Re: Why are in-person meetings required for the debian keyring?
On 2015-02-12 21:11, Russ Allbery wrote:
> Christian Kastner <debian@kvr.at> writes:
>
>> And I maintain that those people cannot be trusted with unrestricted
>> upload rights to the archive. That person-noone-has-ever-met but
>> occasionally-prepares-and-uploads-packages could just be a well
>> motivated person (or a group of people -- who knows?) hoping to
>> eventually compromise a popluar OS such as Debian, with zero risk of
>> personal consequences, or criminal prosecution.
>
> I think the point is that so could the person who showed up at DebConf.
> Once you start postulating a sufficiently motivated attacker that they
> would be willing to take the time to establish a contribution track record
> and go through the NM process, showing up at DebConf with a forged ID is
> not increasing the difficulty of the attack by very much, nor is it
> increasing the risk by all that much.
I of course agree with the first part, but I have to disagree with the
last sentence: I think it does increase the risk for the attacker.
Because even if the ID is fake, I still have seen a person, and a face,
I could describe. I could point out that person to others at next
DebConf. I could describe the person to the authorities (faking IDs is a
criminal offense, and in the case of a compromise, many countries also
have cybersecurity laws). That puts the attacker at least at some risk.
I'm aware that attackers may exist who might not be deterred even by the
above, but to me, those are at the other end of the spectrum. I do
believe the current personal verification policy presents an effective
deterrent to more common types of attackers.
Regards,
Christian
Reply to: