
Re: [Debconf-discuss] GPG keysigning?



Manoj Srivastava wrote:
On Tue, Jun 23 2009, Giacomo A. Catenazzi wrote:

I think you miss an important item: people with the same name.  In my
small town, I know a lot of people with the same name (first and surname).
In the Linux community we have three different Alan Coxes.

        Right. But you never sign just a name; you sign a GPG user id,
 which is associated with an email, or a picture, and you check that the
 person owns the email, right? Right?


        Me, I usually don't sign a key unless I can ensure that the
 owner of the email address knows a shared secret we shared at the
 keysigning. Admittedly, this is a minor attack vector: if Eve knows
 Alice's secret key and passphrase, has control of one of the email
 addresses, and Alice does not, then Eve will not get the new signature,
 since she does not know the secret I shared with Alice. This is
 probably not a vector worth thinking about, I might just start using
 caff instead.


A PGP identity normally uses an email-like identity (name and email
address), so your point A reduces the set of possible persons who can
misuse the identity check, but ... in security terminology this is called
false security, which is normally worse than no security (people will
trust the wrong thing).

        I fail to see this. When we sign keys, the accepted minimal
 convention is to use caff, which ensures the signature is propagated
 only if the person whose identity you verified (by whatever criteria you
 select) owns the id; or whose real life face matches their picture
 ID.

But in the thread too much emphasis was given to identity (like
name and surname), which is IMO dangerous. A name cannot uniquely
identify a person (or her keys).



        So no, I do not think I missed this item; I just assumed that
 everyone used a minimal email check before handing out signatures.

Ok, I "misunderstood" your mail: I was thinking you put too much
weight only on official documents (passport etc.).
I totally agree with you, we need to verify the email addresses
(along with the identity).


Web of trust is evil! I think Debian should reframe the problem and
use GPG only for limited scopes (upload and sign), identified by key
ID.  Debian could build an internal web of trust (checking mail and
identity, with its own extra rules).

        My goodness. These are extra rules now?

        This is dismaying, and engenders misgivings about the value of
 your signatures.

Ok. I went to the extreme (we should not trust names), which is also
wrong.

I meant: the ways to break the web of trust are too easy; some are
malicious/educational like Martin's, some are real errors and
misunderstandings of GPG. Each error diminishes the value of the
web of trust.

So we need a Debian procedure for a strong web of trust which is
easy and reduces errors and misconceptions to a minimum. Current
DebConf keysigning parties have problems; OTOH we need signatures.
We need to set one (or two) bars. I don't think that only personal
assessment of signatures is good.

[Note: Debian trusts keys in a different way compared to GPG (e.g.
disconnected keys)]

OTOH in the general web of trust, every person has their own rules
(some IMO too weak, some IMO too strong) and every person assesses
the trustworthiness of other people, which cannot be enough to trust
a new NM.

ciao
	cate
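The caff-style flow Manoj describes above (each user id signed on its own, the signature mailed encrypted to the key, to that user id's address only), plus his shared-secret variant, as an added example that is not part of this thread and not caff's own code. The keys, "encryption" and "mail" are stand-ins that enforce the same access rules as the real tools; all names, addresses, and the `demo()` scenarios are constructed for illustration.

```python
"""Model of the caff-style keysigning flow discussed in the thread.

Constructed example. Keys, "encryption" and "mail" are stand-ins that
enforce the same access rules as the real tools (only the holder of a
private key opens mail encrypted to it; only the holder of a mailbox reads
it). No real cryptography is performed here; caff itself drives gpg.
"""
from dataclasses import dataclass
from typing import Optional
import hashlib
import secrets


@dataclass(frozen=True)
class Uid:
    name: str
    email: str


@dataclass
class Key:
    uids: list          # Uid entries on the key
    secret: bytes       # stands in for the private key material

    @property
    def fingerprint(self) -> str:
        # Public half, derived from the secret as a real public key is.
        return hashlib.sha256(self.secret).hexdigest()[:40].upper()


def keygen(uids) -> Key:
    return Key(list(uids), secrets.token_bytes(32))


@dataclass(frozen=True)
class Signature:
    signer_fpr: str
    target_fpr: str
    uid: Uid            # caff signs each user id separately


@dataclass(frozen=True)
class Envelope:
    to_fpr: str                     # "encrypted to" this key
    payload: Signature
    secret_digest: Optional[bytes]  # Manoj's variant: in-person shared secret

    def open(self, key: Key, shared_secret: Optional[bytes] = None) -> Signature:
        if key.fingerprint != self.to_fpr:      # needs the private key
            raise PermissionError("not encrypted to this key")
        if self.secret_digest is not None:      # needs the shared secret too
            if shared_secret is None or hashlib.sha256(shared_secret).digest() != self.secret_digest:
                raise PermissionError("shared secret not known")
        return self.payload


class MailSystem:
    def __init__(self):
        self.boxes = {}         # email -> [Envelope]

    def send(self, email: str, env: Envelope) -> None:
        self.boxes.setdefault(email, []).append(env)

    def read(self, email: str, owned: set) -> list:
        if email not in owned:  # only the mailbox owner can read it
            raise PermissionError(f"no access to {email}")
        return list(self.boxes.get(email, []))


def caff_sign(signer, target, verified_uids, mail, shared_secret=None):
    """Sign each verified uid on its own; mail that single signature,
    encrypted to the target key, to that uid's address only."""
    digest = hashlib.sha256(shared_secret).digest() if shared_secret else None
    for uid in verified_uids:
        if uid not in target.uids:
            raise ValueError(f"{uid} is not on the key")
        sig = Signature(signer.fingerprint, target.fingerprint, uid)
        mail.send(uid.email, Envelope(target.fingerprint, sig, digest))


def collect(actor_key, owned_mailboxes, mail, shared_secret=None):
    """Signatures an actor holding this key and these mailboxes can publish."""
    got = []
    for email in owned_mailboxes:
        for env in mail.read(email, owned_mailboxes):
            try:
                got.append(env.open(actor_key, shared_secret))
            except PermissionError:
                pass
    return got


def demo():
    mail = MailSystem()
    alice = keygen([Uid("Alice", "alice@example.org"), Uid("Alice", "alice@example.net")])
    manoj = keygen([Uid("Manoj", "manoj@example.com")])
    eve = keygen([Uid("Eve", "eve@example.org")])
    stolen = Key(alice.uids, alice.secret)   # Eve has Alice's key and passphrase
    both = {"alice@example.org", "alice@example.net"}

    caff_sign(manoj, alice, alice.uids, mail)           # plain caff
    out = {
        "alice, both mailboxes": len(collect(alice, both, mail)),
        "eve, mailbox .net only": len(collect(eve, {"alice@example.net"}, mail)),
        "eve, stolen key only": len(collect(stolen, {"eve@example.org"}, mail)),
        "eve, stolen key + .net": len(collect(stolen, {"alice@example.net"}, mail)),
    }
    # Manoj's variant: release only to someone who also knows the in-person secret.
    mail2 = MailSystem()
    caff_sign(manoj, alice, alice.uids, mail2, shared_secret=b"told at the party")
    out["eve, stolen key + .net, no secret"] = len(collect(stolen, {"alice@example.net"}, mail2))
    out["alice, with secret"] = len(collect(alice, both, mail2, b"told at the party"))
    return out
```

Running `demo()` shows the access matrix the thread argues about: with plain caff, Alice recovers both signatures, an Eve who holds only a mailbox or only the stolen key gets none, and an Eve who holds the stolen key plus one mailbox gets exactly that one uid's signature; adding the shared secret exchanged in person closes that last case at the cost of a manual step.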

