Re: [Debconf-discuss] GPG keysigning?
On Mon, Jun 22 2009, martin f krafft wrote:
> Does it matter whether I have a passport that carries my name, or
> whether the name on my key, with which I consistently identify
> myself in Debian, is actually my own name? Why would anyone care?
This is getting silly enough that we probably want to back off a
bit and examine what we really want to do here.
So, I see a reason for having a gpg sig signed by other people
is accountability: we want to tie a online persona to a real person in
some way (if not, there is no point in signing keys; you just make
every contributor sign with whatever keys they want, and just let that
key owner build up a trust in their competence/integrity/homage to the
holy penguin pee/whatever.
You can send in your own signed message saying you have known
the work signed by key foo for years, and you trust the owner of that
key to turn in goodly work, and you think the owner of that key has the
technical chops to belong to Debian, whatever. The key owner, of they
change their key, will lose a lot of that trust the old key built,
unless they can prove the new key owner is the same as the old key
owner -- which means that we need to tie the keys together somehow. Of
course, an interesting means of doing so is to somehow tie the key to a
real person (heh).
This is all that is really needed for the integrity/trust of the
work produced by a keys owner.
However, if you want to tie that key owner to a real person, to
somehow (my speculation) bring down the wrath on the community on
someone who does something nasty or subverts the DMUP or causes the FSM
to weep, well, you need the meet and greet and key signing
stuff. Smiting evil dooers seems to be the major cause that justifies
this exerciser, since otherwise the person can just dump their key,
change their email, and get away scot free. Hard to smite them then.
Now really, we want to tie the key to a person -- even if they
resleeve (a. la. Altered Carbon, [0]). Thankfully, releeving is not
(yet) possible, so we don't have to deal with that. All we have to do
is to tie a key to a real live person, and do it in a fashion that is
reproducible and testable.
Traditionally, you establish identity for a person by one or
more of:
A) Something they (and only they) have. This is previously issued
tokens of some kind (passports, id cards, secure tokens,
etc). There are three things needed to make this even the least bit
reliable:
1) You need to trust the process of deploying the thing they have;
someone must establish in some manner who the person is, before
the token is given out
2) The token should not be easily duplicated, stolen, and
reused. This requires some care on the part of the token holder
3) You can actually verify that the token is genuine and decipher
who the token was issued to without being spoofed.
B) Something that the person is. Biometrics, etc. Again, the caveats
apply about spoofing, and trusting you know what it is that the
person is supposed to be (is it really Mr X's retina scan I am
trying to match?)
C) Something they know. Shared secrets, passwords, knowledge of
events past you and the person knows, and no one else could.
Madduck seems to put a whole lot of unjustified confidence in C)
above. You might think you know the person pretending to be Mr X, but
really, most of us at debconf have done little to verify C to any
degree of reliability. If all you can say is that person owns that
email address, why are you even bothering to have a signing party? You
don't need it to ascertain that a key owner controls an email address
by some other persons signature; just send a encrypted message to that
email address and ask for a reply. Done.
So, A. Now, most countries where people are allowed to come to
my country from have to demonstrate a process by which they issue
travel documents to their citizens, and I have established for myself
that if it meets the State departments needs, then !.1 is satisfied
for me.
A.2 is somewhat harder, but being careless about your travel
documents has real world consequences, and most countries whose
citizens can travel to mine have made travel docs hard to
duplicate. Not impossible, but hard.
A.3 seems to be the part which receives most criticism; I can
surely be spoofed by a well forged travel document. But it does raise
the bar for someone who needs my signature, and I think it meets my
threshold of return on effort to sign the key, and put a modicum of
trust in the assertion that we have nailed that key to a real human
being.
So while signing keys is not about governments, as Russ said, it
is about establishing identity, and government issued identity
documents are better proxies for establishing that than I can be
bothered to do myself.
And, on my day job, people will fall over laughing about basing
identity on what someone says often enough over a period of time with
no further checks. And yes, my tummy still hurts.
manoj
[0]: http://www.goodreads.com/book/show/40445.Altered_Carbon
--
Subtlety is the art of saying what you think and getting out of the way
before it is understood.
Manoj Srivastava <srivasta@acm.org> <http://www.golden-gryphon.com/>
1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C
Reply to: