Re: Please revoke your signatures from Martin Kraff's keys
On Thu, Jun 01, 2006 at 12:41:52AM +0200, Javier Fernández-Sanguino Peña wrote:
> On Mon, May 29, 2006 at 02:48:33PM +0200, Wouter Verhelst wrote:
> > Then there's the issue of tracing who did an actual upload into the real
> > world. A name on a GPG key is not, by any means, an effective way to do
> > that, since it does not contain enough information to get out the black
> > helicopters. Case in point:
> Useless case, you seem to believe that police officers can only trace and
> obtain information from people through Google !
No, I don't. I'm just saying that the name tacked to a GPG key is of far
less useful value than the email address which is tacked to the same.
> I do not know how many cases related to "digital crimes" have you been
> involved with or know of,
Not many, I'll admit.
> so please allow me to enlighten you how it could
> possiby work:
> - somebody named X gets a trojan in the Debian archive through a GPG key
> - SPI (not Debian as it does not have a legal entity in itself) brings the
> case to a law agency claiming that X has committed a crime
> - the Police traces X to A, B and C (same names != same people)
> - the Police gathers evidence that A and B *might* be in possession of the
> GPG key and might have done the attack (this includes things like
> information from ISPs linking a telecommunications contract to a name, data
> from their communication either publicly available or requested to ISPs or
There, here we are. You've admitted that just the name isn't enough and
that the police needs more, which was my whole point.
If they have a name which might be valid but an email address which is,
I think they have a far better chance at finding the person responsible
than if they have an email address which might be valid but a name which
Fun will now commence
-- Seven Of Nine, "Ashes to Ashes", stardate 53679.4