On Tue, Sep 17, 2002 at 06:00:08PM -0500, Steve Langasek wrote:
> On Tue, Sep 17, 2002 at 04:36:39PM -0600, Joel Baker wrote:
> >
> > > A $50 kit isn't going to get you a disguise to believably mask the facial
> > > features that are most important in identifying people through such
> > > things as police sketches. $60 may get you a fake ID from a neighboring
> > > state, but the whole point is to tighten the web enough so that
> > > keysigners ARE familiar with the forms of IDs applicants use. There are
> > > enough risks with trying to conceal one's identity in a face-to-face
> > > meeting that stealing a key is probably easier[0]... and that's a sign
> > > that we're doing things right, IMHO.
>
> > Don't do much theater work, do you? $50 of supplies is more than sufficient
> > (as, in the amount used). I did specify a few hundred, if you must buy a
> > complete set of the necessary materials (and will have quite a bit left
> > over).
>
> Actually, I have done some theater work, and not many stage makeup jobs
> I've seen are seamless enough (even setting aside the fact that stage
> makeup is intended for much different lighting conditions) to pass for
> real flesh up close. To pull that off requires a lot more than just $50
> in supplies, it requires a serious investment of time. If someone's
> *that dedicated*, we're probably not going to keep them out no matter
> what. But that's not a casual attack. Our system should be good enough
> to keep out casual attackers.

And there is theatrical makeup specifically for "up close" work, too.
Street theater, etc. I assert that the people with the skills to make a
believable ID *and* pass the Debian skills checks *and* convince someone
to let them use a signed ID is sufficient to keep out 'casual' attackers,
and that beyond casual, as you note, we cannot defend against it.

> > What do you risk, anyway? Unless the DD also happens to be a LEO, or
> > suspects foul play beforehand and arranges for one... there isn't a lot
> > they can do. You go away and try it again somewhere else. All that's really
> > risked is time and possibly some money.
>
> You think someone who'd already been caught out once would try *again*
> when the community is abuzz with the news that someone tried to
> infiltrate Debian? :)

Why not? It's not like keysigning would stop; they wouldn't, if they were
smart, try it in the same area again anytime soon, but there's no reason
to assume that getting caught once means they go away.

> If you wear a disguise while lying your way into the keyring, the danger
> is that your peer will notice. If you don't wear a disguise, the danger
> is that once you've gotten in and done the damage, there's someone who
> can describe you to the authorities. Anyone who tries to pull off a
> deception in light of these risks is either good enough that we'll never
> catch them, or foolish enough that the one physical meeting is likely to
> be enough to let us catch them. In contrast, creating an Internet
> persona and doing some Photoshop work is VERY low-risk, especially for
> the type of casual attacker most likely to have the skillset to try to
> infiltrate the project -- namely, a script kiddie.

I assert that the physical meeting is not necessarily to catching them,
and that the average script kiddie will still have problems passing the
various checks.

However, we've now gone in circles for 2-3 rounds, and I don't think
either of us is going to convince the other. The method appears to be
used sufficiently often that folks probably need to decide whether they
are willing to lose potential developers over it by restricting it to
basically being a no-go. Since, after all, the only verification that
someone *can't* meet a DD for a keysigning is their word - so if you
allow it *at all*, you must assume someone trying to go that route can
lie convincingly enough to get someone to allow it.

Having a weak link that isn't used often remains a weak link, and limits
the security of the process overall, for exactly those reasons - an
active attack *will* seek to compromise that weak link. If you're not
going to prohibit photo ID signatures entirely, there is little reason to
avoid using them any time it is problematic. I have to assume that the
exemption is there specifically because the original process decided that
the risk was acceptable, in the name of gaining DDs.

-- 
***************************************************************************
Joel Baker                           System Administrator - lightbearer.com
lucifer@lightbearer.com              http://users.lightbearer.com/lucifer/