
Re: Keysigning via Video Conferencing



On Jun 22 2016, Gunnar Wolf <gwolf@debian.org> wrote:
> Nikolaus Rath said [Wed, Jun 22, 2016 at 07:58:43AM -0700]:
>> > Now, I have said this too many times, but once more: As keyring-maint,
>> > we are not collecting samples of people showing valid-looking ID
>> > documents to others. This is one of the issues why we don't have
>> > long-queue key signing parties: Just checking the ID of a complete
>> > stranger is not real identity validation.
>> >
>> > My personal guideline is that I will sign your key if and only if I
>> > see your face and can think of your name, and the opposite way
>> > around.
>> 
>> Hmm. Can you explain that in a little more detail?
>> 
>> As I understand, we'll have to meet a few times for beer until we
>> remember each other's name, and then we sign keys - without ever having
>> verified if we've actually given our legal name.
>
> Yes, I try to keep that as a guideline. Of course, were you to come to
> Mexico and meet me, or were I to travel to wherever you live, if we
> agree to meet for a beer or so and have a couple of hours chatting
> about what we do and want in Debian or in life... I guess I'd have a
> much better recollection on your face than if we had met at a massive
> key-signing party.
>
> In said case, however, I would resort to verifying your identity on
> some official-looking papers. It is not what *I* regard as best, but
> it's the closest available. Living over 1000Km from the nearest DD, I
> know firsthand that some people can have a hard time getting
> signatures, and I will be flexible if needed. But those special cases
> will more probably "make it" to my long-term memory.
>
>> I'm a little confused as to what sort of malicious activity this is
>> intended to stop/make more difficult...? 
>
> I want to ensure people actually are known by the identity I sign. The
> best way to do it is to interact in their social circle and know other
> people that trust this person's identity. Of course, that's often
> impossible.
>
> A second-best would be to meet you repeatedly throughout some time
> period, with you having the same identity. That's what I do most of
> the time: I know the names or pseudonyms of people in Debian and in my
> local LUGs. I will sign according to those.
>
> Government-issued IDs are, IMO, a distant third.
>
> What can a malicious user do? Say, you detect that Foob Arski is a MIA
> Debian Developer and his mail address bounces. I can point you to
> several places in my city where you can print genuine-looking fake
> IDs. Get a driver's license or so going by Foob's name, come to me,
> I'll sign your key. Do the same with one other DD. Then ask DAM to
> change your mail in db.debian.org, and ask keyring-maint to change
> your GPG key. There, you have successfully impersonated a MIA DD, and
> got upload, machine usage and voting rights in Debian.


But how is your policy preventing this? Instead of getting the fake
driver's license, I'd just meet with you a couple of times, chat about my
supposed Debian work, and eventually get the signature as well.


Best,
-Nikolaus

-- 
GPG encrypted emails preferred. Key id: 0xD113FCAC3C4E599F
Fingerprint: ED31 791B 2C5C 1613 AF38 8B8A D113 FCAC 3C4E 599F

             »Time flies like an arrow, fruit flies like a Banana.«

