On Wed, 2015-02-11 at 11:17 -0800, Nikolaus Rath wrote: > I'm a little confused about the need to meet in-person to get a > signature that's acceptable for the Debian keyring. > > I believe that Debian packages are signed on upload to ensure that they > have been prepared by a Debian Developer, because Debian Developers are > assumed to be trustworthy. > > However, it seems to me that meeting someone in person isn't actually > verifying the relevant identity here. My trust in a Debian developer is > not based on him holding a particular legal name, it is in his history > of contributions. I agree. The problem is in the details. How do you prove all those contributions came from that key? Really the only way to prove it is to have that long history signed by the key that wants to become a DD. The issue is very few people sign all their interactions with Debian - certainly not in the beginning. Worse, there are people (and some current DD's) who strongly objected on this list to doing it. But yes, if it were available I agree it's far more secure than the procedures we have now, and I'd like to see Debian's procedure changed to treat such history with at least equal weight to getting your key signed by a DD. The reason is that history is a "proof of work". It's a well known and remarkably strong way of authenticating something. Currently the best known deployment of it in is Bitcoin which uses it as the foundation for block chain security. The weakness of the current method is shown by one of the responses given here: On Wed, 2015-02-11 at 20:36 +0000, Philip Hands wrote: > The thing it's trying to add is some assurance that, if it were > necessary to eject someone from the project for whatever reason, that > it is at least moderately hard for them to sneak back in under a > different name. If it is indeed trying to do that, it fails miserably. A DD signing a key doesn't imply he is saying he is worthy of (re)inclusion into Debian, so nobody uses it as a criterion. If some random noob comes up to DD with a valid credentials and asks them to sign their key, its highly likely they will. At major conferences this happens en-mass at key signing parties(!) It fails in another aspect as well. If a person has been ejected from Debian, a "proof of work" system demands he does a lot of work before he can get back in. (In effect the real penalty that arose from being rejected is abandoning all the work that got him into the project in the first place.) As it happens, I can't imagine a better demonstration of the good faith Debian would need to re-admit him than building up another year or two of history of healthy contributions and good behaviour. Other methods fail in comparison. The WoT is in reality depressingly weak, weak to the point that Debian could replace it with an automated key signing service and get a net in security. The key signing service would accept signed requests to sign the GPG key that signed the request, and email the encrypted signature back to the email address the signature belonged to. (I've omitted a lot of details of thing you would need to make it really secure.) This is stronger than what we have now because of two major issues. A signature from someone you don't know only tells you two things: they checked the ID, and if they followed the rules the person who controls the private key is the true owner of the email address. But if I wanted to get a "fake" ID signed it's simple enough - go to a foreign country. They won't be familiar with your countries ID so you can provide them with anything that looks suitably official. Trust in the bond between the email address and signature is destroyed when a person signing keys does the "nice" thing and uploads the signature to the key servers, something newbies do depressingly often. This is not to say a WoT signature can't be strong. It's hard to imagine a better procedure than two people who know each other physically meeting, exchanging fingerprints, signing keys there and then and verifying their signature email arrives in the recipients inbox before they separate. I think people defend the WoT imagining everyone follows the that procedure to the letter, just like they do. Reality is different, so a you are reduced to trusting only signatures from people who, bless them, you are know to a complete pain in the arse because they are absolute sticklers for the rules. The other signatures are just noise. Gpg does provide mechanisms to deal with it (the concept of trust and its transitivity), but as anybody who has looked at the keyring knows they is so much noise even the people who are aware of the mechanism don't bother. Unfortunately cryptography is a strong as the weakest link, and in the WoT the weakest link is weaker than not having the key signed at all because a signature that doesn't exist doesn't introduce noise. Debian tries to get around this by insisting your key is signed by somebody it does "know" (ie, DD). Sadly, not all DD's are complete pains in the arse, and Debian security ends up being as weak as the weakest of them.
Attachment:
signature.asc
Description: This is a digitally signed message part