On Wed, Feb 11, 2015 at 11:17:44AM -0800, Nikolaus Rath wrote:
> I'm a little confused about the need to meet in-person to get a
> signature that's acceptable for the Debian keyring.
>
> I believe that Debian packages are signed on upload to ensure that they
> have been prepared by a Debian Developer, because Debian Developers are
> assumed to be trustworthy.
>
> However, it seems to me that meeting someone in person isn't actually
> verifying the relevant identity here. My trust in a Debian developer is
> not based on him holding a particular legal name, it is in his history
> of contributions. In other words: just because I'm sure about someone's
> legal name, I wouldn't trust him to run code on my computer. But if
> someone has been contributing to Debian for 5 years with a specific GPG
> key, I'd probably trust him to prepare a package no matter if the name
> associated with the GPG key actually corresponds to some legal identity
> or not.
>
> Following that argument, I think a key should be signed and included in
> the Debian keyring if it (the key) has a history of high quality
> contributions. Meeting the keyholder in person to look at his passport
> doesn't seem to add anything of particular value here. Why would I care
> under what name he has been contributing?
>
> Am I missing something?

I'm surprised no one else has brought up this point yet: part of the reason for using cryptographic PKI (web of trust; SSL CAs; etc) is to eliminate man-in-the-middle attacks. If you haven't met and exchanged keys in person, then how do you know that there isn't a man in the middle? I think recent revelations regarding the systematic compromising of the Internet by governments show that this isn't a tinfoil question. It is conceivable that an attacker would be able to intercept all PGP-signed communications from a target, replacing all signatures with signatures by their own key and thereby creating an unwitting sleeper agent.

Given that you want direct exchange of fingerprints via an in-person meeting anyway, the additional verification of a state-recognized identity is only incrementally more inconvenient, and it does provide protection against additional forms of attack on the project. You may only care that the key belongs to the person who has been doing the work; others of us also care that we have some measure of protection against one of these people going rogue and causing millions of dollars of damage to our users. Debian is a high-stakes target. Checking state-issued IDs isn't a perfect guard against infiltration, but it seems to be the best we've come up with so far. People who complain about the value of ID checks never seem to offer anything *better*, they only propose eliminating them and weakening our standards.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org