On Fri, Feb 13, 2015 at 09:19:29AM +1000, Russell Stuart wrote:
> On Thu, 2015-02-12 at 10:57 -0800, Steve Langasek wrote:
> > I'm surprised no one else has brought up this point yet: part of the reason
> > for using cryptographic PKI (web of trust; SSL CAs; etc.) is to eliminate
> > man-in-the-middle attacks.

> Ah, but you see that is one of the beauties of proof of work. It is
> almost immune to MITM attacks.

No, your so-called "proof of work" provides no protection at all against the
MITM attack I outlined.

> You are saying a personal meeting enhances security, so let's perform a
> thought experiment. Let's remove the existing parts of the system that are
> proof of work, and instead rely exclusively on the WoT. To do that we
> will no longer insist people sign their application email. Instead, once
> they are accepted, the Debian keyring maintainers pull the key associated
> with the email address off the key servers, and verify it is signed by two
> DDs - i.e. just use the WoT to authenticate the GPG key.

This is a nonsensical strawman that proves nothing about whether ID checks
improve the security of Debian's web of trust. Understanding why it's
nonsensical is left as an exercise for the reader.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                   vorlon@debian.org
Attachment: signature.asc (Description: Digital signature)
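The quoted thought experiment ("pull the key associated with the email address off the key servers, and verify it is signed by two DDs") rests on a step that a keyserver cannot make safe on its own: a keyserver does not verify who uploads a key, so several keys can carry the same email address. The toy model below is an added example, not part of this thread and not Debian's keyring tooling; all fingerprints, names and the keyserver contents are constructed. It contrasts a lookup that trusts "the key for this address" with one that only accepts a key certified by a fixed set of already-trusted signer fingerprints, which is the check a keyring maintainer would actually need.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Key:
    """A public key as a keyserver would return it (constructed model)."""
    fingerprint: str          # identifies the key; the email address does not
    uid: str                  # "Name <email>" user ID claimed by the uploader
    signers: frozenset        # fingerprints of keys that certified this UID

# Hypothetical fingerprints of three existing project members (constructed).
DD_ALICE, DD_BOB, DD_CAROL = "FP-DD-ALICE", "FP-DD-BOB", "FP-DD-CAROL"
TRUSTED_SIGNERS = frozenset({DD_ALICE, DD_BOB, DD_CAROL})

# Constructed keyserver contents: two keys claim the same address. Nothing
# stops the second uploader from doing this, and nothing stops them from
# attaching two signatures made by keys they control themselves.
KEYSERVER = [
    Key("FP-APPLICANT-REAL", "Dana Applicant <dana@example.org>",
        frozenset({DD_ALICE, DD_BOB})),
    Key("FP-LOOKALIKE", "Dana Applicant <dana@example.org>",
        frozenset({"FP-UNKNOWN-1", "FP-UNKNOWN-2"})),
]

def keys_for_email(keyserver, email):
    """Return every key whose UID ends with <email>; may be more than one."""
    return [k for k in keyserver if k.uid.endswith(f"<{email}>")]

def signed_by_trusted(key, trusted, minimum=2):
    """True if at least `minimum` certifications come from the trusted set."""
    return len(key.signers & trusted) >= minimum

def lookup_by_email_only(keyserver, email):
    """Naive lookup: assumes the address names exactly one key."""
    matches = keys_for_email(keyserver, email)
    if len(matches) != 1:
        raise ValueError(f"{len(matches)} keys claim {email}; "
                         "an email address is not a key identifier")
    return matches[0].fingerprint

def lookup_with_trusted_signers(keyserver, email, trusted, minimum=2):
    """Accept a key only if certified by `minimum` known, trusted signers.

    Signature count alone is not enough: the lookalike key also carries two
    signatures, but from keys nobody in `trusted` has vouched for.
    """
    matches = [k for k in keys_for_email(keyserver, email)
               if signed_by_trusted(k, trusted, minimum)]
    if len(matches) != 1:
        raise ValueError(f"{len(matches)} keys for {email} meet the "
                         f"{minimum}-trusted-signature requirement")
    return matches[0].fingerprint

def count_signatures(key):
    """Raw signature count, regardless of who made them."""
    return len(key.signers)

if __name__ == "__main__":
    try:
        lookup_by_email_only(KEYSERVER, "dana@example.org")
    except ValueError as exc:
        print("email-only lookup:", exc)
    print("trusted-signer lookup:",
          lookup_with_trusted_signers(KEYSERVER, "dana@example.org", TRUSTED_SIGNERS))
```

The model deliberately leaves open what the trusted-signer check cannot decide: it only moves the question to whether the signers in `TRUSTED_SIGNERS` verified the applicant's identity before certifying the UID, which is exactly the ID-check step the thought experiment proposes to remove.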