Re: Why are in-person meetings required for the debian keyring?
]] Russ Allbery
> Christian Kastner <debian@kvr.at> writes:
>
> > And I maintain that those people cannot be trusted with unrestricted
> > upload rights to the archive. That person-noone-has-ever-met but
> > occasionally-prepares-and-uploads-packages could just be a well
> > motivated person (or a group of people -- who knows?) hoping to
> > eventually compromise a popluar OS such as Debian, with zero risk of
> > personal consequences, or criminal prosecution.
>
> I think the point is that so could the person who showed up at DebConf.
> Once you start postulating a sufficiently motivated attacker that they
> would be willing to take the time to establish a contribution track record
> and go through the NM process, showing up at DebConf with a forged ID is
> not increasing the difficulty of the attack by very much, nor is it
> increasing the risk by all that much.
And, some of us don't check ID for all keysignings. If you are acting
as if you're $person for years and appear to be that person when I
interact with you (and talk about stuff we've worked on or whatever),
I'm quite likely to sign your key based on that: I would have verified
your identify against who you claim to be in Debian.
There are certainly possible attacks here, but do we realistically think
we're going to protect ourselves against a competent attacker willing to
put 3-6-12 months of full-time effort into becoming a DD and getting
access? I don't think we do, and if we did, we'd have no volunteers able
to get past the threshold.
--
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are
Reply to: