Re: Why are in-person meetings required for the debian keyring?

To: debian-project@lists.debian.org
Subject: Re: Why are in-person meetings required for the debian keyring?
From: Tollef Fog Heen <tfheen@err.no>
Date: Fri, 13 Feb 2015 13:38:43 +0100
Message-id: <[🔎] 87mw4i6l64.fsf@xoog.err.no>
Mail-followup-to: debian-project@lists.debian.org
In-reply-to: <[🔎] 87mw4iao0v.fsf@hope.eyrie.org> (Russ Allbery's message of "Thu, 12 Feb 2015 12:11:12 -0800")
References: <[🔎] 87r3twgsvb.fsf@thinkpad.rath.org> <[🔎] 87twysi3rt.fsf@hands.com> <[🔎] 20150211204508.GA24789@helios.pault.ag> <[🔎] 54DC0AFB.8090302@kvr.at> <[🔎] 87bnkzqc73.fsf@thinkpad.rath.org> <[🔎] 54DD054B.9020709@kvr.at> <[🔎] 87mw4iao0v.fsf@hope.eyrie.org>

]] Russ Allbery 

> Christian Kastner <debian@kvr.at> writes:
> 
> > And I maintain that those people cannot be trusted with unrestricted
> > upload rights to the archive. That person-noone-has-ever-met but
> > occasionally-prepares-and-uploads-packages could just be a well
> > motivated person (or a group of people -- who knows?) hoping to
> > eventually compromise a popluar OS such as Debian, with zero risk of
> > personal consequences, or criminal prosecution.
> 
> I think the point is that so could the person who showed up at DebConf.
> Once you start postulating a sufficiently motivated attacker that they
> would be willing to take the time to establish a contribution track record
> and go through the NM process, showing up at DebConf with a forged ID is
> not increasing the difficulty of the attack by very much, nor is it
> increasing the risk by all that much.

And, some of us don't check ID for all keysignings.  If you are acting
as if you're $person for years and appear to be that person when I
interact with you (and talk about stuff we've worked on or whatever),
I'm quite likely to sign your key based on that: I would have verified
your identify against who you claim to be in Debian.

There are certainly possible attacks here, but do we realistically think
we're going to protect ourselves against a competent attacker willing to
put 3-6-12 months of full-time effort into becoming a DD and getting
access? I don't think we do, and if we did, we'd have no volunteers able
to get past the threshold.

-- 
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are

Reply to:

Follow-Ups:
- Re: Why are in-person meetings required for the debian keyring?
  - From: Christian Kastner <debian@kvr.at>

References:
- Why are in-person meetings required for the debian keyring?
  - From: Nikolaus Rath <Nikolaus@rath.org>
- Re: Why are in-person meetings required for the debian keyring?
  - From: Philip Hands <phil@hands.com>
- Re: Why are in-person meetings required for the debian keyring?
  - From: Paul Tagliamonte <paultag@debian.org>
- Re: Why are in-person meetings required for the debian keyring?
  - From: Christian Kastner <debian@kvr.at>
- Re: Why are in-person meetings required for the debian keyring?
  - From: Nikolaus Rath <Nikolaus@rath.org>
- Re: Why are in-person meetings required for the debian keyring?
  - From: Christian Kastner <debian@kvr.at>
- Re: Why are in-person meetings required for the debian keyring?
  - From: Russ Allbery <rra@debian.org>

Prev by Date: Re: Mentoring of the Month for woman
Next by Date: Re: Why are in-person meetings required for the debian keyring?
Previous by thread: Re: Why are in-person meetings required for the debian keyring?
Next by thread: Re: Why are in-person meetings required for the debian keyring?
Index(es):
- Date
- Thread