
Re: PGP and verifying ids / emails



On Fri, Jul 30, 1999 at 08:32:23AM -0500, Jor-el wrote:
> Scenery is here, wish you were beautiful.

wish you were a little less (not much though) paranoid..  =p


> 	Actually, there could be a possible reason for this if the
> rejection criteria applied by the new-maintainers group is applied at the
> key-signing level. Suppose there is a person whose qualities make him /
> her unacceptable to Debian so that the new-maintainers group would reject
> this person's membership. In which case, this person gets a proxy to get
> a key signed (you would be verifying the proxy's id and the proxy has no
> intention of using the key you sign). After the PGP key is in a trusted
> position, the person using the PGP key can cause all the damage that he /
> she wants to.

Now ...  You are missing something here.  Not only must you, a signing
developer, decide that a person is really who they claim to be, but the
developer then has to talk to one of the new maintainer team members
directly...  This is really key because a proxy is going to either be a
disgruntled developer, another who wishes to become a developer and
already knows things, or they aren't going to know the right answers to
the right questions when James or Joey starts asking.

Further, as I have said already, I personally do not trust my own ID.
It's too easily stolen and makeup could have a person look even enough
like me to pass the picture comparison.  If the person is able to write
with their left hand and practices a few times, they could probably write
my signature in a way that would be passing to the average eye.  And how
many places don't even check for picture ID?  All they want are a couple
of numbers and compare your name to them.  Anybody who has a check I have
written and happens to get my ID card can find out lots of info as to my
bank account for example, just by dialing a 1-800 number that HAPPENS to
be right on the check!

There is no form of existing physical ID that can really be considered
proof positive that the person standing in front of you is who they claim.
None.


HOWEVER, you can be sure that the key which signs this message belongs to
the same person who just uploaded a quick bugfix for logrotate a few
moments ago.  I am RSA 2048/50BDA0ED - E8D68481E3A8BB778EE22996C9445FBE
and I am DSA 1024/DCF9DAB3 or ElGamal 2048/3F9C2A43 - 20F62261F1857A3E79
FC44F98FF7D7A3DCF9DAB3.  That much you can be certain of.  My name may be
Joseph Carter, Thomas J Carter, Knghtbrd, or Bozo the Clown---that doesn't
matter in the least.  You KNOW I am those numbers.

Given that names are not unique and neither are aliases (as evidenced by
watching efnet script kiddies fighting over them), there may be other keys
out there with my name on them.  That's why keys usually also feature an
email address.  But the numbers in that combination with "Joseph Carter
<knghtbrd@debian.org>" attached, THOSE are unique.


> 	If you think that the proxy wouldn't do this because of possible
> repercussions to the proxy, let me point out that IDs of the level to
> fool non-law-enforcement people are not that hard to make. If you are
> looking at a US drivers license, do you automatically check for the
> holographic image to see if it is valid? Do you know the difference
> between a fake foreign passport and a valid one?
> 
> 	I think Debian is taking too much on trust. But then, I don't see a
> way to resolve this either. Given the fact that there are so few of us (in
> relation to the rest of the world), tightening up security could choke the
> new membership pipeline to the extent that Debian could decay in four or
> five years.

The trust isn't in pgp keys and their owners ...  The trust is lost that
anybody with a key on our keyring can upload any package, anytime, and
chances are good nobody would notice something nasty slipped in.  This
means one shmuck with his birthdate as a passphrase who nfs mounts /home
where it can be read by the outside world accidentally could cause the
whole distribution lots of grief when someone figures out what they did by
portscanning everyone joining #debian ...

-- 
Joseph Carter <knghtbrd@debian.org>             Debian GNU/Linux developer
GnuPG: 2048g/3F9C2A43 - 20F6 2261 F185 7A3E 79FC  44F9 8FF7 D7A3 DCF9 DAB3
PGP 2.6: 2048R/50BDA0ED - E8 D6 84 81 E3 A8 BB 77  8E E2 29 96 C9 44 5F BE
--------------------------------------------------------------------------
"my biggest problem with RH (and especially RH contrib packages) is that
they DON'T have anything like our policy.  That's one of the main reasons
why their packages are so crappy and broken.  Debian has the teamwork
side of building a distribution down to a fine art."
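The point Joseph makes above, that the key's numbers are what identify a signer while names and e-mail addresses are not unique, is illustrated by the following added example. It is not code from the post or from Debian; it assumes the OpenPGP v4 rule (RFC 4880, section 12.2) that a key's 64-bit key ID is the low-order 8 bytes of its 20-byte SHA-1 fingerprint and the short 32-bit ID is the low 4 bytes, and that v3 keys (the PGP 2.6 RSA key, 16-byte MD5 fingerprint) do not derive their key ID from the fingerprint at all. The fingerprints and key IDs are copied from the signature in the message; the second "Joseph Carter" key is a constructed fingerprint used only to show a name collision.

```python
"""Added example: fingerprints, not names, identify an OpenPGP key."""
import re

# Fingerprints as printed in the signature block of the message above.
DSA_FINGERPRINT = "20F6 2261 F185 7A3E 79FC  44F9 8FF7 D7A3 DCF9 DAB3"   # 2048g/3F9C2A43 line
RSA_V3_FINGERPRINT = "E8 D6 84 81 E3 A8 BB 77  8E E2 29 96 C9 44 5F BE"  # 2048R/50BDA0ED line


def normalize_fingerprint(text: str) -> str:
    """Strip spaces/dashes, upper-case, and require a v3 (32 hex) or v4 (40 hex) fingerprint."""
    fpr = re.sub(r"[\s-]", "", text).upper()
    if not re.fullmatch(r"[0-9A-F]{32}|[0-9A-F]{40}", fpr):
        raise ValueError(f"not an OpenPGP fingerprint: {text!r}")
    return fpr


def key_ids(fingerprint: str):
    """Return (long_id, short_id) for a v4 fingerprint, or None for a v3 one.

    v4: key ID = low 8 bytes of the SHA-1 fingerprint (RFC 4880 12.2).
    v3: key ID = low bits of the RSA modulus, so it cannot be read off the
        MD5 fingerprint; the caller must check the key material itself.
    """
    fpr = normalize_fingerprint(fingerprint)
    if len(fpr) == 32:
        return None
    return fpr[-16:], fpr[-8:]


def matches_claimed_id(fingerprint: str, claimed_id: str) -> bool:
    """Does a printed fingerprint belong to the key ID someone claims?

    A primary-key fingerprint only vouches for the primary key's ID; a
    subkey ID (like the ElGamal 3F9C2A43) has its own fingerprint.
    """
    ids = key_ids(fingerprint)
    if ids is None:
        return False
    claimed = claimed_id.upper()
    if claimed.startswith("0X"):
        claimed = claimed[2:]
    return claimed in ids


# Keyring indexed by fingerprint.  Two different keys may carry the same
# user ID; only the fingerprint tells them apart.
KEYRING = {
    normalize_fingerprint(DSA_FINGERPRINT): "Joseph Carter <knghtbrd@debian.org>",
    # Constructed sample fingerprint (not a real key): same name and
    # address, different key.
    "0123456789ABCDEF0123456789ABCDEF01234567": "Joseph Carter <knghtbrd@debian.org>",
}


def keys_for_uid(uid: str) -> list:
    """All fingerprints that carry a given user ID: may be more than one."""
    return sorted(f for f, u in KEYRING.items() if u == uid)


def uid_for_fingerprint(fingerprint: str) -> str:
    """Exactly one answer, or a KeyError: the fingerprint is the identity."""
    return KEYRING[normalize_fingerprint(fingerprint)]


if __name__ == "__main__":
    print("DSA key IDs:", key_ids(DSA_FINGERPRINT))
    print("claims DCF9DAB3:", matches_claimed_id(DSA_FINGERPRINT, "DCF9DAB3"))
    print("claims 3F9C2A43:", matches_claimed_id(DSA_FINGERPRINT, "3F9C2A43"))
    print("v3 RSA key IDs:", key_ids(RSA_V3_FINGERPRINT))
    print("keys named Joseph Carter:", keys_for_uid("Joseph Carter <knghtbrd@debian.org>"))
```

Checking a fingerprint against the key ID printed on a signature line is the concrete form of "you KNOW I am those numbers": the short ID alone is just the last eight hex digits and is what someone would search for on a keyserver, while the full fingerprint is what you compare in person. The keyring lookup shows why a name-only search can return several keys but a fingerprint lookup returns at most one.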

Attachment: pgpL4CjACWWDc.pgp
Description: PGP signature
