
Re: Keysigning via Video Conferencing

Nikolaus Rath said [Wed, Jun 22, 2016 at 07:58:43AM -0700]:
> > Now, I have said this too many times, but once more: As keyring-maint,
> > we are not collecting samples of people showing valid-looking ID
> > documents to others. This is one of the issues why we don't have
> > long-queue key signing parties: Just checking the ID of a complete
> > stranger is not real identity validation.
> >
> > My personal guideline is that I will sign your key if and only if I
> > see your face and can think of your name, and the opposite way
> > around.
> Hmm. Can you explain that in a little more detail?
> As I understand, we'll have to meet a few times for beer until we
> remember each other's names, and then we sign keys - without ever having
> verified if we've actually given our legal name.

Yes, I try to keep that as a guideline. Of course, were you to come to
Mexico and meet me, or were I to travel to wherever you live, if we
agree to meet for a beer or so and have a couple of hours chatting
about what we do and want in Debian or in life... I guess I'd have a
much better recollection of your face than if we had met at a massive
key-signing party.

In said case, however, I would resort to verifying your identity on
some official-looking papers. It is not what *I* regard as best, but
it's the closest available. Living over 1000Km from the nearest DD, I
know firsthand that some people can have a hard time getting
signatures, and I will be flexible if needed. But those special cases
will more probably "make it" to my long-term memory.

> I'm a little confused as to what sort of malicious activity this is
> intended to stop/make more difficult...? 

I want to ensure people actually are known by the identity I sign. The
best way to do it is to interact in their social circle and know other
people that trust this person's identity. Of course, that's often

A second-best would be to meet you repeatedly throughout some time
period, with you having the same identity. That's what I do most of
the time: I know the names or pseudonyms of people in Debian and in my
local LUGs. I will sign according to those.

Government-issued IDs are, IMO, a distant third.

What can a malicious user do? Say, you detect that Foob Arski is a MIA
Debian Developer and his mail address bounces. I can point you to
several places in my city where you can print genuine-looking fake
IDs. Get a driver's license or so going by Foob's name, come to me,
I'll sign your key. Do the same with one other DD. Then ask DAM to
change your mail in db.debian.org, and ask keyring-maint to change
your GPG key. There, you have successfully impersonated a MIA DD, and
got upload, machine usage and voting rights in Debian.
