere with my
> ability to work with people in advancement of Debian's goals,
> because I recognize that statistically it can't *matter*: assuming
> the worst about people is no better than assuming the best, because
> it basically requires throwing away all collaboration in a project
> like this in spite of the fact that in over 10 years of Debian's
> existence 

        In other words, in 10 years of Debian's existence, no one has
 violated the trust, so now you expect people not to bring in
 passports from Bubba.  I agree. We have 10  years of history of
 people not violating the gentlemen's agreement that we are aware of.

> In other better words, Bubba is known to sell forgeries, but the
> Transnational Republic is not known to sell them.

        You might have a trust path to such information. I am pretty
 sure I do not.  I see little difference between Bubba's Transnational
 Republic ID's and Transnational Republic's ID's that say
 Transnational Republic, given the knowledge I currently possess.

        manoj

-- 
Isn't air travel wonderful?  Breakfast in London, dinner in New York,
luggage in Brazil.
Manoj Srivastava   <srivasta@debian.org>  <http://www.debian.org/%7Esrivasta/>
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C