
Re: Why are in-person meetings required for the debian keyring?



Steve Langasek <vorlon@debian.org> writes:
> On Wed, Feb 11, 2015 at 11:17:44AM -0800, Nikolaus Rath wrote:
>> I'm a little confused about the need to meet in-person to get a
>> signature that's acceptable for the Debian keyring.
>
>> I believe that Debian packages are signed on upload to ensure that they
>> have been prepared by a Debian Developer, because Debian Developers are
>> assumed to be trustworthy.
>
>> However, it seems to me that meeting someone in person isn't actually
>> verifying the relevant identity here. My trust in a Debian developer is
>> not based on him holding a particular legal name, it is in his history
>> of contributions. In other words: just because I'm sure about someone's
>> legal name, I wouldn't trust him to run code on my computer. But if
>> someone has been contributing to Debian for 5 years with a specific GPG
>> key, I'd probably trust him to prepare a package no matter if the name
>> associated with the GPG key actually corresponds to some legal identity
>> or not.
>
>> Following that argument, I think a key should be signed and included in
>> the Debian keyring if it (the key) has a history of high quality
>> contributions. Meeting the keyholder in person to look at his passport
>> doesn't seem to add anything of particular value here. Why would I care
>> under what name he has been contributing?
>
>> Am I missing something?
>
> I'm surprised no one else has brought up this point yet: part of the reason
> for using cryptographic PKI (web of trust; SSL CAs; etc) is to eliminate
> man-in-the-middle attacks.
>
> If you haven't met and exchanged keys in person, then how do you know that
> there isn't a man in the middle?
>
> I think recent revelations regarding the systematic compromising of the
> Internet by governments show that this isn't a tinfoil question.  It is
> conceivable that an attacker would be able to intercept all PGP-signed
> communications from a target, replacing all signatures with signatures by
> their own key and thereby creating an unwitting sleeper agent.

In that threat model, don't you have to assume that the attacker also has
means to get a forged id and could also intercept (and modify) the
arrangement of the in-person meeting (so that the key signers never meet
each other, but each meet with an attacker)?

Also, wouldn't the person being impersonated notice when his mailing
list messages aren't signed by his key?


You are right, requiring in-person meetings does make it harder for an
attacker. But it seems to me that if an attacker is able to overcome the
defenses that exist without an in-person meeting, he isn't going to have
trouble dealing with an in-person meeting either. In other words, adding
the in-person meeting increases security, but doesn't actually exclude
any class of attackers that isn't already excluded.

Best,
-Nikolaus

-- 
GPG encrypted emails preferred. Key id: 0xD113FCAC3C4E599F
Fingerprint: ED31 791B 2C5C 1613 AF38 8B8A D113 FCAC 3C4E 599F

             »Time flies like an arrow, fruit flies like a Banana.«
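The key-substitution scenario Steve describes (an attacker replacing a contributor's key and signatures in transit) and the reason an in-person fingerprint check defeats it can be simulated. The code below is an added illustration, not from this thread or from Debian's keyring tooling: it uses a toy Lamport one-time signature over SHA-256 as a stand-in for a PGP key so that it runs with the Python standard library alone, and the participants Alice, Bob and Mallory, the message text and the `exchange()` helper are all constructed for the example.

```python
"""Simulate a man-in-the-middle key substitution and show that a signature
check alone does not detect it, while comparing the received key's
fingerprint against one obtained out of band (as at an in-person key
signing) does.  Toy Lamport signatures stand in for PGP keys."""
import hashlib
import secrets


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen():
    """Lamport one-time key: 256 pairs of random secrets; the public key is
    the list of their hashes."""
    priv = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pub = [(H(a), H(b)) for a, b in priv]
    return priv, pub


def _message_bits(message: bytes):
    digest = H(message)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def sign(priv, message: bytes):
    """Reveal, for each digest bit, the secret matching that bit."""
    return [priv[i][bit] for i, bit in enumerate(_message_bits(message))]


def verify(pub, message: bytes, sig) -> bool:
    """Each revealed secret must hash to the corresponding public value."""
    return all(H(sig[i]) == pub[i][bit] for i, bit in enumerate(_message_bits(message)))


def fingerprint(pub) -> str:
    """Short hash of the public key, analogous to a PGP key fingerprint."""
    return hashlib.sha256(b"".join(a + b for a, b in pub)).hexdigest()[:40].upper()


def exchange(attacker_in_middle: bool):
    """Alice sends Bob her public key plus a signed message over the network.

    Returns (signature_verified, fingerprint_matches_out_of_band_copy).
    With Mallory in the middle, Bob receives Mallory's key and a signature
    made with it; the signature still verifies against the key he was
    handed, so only the out-of-band fingerprint comparison reveals the swap.
    """
    alice_priv, alice_pub = keygen()
    # Fingerprint Bob obtained directly from Alice (e.g. at an in-person meeting).
    fingerprint_from_alice_in_person = fingerprint(alice_pub)

    message = b"Constructed sample message: please sponsor this upload"  # constructed
    wire_pub, wire_sig = alice_pub, sign(alice_priv, message)

    if attacker_in_middle:
        mallory_priv, mallory_pub = keygen()
        # Mallory strips Alice's key/signature and substitutes her own.
        wire_pub, wire_sig = mallory_pub, sign(mallory_priv, message)

    # Bob's two checks on what arrived over the wire.
    signature_ok = verify(wire_pub, message, wire_sig)
    fingerprint_ok = fingerprint(wire_pub) == fingerprint_from_alice_in_person
    return signature_ok, fingerprint_ok


if __name__ == "__main__":
    for mitm in (False, True):
        sig_ok, fp_ok = exchange(mitm)
        print(f"attacker in middle={mitm}: signature valid={sig_ok}, "
              f"fingerprint matches in-person copy={fp_ok}")
```

Without the attacker both checks pass; with the attacker the signature still verifies (Bob is checking against the substituted key), and only the fingerprint comparison against the copy obtained in person fails. That is the property the in-person requirement buys: a channel for the fingerprint that the network attacker does not control.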

