Re: Why are in-person meetings required for the debian keyring?

2015-02-16 Thread Gunnar Wolf
Christian Kastner said [Thu, Feb 12, 2015 at 10:30:16PM +0100]:
> > In my opinion, exactly the same applies for someone you've met. I think
> > it's a lot easier to get a forged id than to establish a history of
> > valuable contributions.
> 
> Well, it depends. A forged passport[1], if one even knows where to get
> it, will cost you thousands of dollars or euros, and would furthermore
> constitute a serious criminal offense. I wouldn't call that easy.

Hundreds of dollars here (depending on the degree of
"forgedness"). Passports good enough for international travel. Why?
Let's say that... I just happen to know ;-)

That's one of the reasons I don't care too much for government-issued
IDs. That's why I didn't ask you to provide me with one. But at the
same time, that's the reason why I (who happen to be a terrible
physiognomist and often don't recognize people) cared enough to pay
attention to who is who, remember where we had lunch and what we
talked about, and can reasonably describe your face. Of course, that's
the reason I signed your key. That's also, however, why I didn't sign
some people's keys: If I don't recall enough details about a person to
satisfy my personal validation, I won't sign.

Of course, given the example Paul gave about Santa Claus: I *do* sign
based on pseudonyms. Of course, on well-established and
well-recognized pseudonyms. I don't know nor care about the real names
of several of the people I have cross-signed with.

> [1] A passport is the only form of identification some people were
> willing to accept from me. I myself have only accepted these save for a
> few exceptions, where I accepted a US driver's license but was otherwise
> certain of the person's identity.

When somebody asks for my govt-issued IDs, I take care to explain the
inconsistencies they usually have. Like my driving license having
"permanent" validity, or my voter ID card stating I'm 35 years old
(the previous one said I was 29 until I lost it in France; the
previous one, 20).


-- 
To UNSUBSCRIBE, email to debian-project-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/20150216180015.gh77...@gwolf.org



Re: Why are in-person meetings required for the debian keyring?

2015-02-15 Thread Christian Kastner
On 2015-02-15 11:55, Russell Stuart wrote:
> On Fri, 2015-02-13 at 15:14 +, Ian Jackson wrote:
>> There are organisations with plenty of money, who would perhaps like
>> to infiltrate us, but for whom risk of exposure is the biggest cost of
>> trying.
> 
> Which organisations would that be?
> 
> It is the NSA, who was caught red-handed installing gear in AT&T
> telephone exchanges to illegally spy on US citizens?  [0]

Just because no one went to prison does not mean there weren't consequences.

In this particular example, these and similar activities led to "HTTPS
Everywhere" and other encryption-by-default trends. I would expect this
to have a *dramatic* impact on the ability to collect intelligence.

> Back to my original point, the job we ask of GPG is to ensure the keys
> we admit to the keyring are owned by entity who has proved he is
> competent at maintaining packages and is compatible with Debian's social
> fabric.

I contest that. When signing a key, GPG asks me how closely I have
verified the identity of the person, and only that.

GPG and the WoT are used for far more than just Debian development.

> I can't imagine a better way of doing that then proof of work.

I can: proof of work AND identity verification. As we have now (via
advocacy and key signing).

Honestly, I get the feeling that this debate keeps getting framed as an
either/or question, and I don't understand why, when we already have both.

Nobody is advocating that we drop the proof-of-work requirement
(signatures alone do not a DD make). What's being debated is whether to
drop the identity verification requirement. A number of arguments have
been made for and against, but personally, I have found none of the
"for" arguments convincing in the slightest.

This is starting to feel like bike-shedding to me. For example, I
believe the current shortage of AMs [1] to be a far greater obstacle to
becoming a DD than the signature requirement. So let me ask this: who
exactly would benefit from dropping this requirement?

From a quick look, I'd say that all but a dozen DDs have 3 or more
signatures, so the 2-sig-minimum requirement apparently was not a
problem for most of them (and of the remaining dozen, about half are
keys at least a decade old).

DM's require only one DD signature, and whether new contributors require
a DD signature depends entirely on the package sponsor.

> But yes, everybody is absolutely right in saying it won't stop spy
> agencies.

That doesn't mean we have to make it easier for them.

I believe I have already contributed what I can to this thread, so I
will recuse myself.

Regards,
Christian

[1] https://lists.debian.org/debian-devel-announce/2015/02/msg1.html


-- 
Archive: https://lists.debian.org/54e0920c.40...@kvr.at



Re: Why are in-person meetings required for the debian keyring?

2015-02-15 Thread Russell Stuart
On Fri, 2015-02-13 at 15:14 +, Ian Jackson wrote:
> There are organisations with plenty of money, who would perhaps like
> to infiltrate us, but for whom risk of exposure is the biggest cost of
> trying.

Which organisations would that be?

Is it the NSA, who was caught red-handed installing gear in AT&T
telephone exchanges to illegally spy on US citizens?  [0]  (Was there
really a chance the presence of such gear wouldn't eventually become
public?)  Is it Australia's ASIO, who was caught red-handed having
flooded a government building in East Timor with listening devices? [1]
Or maybe it is Mossad, who were apparently so unconcerned by the risk of
exposure that their agents didn't bother wearing disguises when assassinating
Mahmoud Al-Mabhouh [2].

In the end, a little embarrassment aside, what is the effect of being
exposed trying to compromise Debian?  Because if there is nothing else,
imagining a small risk of embarrassment will stop them sounds almost
impossibly naive.   And to me the risk looks to be very small indeed.
All they need is a DD who is an employee of a loosely affiliated
organisation who can be trusted to keep his mouth shut.  You can be sure
they already will have some plausible reason ready if their activity
is discovered.  Maybe something along the lines of "oh yes, we gave him
a new laptop, but it appears the company we use to dispose of the old
ones didn't reformat the disks, despite it being in the contract".

In my mind there are only two possibilities.  One is the Debian keyring
isn't worth a spy agency's effort to infiltrate.  The other is they have
already done it.  (I don't have a clue which it is - second guessing the
decisions of a spy agency seems like mission impossible.)   Either way,
neither our current key signing procedures nor any of the replacements
discussed here will have any effect on the outcome, as they are ridiculously
weak against the resources of a nation state.

Fortunately they aren't our only defence, they are just the moat that
stops the unwashed rabble.  Our main defence against this sort of attack
is our transparency.  Everything we do, we do in public.  And everything
we have done is checked by that wonderful band of the truly paranoid we
occasionally have to tolerate on our mailing lists.  Anything nefarious
is going to be spotted, it's just a question of when.  This places a
limit on the lifetime of any compromise.  Unlike Australia's bugged
building, it won't go unnoticed for a decade.  This limits the value of
any compromise because it has to remain unnoticed until it gets into
stable and is then deployed by the target.

Back to my original point, the job we ask of GPG is to ensure the keys
we admit to the keyring are owned by an entity who has proved he is
competent at maintaining packages and is compatible with Debian's social
fabric.  I can't imagine a better way of doing that than proof of work.
But yes, everybody is absolutely right in saying it won't stop spy
agencies.




[0]  http://en.wikipedia.org/wiki/Room_641A

[1]  It's unlikely many outside of Australia will know what I'm referring
 to, so here is a short history lesson.  Australia paid for and built
 the said building, promoting it at the time as generous foreign aid
 to a neighbour in need.  What East Timor really needed, in fact
 desperately needed, was a source of foreign income.  That was a
 problem as East Timor is a new, tiny and very poor country, but
 nonetheless things looked hopeful because huge gas fields had been
 discovered in the East Timor sea.  Minor problem: they were in a
 dispute with Australia over a border running through the middle of
 the gas fields.  The East Timorese hired OECD professionals and
 held lengthy planning meetings for the ensuing negotiations
 over the border (mostly held in the building Australia had
 provided), but it appears despite their efforts the amazingly
 skilled Australian diplomats outfoxed them at every turn, as at the
 end of the process most of the gas fields were on the Australian
 side.  When Australia's shenanigans inevitably leaked, East
 Timor took it all the way to the World Court.  It's hard to
 overstate the embarrassment ASIO and their political
 masters had to endure at the time.  Still, they must have known the
 odds were high it would leak, and in the end Australia still has
 the gas fields.

 http://en.wikipedia.org/wiki/Australia%E2%80%93East_Timor_spying_scandal

[2]  http://en.wikipedia.org/wiki/Assassination_of_Mahmoud_Al-Mabhouh





Re: Why are in-person meetings required for the debian keyring?

2015-02-14 Thread Abou Al Montacir
Hi Ian and All,

On Fri, 2015-02-13 at 15:14 +, Ian Jackson wrote:
> Sending a warm body to turn up at a conference is much riskier.  Even
> if the person just turns up at the KSP, and engages in no small talk
> with anyone, their photo might be taken; they might be `made' by
> suspicious attendees; their (no doubt officially issued) alias
> documents might be scrutinised and recorded; and so on.
> 
> These are perhaps small risks, but a small risk of headlines like
> `spooks found covertly infiltrating Free Software project' is a big
> cost to those kind of people.

I think you can find many people who will meet someone for you with his
IC card for a few hundred €. You just identify that person, create a
mail with his name and start sending contributions. Then give him less
than 1k€ and ask him to meet someone at some DebConf and give him a
small paper. That person does not even know who you are and probably
does not even know much about Debian.

I don't talk about the French ID card, which anyone can change easily. As a DD
will not verify the integrity of the ID, I think your argument becomes
very light.

For me, mandating that people contribute at least 3 years with signed
mails/uploads is probably better than asking for a key signed by 2 DDs.

You can easily set up a DD rating tool, so that only keys above a certain
rate allow their holder to apply for DD status. This rating shall be
done by DDs only, based on their technical contributions.

That way you probably have a more secure process.

Cheers,
Abou Al Montacir,


-- 
Archive: https://lists.debian.org/1423910865.20958.46.ca...@sfr.fr



Re: Why are in-person meetings required for the debian keyring?

2015-02-13 Thread Russell Stuart
On Fri, 2015-02-13 at 16:16 -0800, Steve Langasek wrote:
> On Fri, Feb 13, 2015 at 09:19:29AM +1000, Russell Stuart wrote:
> > On Thu, 2015-02-12 at 10:57 -0800, Steve Langasek wrote:
> > > I'm surprised no one else has brought up this point yet: part of the 
> > > reason
> > > for using cryptographic PKI (web of trust; SSL CAs; etc) is to eliminate
> > > man-in-the-middle attacks.
> 
> > Ah, but you see that is one of the beauties of proof of work.  It is
> > almost immune to MITM attacks.
> 
> No, your so-called "proof of work" provides no protection at all against the
> MITM attack I outlined.

I don't understand, can you explain your reasoning to me?

Just so you understand my reasoning: a man in the middle requires a key
exchange to happen.  Usually just one, when the man sits in the middle.
This is what makes the scenario I proposed (the one you dismissed as a
nonsensical strawman) possible, even easy.  The attacker just has to
do it once, at a place, time and with people he chooses.  It's because he
gets to choose that the "weakest link" argument comes into play.  For
example, if he had to do it during a yearly keysigning session at DebConf
with a lot of other DDs watching on, then it becomes much harder.
Indeed many on the thread have made much of the fact that it would be
well nigh impossible.  They are right - it probably is, but they are
also wrong because the attacker gets to choose the time and place - not
them.  He won't choose the hard place to do it - he will choose the
easiest.

In contrast, proof of work is usually done over a long time, each signed
unit of work adding to the confidence level.  So there are many
exchanges.  Further, these happen in public, meaning Debian publishes
each unit.  Thus it is easy for the sender to verify there wasn't a man
in the middle when it was sent: he just verifies it's his  on the
published work.  Now it is true his checking can also be MITM'ed,
but it is well nigh impossible to pull off.  The attacker has to
intercept every incoming email, ftp and web download over the six or
twelve months the proof is being built up.

Proof of work has a nice side effect of shifting the workload involved
in defending against a MITM attack from Debian to the person trying to
enter the project.  In other words, you don't need a room full of DDs to
fly into one place during the year to prevent the MITM attacks, because
under proof of work the person trying to enter Debian does the checking.
The incentive to do the checking is strong because if he doesn't check,
it's possible someone else is taking credit for it - making all the
effort he put in worthless.

I'll summarise.  In the WoT and its variants, the MITM attacker does it
once, and gets to choose the time, the place and the people he must
fool.  Because there are so many possible combinations, inevitably in a
project such as Debian there will be combinations that are each easy to
exploit.  In proof of work the MITM attack must be repeated often, must
be successful every time, it happens over a period of months, the
place presumably varies a lot, and he doesn't get to choose who he will
fool - it must be the applicant, and the applicant is highly motivated
to prevent it.

If my reasoning has gone haywire somewhere I'd really appreciate someone
explaining it to me.




Re: Why are in-person meetings required for the debian keyring?

2015-02-13 Thread Steve Langasek
On Fri, Feb 13, 2015 at 09:19:29AM +1000, Russell Stuart wrote:
> On Thu, 2015-02-12 at 10:57 -0800, Steve Langasek wrote:
> > I'm surprised no one else has brought up this point yet: part of the reason
> > for using cryptographic PKI (web of trust; SSL CAs; etc) is to eliminate
> > man-in-the-middle attacks.

> Ah, but you see that is one of the beauties of proof of work.  It is
> almost immune to MITM attacks.

No, your so-called "proof of work" provides no protection at all against the
MITM attack I outlined.

> You are saying a personal meeting enhances security, so lets perform a
> thought experiment.  Lets remove the existing parts of system that are
> proof of work, and instead rely exclusively on the WoT.  To do that we
> will no longer insist people sign their application email.  Instead once
> they are accepted the Debian keyring maintainers pull the key associated
> with the email address off the key servers, and verify it is signed by two
> DD's - ie just use the WoT to authenticate the GPG key.

This is a nonsensical strawman that proves nothing about whether ID checks
improve the security of Debian's web of trust.  Understanding why it's
nonsensical is left as an exercise for the reader.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                 to set it on, and I can move the world.
Ubuntu Developer                 http://www.debian.org/
slanga...@ubuntu.com             vor...@debian.org




Re: Why are in-person meetings required for the debian keyring?

2015-02-13 Thread Christian Kastner
On 2015-02-11 20:17, Nikolaus Rath wrote:
> Following that argument, I think a key should be signed and included in
> the Debian keyring if it (the key) has a history of high quality
> contributions. Meeting the keyholder in person to look at his passport
> doesn't seem to add anything of particular value here. Why would I care
> under what name he has been contributing?

I think there is another flaw in here that hasn't been addressed yet:
the above system would enable any existing DD to clandestinely gain
another key in the keyring.

Say DD "Jekyll" wants a second key. He reduces his workload under his
original persona, and diverts all his efforts into a new persona "Hyde".
For him, the net contribution effort is zero (save for occasionally
having to ask for sponsorship under "Hyde"); he's spending exactly as
much time for Debian as he was before. After a year or two, without the
personal verification step, his new key is accepted into the keyring,
and he now has two keys, one of which cannot be linked back to him.

I assume that scenarios like the above (although almost absurdly
extreme) are the reason why nowadays at least two signatures are
required in order to be accepted as DD, whereas a few years ago, it was
only one (but in that case, the one signing DD and the advocating DD had
to be different). This is pure speculation, though. Corrections and
insights would be appreciated.

Regards,
Christian



-- 
Archive: https://lists.debian.org/54de57fb.20...@kvr.at
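As an added example (not code from the thread or from Debian's keyring tooling), the following Python check applies the admission rules discussed above to a key listing: at least two certifications from distinct keys in the DD keyring (the "2-sig minimum" Christian describes in his later message), with the advocating DD not among the signers (the older rule he recalls), which is exactly the check that blocks the Jekyll/Hyde case where the advocate certifies the persona he created himself. The listing, the DD keyring and the advocate mapping are constructed sample data in the shape of `gpg --with-colons --list-sigs` output; the field positions used (type, key id, user id, signature class) are my reading of GnuPG's DETAILS document and are an assumption of this example.

```python
from __future__ import annotations

# Constructed DD keyring: long key id -> DD name (placeholder values, not real keys).
DD_KEYRING = {
    "1111111111111111": "DD Alice",
    "2222222222222222": "DD Bob",
    "3333333333333333": "DD Jekyll",
}

# Constructed sample listing for two applicant keys, in gpg --with-colons shape.
# Key AAAA... is certified by two distinct DDs; key BBBB... ("Hyde") is certified
# only by DD Jekyll (who is also its advocate) and by a key that is not a DD.
SAMPLE_LISTING = """\
pub:-:4096:1:AAAAAAAAAAAAAAAA:1391000000::-:::scESC::::::23::0:
uid:-::::1391000000::HASH::Applicant One <one@example.org>::::::::::0:
sig:::1:AAAAAAAAAAAAAAAA:1391000000::::Applicant One <one@example.org>:13x:::::::::0:
sig:::1:1111111111111111:1423700000::::DD Alice <alice@example.org>:13x:::::::::0:
sig:::1:2222222222222222:1423800000::::DD Bob <bob@example.org>:12x:::::::::0:
pub:-:4096:1:BBBBBBBBBBBBBBBB:1392000000::-:::scESC::::::23::0:
uid:-::::1392000000::HASH::Mr Hyde <hyde@example.org>::::::::::0:
sig:::1:BBBBBBBBBBBBBBBB:1392000000::::Mr Hyde <hyde@example.org>:13x:::::::::0:
sig:::1:3333333333333333:1423900000::::DD Jekyll <jekyll@example.org>:13x:::::::::0:
sig:::1:9999999999999999:1423900000::::Random Person <rnd@example.org>:10x:::::::::0:
"""

MIN_DD_SIGS = 2  # the "2-sig minimum" from the thread

# Signature classes 0x10-0x13 are user-id certifications; everything else
# (subkey bindings, direct key signatures, revocations) is not a WoT signature.
CERTIFICATION_CLASSES = {"10", "11", "12", "13"}


def parse_sigs(listing: str) -> dict[str, set[str]]:
    """Map each pub key id in the listing to the set of key ids that certified it.

    Self-signatures are dropped: a key vouching for itself says nothing
    about who holds it.
    """
    sigs: dict[str, set[str]] = {}
    current = None
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            current = fields[4]          # assumption: field 5 is the key id
            sigs.setdefault(current, set())
        elif fields[0] == "sig" and current is not None:
            signer = fields[4]           # assumption: field 5 is the signer key id
            sigclass = fields[10]        # assumption: field 11 is the sig class, e.g. "13x"
            if sigclass[:2] not in CERTIFICATION_CLASSES or signer == current:
                continue
            sigs[current].add(signer)
    return sigs


def evaluate(signers: set[str], advocate: str) -> list[str]:
    """Return the rule violations for one applicant key (empty means admissible)."""
    problems = []
    # Only signatures from keys that are themselves in the DD keyring count.
    dd_signers = {s for s in signers if s in DD_KEYRING}
    if len(dd_signers) < MIN_DD_SIGS:
        problems.append(f"only {len(dd_signers)} DD signature(s), need {MIN_DD_SIGS}")
    # The advocate must be a DD other than the signers; otherwise one DD could
    # both advocate and certify a second persona of his own (the Jekyll/Hyde case).
    if advocate in dd_signers:
        problems.append(f"advocate {DD_KEYRING[advocate]} also signed the key")
    return problems


def check_listing(listing: str, advocates: dict[str, str]) -> dict[str, list[str]]:
    """Evaluate every applicant key in the listing; advocates maps key id -> advocate key id."""
    return {key: evaluate(signers, advocates.get(key, ""))
            for key, signers in parse_sigs(listing).items()}


if __name__ == "__main__":
    # Both applicants were advocated by DD Jekyll (constructed scenario).
    advocates = {"AAAAAAAAAAAAAAAA": "3333333333333333",
                 "BBBBBBBBBBBBBBBB": "3333333333333333"}
    for key, problems in check_listing(SAMPLE_LISTING, advocates).items():
        print(key, "OK" if not problems else "; ".join(problems))
```

Against a real keyring the listing would come from `gpg --with-colons --list-sigs` and DD_KEYRING from the published Debian keyring; the logic does not change.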



Re: Why are in-person meetings required for the debian keyring?

2015-02-13 Thread Christian Kastner
On 2015-02-13 13:38, Tollef Fog Heen wrote:
> There are certainly possible attacks here, but do we realistically think
> we're going to protect ourselves against a competent attacker willing to
> put 3-6-12 months of full-time effort into becoming a DD and getting
> access?

Probably not. But does that mean we shouldn't even try?

And competent attackers notwithstanding, I do believe that this is an
effective deterrent for somewhat less competent (yet still motivated)
ones. And then there is also the scenario that Ian pointed out.

Regards,
Christian


-- 
Archive: https://lists.debian.org/54de5422.1090...@kvr.at



Re: Why are in-person meetings required for the debian keyring?

2015-02-13 Thread Ian Jackson
Russ Allbery writes ("Re: Why are in-person meetings required for the debian keyring?"):
> I think the point is that so could the person who showed up at DebConf.
> Once you start postulating a sufficiently motivated attacker that they
> would be willing to take the time to establish a contribution track record
> and go through the NM process, showing up at DebConf with a forged ID is
> not increasing the difficulty of the attack by very much, nor is it
> increasing the risk by all that much.

There are organisations with plenty of money, who would perhaps like
to infiltrate us, but for whom risk of exposure is the biggest cost of
trying.

Establishing a track record of contributions from an email alias and
some computers is very easy for them.  Indeed already they do it
quite a lot, both overtly and covertly - cf what looks to some like
derailment (ie sabotage) of certain IETF WGs.

Sending a warm body to turn up at a conference is much riskier.  Even
if the person just turns up at the KSP, and engages in no small talk
with anyone, their photo might be taken; they might be `made' by
suspicious attendees; their (no doubt officially issued) alias
documents might be scrutinised and recorded; and so on.

These are perhaps small risks, but a small risk of headlines like
`spooks found covertly infiltrating Free Software project' is a big
cost to those kind of people.

Ian.


-- 
Archive: https://lists.debian.org/21726.5343.709720.588...@chiark.greenend.org.uk



Re: Why are in-person meetings required for the debian keyring?

2015-02-13 Thread MJ Ray
Sam Hartman wrote:
> However, I also thing it's desirable that we have some probability of
> being able to engage a legal process if we needed to.  [...]
> That's something we should not stand for, and being able to respond to
> that sort of thing in the legal system does have to do with a binding to
> a particular legal identity. [...]

The legal system in England is often willing to address people by any
name that they are commonly known by, besides the name on
government-issued identity papers.  Meanwhile, some parts of government
also accept common names, but others will only accept registered names,
and that's a bit of a mess.

Unless someone is recording the full information on the
government-issued identity papers (at least date and place of birth, but
maybe passport number, none of which is on most GPG keys), then it is
not an unambiguous binding and this reason doesn't seem very strong.

I've more sympathy with the example Phil Hands gave of stopping expelled
people sneaking back in under assumed names, but while it's difficult to
get government-issued ID in two names, it's not impossible, so maybe we
need a rogues gallery or similar for that?

Regards,
-- 
MJR/slef
My Opinion Only: see http://people.debian.org/~mjr/
Please follow http://www.uk.debian.org/MailingLists/#codeofconduct


-- 
Archive: https://lists.debian.org/54de0b9d.4010...@debian.org



Re: Why are in-person meetings required for the debian keyring?

2015-02-13 Thread Tollef Fog Heen
]] Russ Allbery 

> Christian Kastner  writes:
> 
> > And I maintain that those people cannot be trusted with unrestricted
> > upload rights to the archive. That person-noone-has-ever-met but
> > occasionally-prepares-and-uploads-packages could just be a well
> > motivated person (or a group of people -- who knows?) hoping to
> > eventually compromise a popular OS such as Debian, with zero risk of
> > personal consequences, or criminal prosecution.
> 
> I think the point is that so could the person who showed up at DebConf.
> Once you start postulating a sufficiently motivated attacker that they
> would be willing to take the time to establish a contribution track record
> and go through the NM process, showing up at DebConf with a forged ID is
> not increasing the difficulty of the attack by very much, nor is it
> increasing the risk by all that much.

And, some of us don't check ID for all keysignings.  If you are acting
as if you're $person for years and appear to be that person when I
interact with you (and talk about stuff we've worked on or whatever),
I'm quite likely to sign your key based on that: I would have verified
your identity against who you claim to be in Debian.

There are certainly possible attacks here, but do we realistically think
we're going to protect ourselves against a competent attacker willing to
put 3-6-12 months of full-time effort into becoming a DD and getting
access? I don't think we do, and if we did, we'd have no volunteers able
to get past the threshold.

-- 
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are


-- 
Archive: https://lists.debian.org/87mw4i6l64@xoog.err.no



Re: Why are in-person meetings required for the debian keyring?

2015-02-12 Thread Russell Stuart
On Thu, 2015-02-12 at 10:57 -0800, Steve Langasek wrote:
> I'm surprised no one else has brought up this point yet: part of the reason
> for using cryptographic PKI (web of trust; SSL CAs; etc) is to eliminate
> man-in-the-middle attacks.

Ah, but you see that is one of the beauties of proof of work.  It is
almost immune to MITM attacks.  That is why bitcoin can trust the
miners, even though it has no PKI it can use to recognise them.  The people
who exchange bitcoin then use the trust relationship bitcoin has built up
with the miners (represented as the block chain) as a form of PKI they
then use to authenticate each other.

All that aside, the underlying corollary of the points I made earlier is
personal meetings are a poor way of preventing MITM attacks.  We already
have a small proof of work system: the key that gets admitted to the
keyring must be the one that went through the DAM.  (It's not a lot, but
in reality it's probably the _only_ thing that actually does anything
for Debian's security.)  You are saying a personal meeting enhances
security, so let's perform a thought experiment.  Let's remove the
existing parts of the system that are proof of work, and instead rely
exclusively on the WoT.  To do that we will no longer insist people sign
their application email.  Instead, once they are accepted, the Debian
keyring maintainers pull the key associated with the email address off
the key servers, and verify it is signed by two DDs - ie just use the
WoT to authenticate the GPG key.

Now let's say I know a prospective DD who hasn't got around to creating a
GPG key for his debian email address (which isn't uncommon).  Since this
is a MITM attack, I MITM his email address.  Not easy, but since we are
defending against a MITM attack I am allowed to assume it occurred.  I
go to a foreign country that doesn't share my language so there is a
language barrier, present my forged documents and bingo, I have
control over what packages are uploaded to the archive.

The truly ironic part of this is it is the first MITM attack I've come
across that required a real, actual human, in the middle.




Re: Why are in-person meetings required for the debian keyring?

2015-02-12 Thread Christian Kastner
On 2015-02-12 22:49, Nikolaus Rath wrote:
> Christian Kastner  writes:
>> I of course agree with the first part, but I have to disagree with the
>> last sentence: I think it does increase the risk for the attacker.
>> Because even if the ID is fake, I still have seen a person, and a face,
>> I could describe. I could point out that person to others at next
>> DebConf.
> 
> I very much doubt that. During a typical keysigning party (at least
> those that I've seen or attended), you look at tens of faces within just
> a few minutes. Do you really think that you'd be able to recall and
> describe a particular face several months (or years) later, given only a
> name?

Good point. No, for some of the participants, I would not be able to do
that. But for most, I still can. After all, the keysigning party is not
the only place you interact with these same people. And perhaps of the
tens of participants, there are some who have a better memory for faces
than I do.

Nevertheless, showing up would still be a risk, and as much as one might
be able to game and reduce this risk, it would still be higher compared
to the risk faced without any personal interaction at all, which is zero.


-- 
Archive: https://lists.debian.org/54dd2e1e.4010...@kvr.at



Re: Why are in-person meetings required for the debian keyring?

2015-02-12 Thread Nikolaus Rath
Christian Kastner  writes:
> On 2015-02-12 21:11, Russ Allbery wrote:
>> Christian Kastner  writes:
>> 
>>> And I maintain that those people cannot be trusted with unrestricted
>>> upload rights to the archive. That person-noone-has-ever-met but
>>> occasionally-prepares-and-uploads-packages could just be a well
>>> motivated person (or a group of people -- who knows?) hoping to
>>> eventually compromise a popular OS such as Debian, with zero risk of
>>> personal consequences, or criminal prosecution.
>> 
>> I think the point is that so could the person who showed up at DebConf.
>> Once you start postulating a sufficiently motivated attacker that they
>> would be willing to take the time to establish a contribution track record
>> and go through the NM process, showing up at DebConf with a forged ID is
>> not increasing the difficulty of the attack by very much, nor is it
>> increasing the risk by all that much.
>
> I of course agree with the first part, but I have to disagree with the
> last sentence: I think it does increase the risk for the attacker.
> Because even if the ID is fake, I still have seen a person, and a face,
> I could describe. I could point out that person to others at next
> DebConf.

I very much doubt that. During a typical keysigning party (at least
those that I've seen or attended), you look at tens of faces within just
a few minutes. Do you really think that you'd be able to recall and
describe a particular face several months (or years) later, given only a
name?

Best,
-Nikolaus
-- 
GPG encrypted emails preferred. Key id: 0xD113FCAC3C4E599F
Fingerprint: ED31 791B 2C5C 1613 AF38 8B8A D113 FCAC 3C4E 599F

 »Time flies like an arrow, fruit flies like a Banana.«


-- 
Archive: https://lists.debian.org/878ug27qcs@thinkpad.rath.org



Re: Why are in-person meetings required for the debian keyring?

2015-02-12 Thread Christian Kastner
On 2015-02-12 22:30, Christian Kastner wrote:
> Then again, in the latter case, I find it hard to believe that someone
> so dedicated to Debian would not at some point run into a fellow Debian
> Developer would  cound verify the credentials

 would be able to

Sorry about that.



-- 
Archive: https://lists.debian.org/54dd1be7.9090...@kvr.at



Re: Why are in-person meetings required for the debian keyring?

2015-02-12 Thread Christian Kastner
On 2015-02-12 21:29, Nikolaus Rath wrote:
> In my opinion, exactly the same applies for someone you've met. I think
> it's a lot easier to get a forged id than to establish a history of
> valuable contributions.

Well, it depends. A forged passport[1], if one even knows where to get
it, will cost you thousands of dollars or euros, and would furthermore
constitute a serious criminal offense. I wouldn't call that easy.

But I definitely agree that establishing *valuable* contributions -- that
is, not just mere packaging, but improving some part of Debian
significantly -- is also not easy.

Then again, in the latter case, I find it hard to believe that someone
so dedicated to Debian would not at some point run into a fellow Debian
Developer who would be able to verify the credentials, perhaps at DebConf or any
other FOSS conference.

Regards,
Christian

[1] A passport is the only form of identification some people were
willing to accept from me. I myself have only accepted these save for a
few exceptions, where I accepted a US driver's license but was otherwise
certain of the person's identity.


Archive: https://lists.debian.org/54dd1b68.5080...@kvr.at



Re: Why are in-person meetings required for the debian keyring?

2015-02-12 Thread Nikolaus Rath
Nikolaus Rath  writes:
> I think that's a pretty weak argument. Even if you assume that a
> theoretical perpetrator originally joined Debian with good intentions
> (i.e., without using a faked id in the first place), and that you are
> actually able to sue in the relevant country, you'd still have a very
> hard time proving any malicious intention (the developer may just not
> have noticed the compromising code).

This seems like a good opportunity to point to
http://underhanded.xcott.com/ for some really great examples of how to
introduce a backdoor with plausible deniability.

Best,
-Nikolaus

Archive: https://lists.debian.org/87fvaa7txg@thinkpad.rath.org



Re: Why are in-person meetings required for the debian keyring?

2015-02-12 Thread Nikolaus Rath
Christian Kastner  writes:
> On 2015-02-12 18:20, Nikolaus Rath wrote:
>> Christian Kastner  writes:
>>> On 2015-02-11 20:17, Nikolaus Rath wrote:
>>>> In other words: just because I'm sure about someone's
>>>> legal name, I wouldn't trust him to run code on my computer. But if
>>>> someone has been contributing to Debian for 5 years with a specific GPG
>>>> key, I'd probably trust him to prepare a package no matter if the name
>>>> associated with the GPG key actually corresponds to some legal identity
>>>> or not.
>>>
>>> I highly disagree. "Contributing to Debian for 5 years" alone is well
>>> within the means and patience of various organizations with potentially
>>> malicious intentions.
>> 
>> Does that mean you're individually verifying the credentials of whatever
>> developer signed an upload before running dpkg -i?
>
> I don't have any packages installed via dpkg -i. I don't have a use
> case for that (is this common?) I install all my packages via apt-get
> or aptitude,

That's what I meant. I was assuming you'd have to use dpkg because you
don't automatically trust any Debian package (but now I realize you do,
just for different reasons).

> and I only use official mirrors, where the Release files are
> signed by an archive key, which is signed by DDs, whose identity I can
> rely on through the web of trust.

Ah, so you're saying you trust the Debian developers because their
identity has been verified. I didn't realize you highly disagreed with
my first sentence as well. It seems we have very different bases on
which to assign trust, but nothing wrong with that.

> And I maintain that those people cannot be trusted with unrestricted
> upload rights to the archive. That person-no-one-has-ever-met but
> occasionally-prepares-and-uploads-packages could just be a well
> motivated person (or a group of people -- who knows?) hoping to
> eventually compromise a popular OS such as Debian, with zero risk of
> personal consequences, or criminal prosecution.

In my opinion, exactly the same applies for someone you've met. I think
it's a lot easier to get a forged id than to establish a history of
valuable contributions.


Best,
-Nikolaus

Archive: https://lists.debian.org/87iof67u0t@thinkpad.rath.org



Re: Why are in-person meetings required for the debian keyring?

2015-02-12 Thread Christian Kastner
On 2015-02-12 21:11, Russ Allbery wrote:
> Christian Kastner  writes:
> 
>> And I maintain that those people cannot be trusted with unrestricted
>> upload rights to the archive. That person-no-one-has-ever-met but
>> occasionally-prepares-and-uploads-packages could just be a well
>> motivated person (or a group of people -- who knows?) hoping to
>> eventually compromise a popular OS such as Debian, with zero risk of
>> personal consequences, or criminal prosecution.
> 
> I think the point is that so could the person who showed up at DebConf.
> Once you start postulating a sufficiently motivated attacker that they
> would be willing to take the time to establish a contribution track record
> and go through the NM process, showing up at DebConf with a forged ID is
> not increasing the difficulty of the attack by very much, nor is it
> increasing the risk by all that much.

I of course agree with the first part, but I have to disagree with the
last sentence: I think it does increase the risk for the attacker.
Because even if the ID is fake, I still have seen a person, and a face,
I could describe. I could point out that person to others at the next
DebConf. I could describe the person to the authorities (faking IDs is a
criminal offense, and in the case of a compromise, many countries also
have cybersecurity laws). That puts the attacker at least at some risk.

I'm aware that attackers may exist who might not be deterred even by the
above, but to me, those are at the other end of the spectrum. I do
believe the current personal verification policy presents an effective
deterrent to more common types of attackers.

Regards,
Christian


Archive: https://lists.debian.org/54dd137d.6060...@kvr.at



Re: Why are in-person meetings required for the debian keyring?

2015-02-12 Thread Russ Allbery
Christian Kastner  writes:

> And I maintain that those people cannot be trusted with unrestricted
> upload rights to the archive. That person-no-one-has-ever-met but
> occasionally-prepares-and-uploads-packages could just be a well
> motivated person (or a group of people -- who knows?) hoping to
> eventually compromise a popular OS such as Debian, with zero risk of
> personal consequences, or criminal prosecution.

I think the point is that so could the person who showed up at DebConf.
Once you start postulating a sufficiently motivated attacker that they
would be willing to take the time to establish a contribution track record
and go through the NM process, showing up at DebConf with a forged ID is
not increasing the difficulty of the attack by very much, nor is it
increasing the risk by all that much.

-- 
Russ Allbery (r...@debian.org)   


Archive: https://lists.debian.org/87mw4iao0v@hope.eyrie.org



Re: Why are in-person meetings required for the debian keyring?

2015-02-12 Thread Nikolaus Rath
Steve Langasek  writes:
> On Wed, Feb 11, 2015 at 11:17:44AM -0800, Nikolaus Rath wrote:
>> I'm a little confused about the need to meet in-person to get a
>> signature that's acceptable for the Debian keyring.
>
>> I believe that Debian packages are signed on upload to ensure that they
>> have been prepared by a Debian Developer, because Debian Developers are
>> assumed to be trustworthy.
>
>> However, it seems to me that meeting someone in person isn't actually
>> verifying the relevant identity here. My trust in a Debian developer is
>> not based on him holding a particular legal name, it is in his history
>> of contributions. In other words: just because I'm sure about someone's
>> legal name, I wouldn't trust him to run code on my computer. But if
>> someone has been contributing to Debian for 5 years with a specific GPG
>> key, I'd probably trust him to prepare a package no matter if the name
>> associated with the GPG key actually corresponds to some legal identity
>> or not.
>
>> Following that argument, I think a key should be signed and included in
>> the Debian keyring if it (the key) has a history of high quality
>> contributions. Meeting the keyholder in person to look at his passport
>> doesn't seem to add anything of particular value here. Why would I care
>> under what name he has been contributing?
>
>> Am I missing something?
>
> I'm surprised no one else has brought up this point yet: part of the reason
> for using cryptographic PKI (web of trust; SSL CAs; etc) is to eliminate
> man-in-the-middle attacks.
>
> If you haven't met and exchanged keys in person, then how do you know that
> there isn't a man in the middle?
>
> I think recent revelations regarding the systematic compromising of the
> Internet by governments show that this isn't a tinfoil question.  It is
> conceivable that an attacker would be able to intercept all PGP-signed
> communications from a target, replacing all signatures with signatures by
> their own key and thereby creating an unwitting sleeper agent.

In that threat model, don't you have to assume that the attacker also has
means to get a forged id and could also intercept (and modify) the
arrangement of the in-person meeting (so that the key signers never meet
each other, but each meet with an attacker)?

Also, wouldn't the person being impersonated notice when his mailing
list messages aren't signed by his key?


You are right, requiring in-person-meetings does make it harder for an
attacker. But it seems to me that if an attacker is able to overcome the
defenses that exist without an in-person meeting, he isn't going to have
trouble dealing with an in-person meeting either. In other words, adding
the in-person meeting increases security, but doesn't actually exclude
any class of attackers that isn't already excluded.

Best,
-Nikolaus

Archive: https://lists.debian.org/87zj8jork3@thinkpad.rath.org



Re: Why are in-person meetings required for the debian keyring?

2015-02-12 Thread Christian Kastner
On 2015-02-12 18:20, Nikolaus Rath wrote:
> Christian Kastner  writes:
>> I highly disagree. "Contributing to Debian for 5 years" alone is well
>> within the means and patience of various organizations with potentially
>> malicious intentions.
> 
> Does that mean you're individually verifying the credentials of whatever
> developer signed an upload before running dpkg -i?

I don't have any packages installed via dpkg -i. I don't have a use case
for that (is this common?). I install all my packages via apt-get or
aptitude, and I only use official mirrors, where the Release files are
signed by an archive key, which is signed by DDs, whose identity I can
rely on through the web of trust.

I install all the stuff I don't trust on a Windows box (with the other
software I very rarely use, but occasionally need).

> I believe at the moment Debian doesn't even enforce any number or
> period of contributions, so I'm curious what it means for you in
> practice to generally not trust Debian developers.

Nonsense. I generally trust anyone whose key is in the keyring. Most
people in there have a multitude of signatures, so that increases my
confidence in their identity even more.

However, those are not the people you are talking about. The argument
you are raising is that people could be trustworthy even if they have
had *zero* personal identity verification.

And I maintain that those people cannot be trusted with unrestricted
upload rights to the archive. That person-no-one-has-ever-met but
occasionally-prepares-and-uploads-packages could just be a well
motivated person (or a group of people -- who knows?) hoping to
eventually compromise a popular OS such as Debian, with zero risk of
personal consequences, or criminal prosecution.

I know, from personal experience, that getting a key signed can be hard.
But I think it's not just an acceptable, but perfectly reasonable hurdle
to clear for the power that you are granted (via upload rights).

Regards,
Christian


Archive: https://lists.debian.org/54dd054b.9020...@kvr.at



Re: Why are in-person meetings required for the debian keyring?

2015-02-12 Thread Steve Langasek
On Wed, Feb 11, 2015 at 11:17:44AM -0800, Nikolaus Rath wrote:
> I'm a little confused about the need to meet in-person to get a
> signature that's acceptable for the Debian keyring.

> I believe that Debian packages are signed on upload to ensure that they
> have been prepared by a Debian Developer, because Debian Developers are
> assumed to be trustworthy.

> However, it seems to me that meeting someone in person isn't actually
> verifying the relevant identity here. My trust in a Debian developer is
> not based on him holding a particular legal name, it is in his history
> of contributions. In other words: just because I'm sure about someone's
> legal name, I wouldn't trust him to run code on my computer. But if
> someone has been contributing to Debian for 5 years with a specific GPG
> key, I'd probably trust him to prepare a package no matter if the name
> associated with the GPG key actually corresponds to some legal identity
> or not.

> Following that argument, I think a key should be signed and included in
> the Debian keyring if it (the key) has a history of high quality
> contributions. Meeting the keyholder in person to look at his passport
> doesn't seem to add anything of particular value here. Why would I care
> under what name he has been contributing?

> Am I missing something?

I'm surprised no one else has brought up this point yet: part of the reason
for using cryptographic PKI (web of trust; SSL CAs; etc) is to eliminate
man-in-the-middle attacks.

If you haven't met and exchanged keys in person, then how do you know that
there isn't a man in the middle?

I think recent revelations regarding the systematic compromising of the
Internet by governments show that this isn't a tinfoil question.  It is
conceivable that an attacker would be able to intercept all PGP-signed
communications from a target, replacing all signatures with signatures by
their own key and thereby creating an unwitting sleeper agent.

Given that you want direct exchange of fingerprints via an in-person meeting
anyway, the additional verification of a state-recognized identity is only
incrementally more inconvenient, and it does provide protection against
additional forms of attack on the project.  You may only care that the key
belongs to the person who has been doing the work; others of us also care
that we have some measure of protection against one of these people going
rogue and causing millions of dollars of damage to our users.

Debian is a high-stakes target.  Checking state-issued IDs isn't a perfect
guard against infiltration, but it seems to be the best we've come up with
so far.  People who complain about the value of ID checks never seem to
offer anything *better*, they only propose eliminating them and weakening
our standards.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                 to set it on, and I can move the world.
Ubuntu Developer                 http://www.debian.org/
slanga...@ubuntu.com             vor...@debian.org




Re: Why are in-person meetings required for the debian keyring?

2015-02-12 Thread Rhonda D'Vine
* Philip Hands  [2015-02-12 08:15:55 CET]:
> Russell Stuart  writes:
> > On Wed, 2015-02-11 at 11:17 -0800, Nikolaus Rath wrote:
> > If it is indeed trying to do that, it fails miserably.   A DD signing a
> > key doesn't imply he is saying he is worthy of (re)inclusion into
> > Debian, so nobody uses it as a criterion.  If some random noob comes up
> > to a DD with valid credentials and asks them to sign their key, it's
> > highly likely they will.  At major conferences this happens en masse at
> > key signing parties(!)
> 
> You've managed to spectacularly miss my point.
> 
> If one insists on face-to-face meetings, there is a moderate chance that
> someone is going to notice that the same person is attempting to create
> a new persona in order to gain a reentry that we'd refuse if they
> presented themselves as the persona which was ejected.

 How would that happen?  If I were ill intended, I definitely wouldn't
meet up with the people that I had face-to-face meetings with before, and
there are enough DDs to choose from to get my key signed.
How should someone notice me as the same person in that case?  I think
that reasoning is a bit flawed on that account.

 That said, I've signed keys that I haven't seen a valid ID for, and I
know a fair number of people that have signed my new key for which I
don't have a valid ID to present.  That still happened in
face-to-face meetings though.  The fingerprint is what was exchanged
face-to-face, and that to some degree guarantees that they do it of
their own will and don't have someone pressuring them to get the key signed.
To some degree of course, but people do behave differently when they are
forced to do something they wouldn't do otherwise.

 There's nothing foolproof obviously, and also there's no hard ruling on
that; people have to apply their own judgment in what they put their
trust in, and we (as in Debian) assume that we do that in the best of
our own interest and reasoning.

 So long,
Rhonda
-- 
Feel discouraged? Then finally take courage, go   |
Feel helpless? Go out and help, go                | Wir sind Helden
Feel powerless? Go out and act, go                | 23.55: Alles auf Anfang
Feel unmoored? Seek a foothold and let go         |


Archive: https://lists.debian.org/20150212182228.ga11...@anguilla.debian.or.at



Re: Why are in-person meetings required for the debian keyring?

2015-02-12 Thread Nikolaus Rath
Christian Kastner  writes:
> On 2015-02-11 20:17, Nikolaus Rath wrote:
>> In other words: just because I'm sure about someone's
>> legal name, I wouldn't trust him to run code on my computer. But if
>> someone has been contributing to Debian for 5 years with a specific GPG
>> key, I'd probably trust him to prepare a package no matter if the name
>> associated with the GPG key actually corresponds to some legal identity
>> or not.
>
> I highly disagree. "Contributing to Debian for 5 years" alone is well
> within the means and patience of various organizations with potentially
> malicious intentions.

Does that mean you're individually verifying the credentials of whatever
developer signed an upload before running dpkg -i? I believe at the
moment Debian doesn't even enforce any number or period of
contributions, so I'm curious what it means for you in practice to
generally not trust Debian developers.


Best,
-Nikolaus
Archive: https://lists.debian.org/87bnkzqc73@thinkpad.rath.org



Re: Why are in-person meetings required for the debian keyring?

2015-02-12 Thread Nikolaus Rath
Sam Hartman  writes:
>> "Nikolaus" == Nikolaus Rath  writes:
> Nikolaus> However, it seems to me that meeting someone in person
> Nikolaus> isn't actually verifying the relevant identity here. My
> Nikolaus> trust in a Debian developer is not based on him holding a
> Nikolaus> particular legal name, it is in his history of
> Nikolaus> contributions. In other words: just because I'm sure about
> Nikolaus> someone's legal name, I wouldn't trust him to run code on
> Nikolaus> my computer. But if someone has been contributing to
> Nikolaus> Debian for 5 years with a specific GPG key, I'd probably
> Nikolaus> trust him to prepare a package no matter if the name
> Nikolaus> associated with the GPG key actually corresponds to some
> Nikolaus> legal identity or not.
>
> There are lots of types of trust involved.
> I definitely think past contributions is part of it.
> However, I also think it's desirable that we have some probability of
> being able to engage a legal process if we needed to.  Imagine someone
> intentionally uploaded some compromised software to Debian with the
> purpose of harming our users/turning debian machines into bots/etc.

I think that's a pretty weak argument. Even if you assume that a
theoretical perpetrator originally joined Debian with good intentions
(i.e., without using a faked id in the first place), and that you are
actually able to sue in the relevant country, you'd still have a very
hard time proving any malicious intention (the developer may just not
have noticed the compromising code). And that's probably a good thing; I
certainly don't want to be legally responsible if some software I
packaged happens to have a security bug that allows someone to compromise
someone's system.


Best,
-Nikolaus

Archive: https://lists.debian.org/87k2znqcgy@thinkpad.rath.org



Re: Why are in-person meetings required for the debian keyring?

2015-02-12 Thread Nikolaus Rath
Russell Stuart  writes:
> On Thu, 2015-02-12 at 07:15 +, Philip Hands wrote:
>> You've managed to spectacularly miss my point.
>> 
>> If one insists on face-to-face meetings, there is a moderate chance that
>> someone is going to notice that the same person is attempting to create
>> a new persona in order to gain a reentry that we'd refuse if they
>> presented themselves as the persona which was ejected.
>> 
>> It's certainly not foolproof, but it's considerably better than simply
>> allowing people to run multiple personae in parallel from their
>> underground bunker.
>
> No, I think I understood your point.  I just wasn't persuaded by it.  If
> someone is expelled by Debian then tries to "sneak back in" by
> contributing for the year or two it takes to become a DD without any
> repetition of whatever behaviour got them kicked out in the first
> place, my guess is the project would be better off by letting them get
> away with it.
>
> Put another way - people can learn, and change.  If we bet on it and
> are wrong, then yes, we will have to kick them out again in a few years.
> But if the bet wins we get a contributor for a decade or two.  The trade
> off seems worth it to me.

Especially because even if the bet lost, Debian would still have gotten
a year or two of decent contributions out of it.


Best,
-Nikolaus

Archive: https://lists.debian.org/87egpvqcce@thinkpad.rath.org



Re: Why are in-person meetings required for the debian keyring?

2015-02-12 Thread Russell Stuart
On Thu, 2015-02-12 at 07:15 +, Philip Hands wrote:
> You've managed to spectacularly miss my point.
> 
> If one insists on face-to-face meetings, there is a moderate chance that
> someone is going to notice that the same person is attempting to create
> a new persona in order to gain a reentry that we'd refuse if they
> presented themselves as the persona which was ejected.
> 
> It's certainly not foolproof, but it's considerably better than simply
> allowing people to run multiple personae in parallel from their
> underground bunker.

No, I think I understood your point.  I just wasn't persuaded by it.  If
someone is expelled by Debian then tries to "sneak back in" by
contributing for the year or two it takes to become a DD without any
repetition of whatever behaviour got them kicked out in the first
place, my guess is the project would be better off by letting them get
away with it.

Put another way - people can learn, and change.  If we bet on it and
are wrong, then yes, we will have to kick them out again in a few years.
But if the bet wins we get a contributor for a decade or two.  The trade
off seems worth it to me.




Re: Why are in-person meetings required for the debian keyring?

2015-02-11 Thread Philip Hands
Russell Stuart  writes:

> On Wed, 2015-02-11 at 11:17 -0800, Nikolaus Rath wrote:
>> I'm a little confused about the need to meet in-person to get a
>> signature that's acceptable for the Debian keyring.
>> 
>> I believe that Debian packages are signed on upload to ensure that they
>> have been prepared by a Debian Developer, because Debian Developers are
>> assumed to be trustworthy.
>> 
>> However, it seems to me that meeting someone in person isn't actually
>> verifying the relevant identity here. My trust in a Debian developer is
>> not based on him holding a particular legal name, it is in his history
>> of contributions.
>
> I agree.  The problem is in the details.  How do you prove all those
> contributions came from that key?  Really the only way to prove it is to
> have that long history signed by the key that wants to become a DD.  The
> issue is very few people sign all their interactions with Debian -
> certainly not in the beginning.  Worse, there are people (and some
> current DDs) who strongly objected on this list to doing it.
>
> But yes, if it were available I agree it's far more secure than the
> procedures we have now, and I'd like to see Debian's procedure changed
> to treat such history with at least equal weight to getting your key
> signed by a DD.  The reason is that history is a "proof of work".  It's
> a well known and remarkably strong way of authenticating something.
> Currently the best known deployment of it is Bitcoin, which uses it as
> the foundation for block chain security.
>
> The weakness of the current method is shown by one of the responses
> given here:
>
> On Wed, 2015-02-11 at 20:36 +, Philip Hands wrote:
>> The thing it's trying to add is some assurance that, if it were
>> necessary to eject someone from the project for whatever reason, that
>> it is at least moderately hard for them to sneak back in under a
>> different name.
>
> If it is indeed trying to do that, it fails miserably.   A DD signing a
> key doesn't imply he is saying he is worthy of (re)inclusion into
> Debian, so nobody uses it as a criterion.  If some random noob comes up
> to a DD with valid credentials and asks them to sign their key, it's
> highly likely they will.  At major conferences this happens en masse at
> key signing parties(!)

You've managed to spectacularly miss my point.

If one insists on face-to-face meetings, there is a moderate chance that
someone is going to notice that the same person is attempting to create
a new persona in order to gain a reentry that we'd refuse if they
presented themselves as the persona which was ejected.

It's certainly not foolproof, but it's considerably better than simply
allowing people to run multiple personae in parallel from their
underground bunker.

Cheers, Phil.
-- 
|)|  Philip Hands  [+44 (0)20 8530 9560]  HANDS.COM Ltd.
|-|  http://www.hands.com/http://ftp.uk.debian.org/
|(|  Hugo-Klemm-Strasse 34,   21075 Hamburg,GERMANY



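The "history signed by the key" idea quoted above, as an added Go example that is not part of this thread or of any Debian tooling: a constructed history of contribution records is checked against the applicant's key, and records that were never signed, were signed by some other key, or were altered after signing are dropped rather than counted toward the track record. The record format, the ed25519 keys with fixed seeds, and the 5-records-over-one-year bar are all assumptions made for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"fmt"
	"time"
)

// Contribution is a constructed record of one interaction with the project
// (an upload, a patch, a bug report) carrying the signature of the key that
// claims authorship. Hypothetical format, not anything Debian actually uses.
type Contribution struct {
	Date    time.Time
	Summary string
	Signer  ed25519.PublicKey // key the record claims to come from
	Sig     []byte            // nil means the contribution was never signed
}

// payload is the canonical byte string that gets signed.
func (c Contribution) payload() []byte {
	return []byte(c.Date.UTC().Format(time.RFC3339) + "\n" + c.Summary)
}

// SignContribution produces a record signed by priv.
func SignContribution(priv ed25519.PrivateKey, date time.Time, summary string) Contribution {
	c := Contribution{Date: date, Summary: summary, Signer: priv.Public().(ed25519.PublicKey)}
	c.Sig = ed25519.Sign(priv, c.payload())
	return c
}

// HistoryReport is what a reviewer would look at instead of a passport.
type HistoryReport struct {
	Verified int       // records provably signed by the applicant key
	Rejected []string  // records that prove nothing about the applicant, with the reason
	First    time.Time // earliest verified record
	Last     time.Time // latest verified record
}

// VerifyHistory keeps only the records that the applicant key provably signed.
// Anything else may be genuine work, but it is not evidence for this key.
func VerifyHistory(applicant ed25519.PublicKey, history []Contribution) HistoryReport {
	var r HistoryReport
	for i, c := range history {
		switch {
		case c.Sig == nil:
			r.Rejected = append(r.Rejected, fmt.Sprintf("#%d: unsigned", i))
		case !bytes.Equal(c.Signer, applicant):
			r.Rejected = append(r.Rejected, fmt.Sprintf("#%d: signed by a different key", i))
		case !ed25519.Verify(applicant, c.payload(), c.Sig):
			r.Rejected = append(r.Rejected, fmt.Sprintf("#%d: signature does not verify (content altered?)", i))
		default:
			if r.Verified == 0 || c.Date.Before(r.First) {
				r.First = c.Date
			}
			if r.Verified == 0 || c.Date.After(r.Last) {
				r.Last = c.Date
			}
			r.Verified++
		}
	}
	return r
}

// MeetsBar applies a hypothetical admission threshold: at least minCount
// verified records spread over at least minSpan of elapsed time.
func MeetsBar(r HistoryReport, minCount int, minSpan time.Duration) bool {
	return r.Verified >= minCount && r.Last.Sub(r.First) >= minSpan
}

// SampleHistory builds the constructed history used for the demonstration.
func SampleHistory() (ed25519.PublicKey, []Contribution) {
	applicant := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x01}, ed25519.SeedSize)) // constructed seed
	impostor := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x02}, ed25519.SeedSize))  // constructed seed
	start := time.Date(2013, 1, 15, 0, 0, 0, 0, time.UTC)
	var hist []Contribution
	// Five uploads, one every six months, all signed by the applicant key.
	for i := 0; i < 5; i++ {
		hist = append(hist, SignContribution(applicant, start.AddDate(0, 6*i, 0), fmt.Sprintf("upload %d", i+1)))
	}
	// A record signed by another key: contributes nothing to the applicant's track record.
	hist = append(hist, SignContribution(impostor, start.AddDate(1, 0, 0), "patch claimed by someone else"))
	// Never signed: the early, unsigned interaction the thread says is common.
	hist = append(hist, Contribution{Date: start.AddDate(0, 1, 0), Summary: "first bug report"})
	// Signed, but the text was changed afterwards, so the signature no longer verifies.
	tampered := SignContribution(applicant, start.AddDate(2, 3, 0), "upload 6")
	tampered.Summary = "upload 6 (rewritten)"
	hist = append(hist, tampered)
	return applicant.Public().(ed25519.PublicKey), hist
}

func main() {
	pub, hist := SampleHistory()
	r := VerifyHistory(pub, hist)
	fmt.Printf("verified %d records from %s to %s\n", r.Verified,
		r.First.Format("2006-01-02"), r.Last.Format("2006-01-02"))
	for _, why := range r.Rejected {
		fmt.Println("rejected", why)
	}
	fmt.Println("meets 5 records over 1 year:", MeetsBar(r, 5, 365*24*time.Hour))
}
```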

Re: Why are in-person meetings required for the debian keyring?

2015-02-11 Thread Christian Kastner
On 2015-02-11 21:45, Paul Tagliamonte wrote:
> I agree with Philip (as usual), but it's also the standard that we hold
> ourselves to when signing someone's OpenPGP key -- I can't assert
> someone's identity matches without meeting them.

I think this is spot on. This identity match ties a unique key to a
certain individual, a person that you have met in the flesh. And adding
to the identity verification, there's also a form of accountability in
there, because if that person were to do something malicious within the
project, consequences could be imposed.

Having said that, "identity verification" does not necessarily mean
checking a government ID to me. You can claim to be Santa Claus for all
I care, but if I see you hold a talk in front of 100 people at DebConf
as "Santa Claus", with people I know and trust referring to you as
"Santa Claus", and other members which I know and trust confirming that
you have been visiting DebConf and other FOSS events as "Santa Claus"
for over a decade, I'll happily sign your key with a "Santa Claus" uid,
as I will believe that is your identity.

On 2015-02-11 20:17, Nikolaus Rath wrote:
> In other words: just because I'm sure about someone's
> legal name, I wouldn't trust him to run code on my computer. But if
> someone has been contributing to Debian for 5 years with a specific GPG
> key, I'd probably trust him to prepare a package no matter if the name
> associated with the GPG key actually corresponds to some legal identity
> or not.

I highly disagree. "Contributing to Debian for 5 years" alone is well
within the means and patience of various organizations with potentially
malicious intentions.


Archive: https://lists.debian.org/54dc0afb.8090...@kvr.at



Re: Why are in-person meetings required for the debian keyring?

2015-02-11 Thread Russell Stuart
On Wed, 2015-02-11 at 11:17 -0800, Nikolaus Rath wrote:
> I'm a little confused about the need to meet in-person to get a
> signature that's acceptable for the Debian keyring.
> 
> I believe that Debian packages are signed on upload to ensure that they
> have been prepared by a Debian Developer, because Debian Developers are
> assumed to be trustworthy.
> 
> However, it seems to me that meeting someone in person isn't actually
> verifying the relevant identity here. My trust in a Debian developer is
> not based on him holding a particular legal name, it is in his history
> of contributions.

I agree.  The problem is in the details.  How do you prove all those
contributions came from that key?  Really the only way to prove it is to
have that long history signed by the key that wants to become a DD.  The
issue is very few people sign all their interactions with Debian -
certainly not in the beginning.  Worse, there are people (and some
current DDs) who strongly objected on this list to doing it.

But yes, if it were available I agree it's far more secure than the
procedures we have now, and I'd like to see Debian's procedure changed
to treat such history with at least equal weight to getting your key
signed by a DD.  The reason is that history is a "proof of work".  It's
a well known and remarkably strong way of authenticating something.
Currently the best known deployment of it is Bitcoin, which uses it as
the foundation for block chain security.

The weakness of the current method is shown by one of the responses
given here:

On Wed, 2015-02-11 at 20:36 +, Philip Hands wrote:
> The thing it's trying to add is some assurance that, if it were
> necessary to eject someone from the project for whatever reason, that
> it is at least moderately hard for them to sneak back in under a
> different name.

If it is indeed trying to do that, it fails miserably.  A DD signing a
key doesn't imply he is saying he is worthy of (re)inclusion into
Debian, so nobody uses it as a criterion.  If some random noob comes up
to a DD with valid credentials and asks them to sign their key, it's
highly likely they will.  At major conferences this happens en masse at
key signing parties(!)

It fails in another aspect as well.  If a person has been ejected from
Debian, a "proof of work" system demands he does a lot of work before he
can get back in.  (In effect the real penalty that arose from being
rejected is abandoning all the work that got him into the project in the
first place.)  As it happens, I can't imagine a better demonstration of
the good faith Debian would need to re-admit him than building up
another year or two of history of healthy contributions and good
behaviour.  Other methods fail in comparison.

The WoT is in reality depressingly weak, weak to the point that Debian
could replace it with an automated key signing service and get a net gain
in security.  The key signing service would accept signed requests to sign
the GPG key that signed the request, and email the encrypted signature
back to the email address the signature belonged to.  (I've omitted a
lot of details of things you would need to make it really secure.)

This is stronger than what we have now because of two major issues.  A
signature from someone you don't know only tells you two things: they
checked the ID, and if they followed the rules the person who controls
the private key is the true owner of the email address.  But if I wanted
to get a "fake" ID signed it's simple enough - go to a foreign country.
They won't be familiar with your country's ID so you can provide them
with anything that looks suitably official.  Trust in the bond between
the email address and signature is destroyed when a person signing keys
does the "nice" thing and uploads the signature to the key servers,
something newbies do depressingly often.

This is not to say a WoT signature can't be strong.  It's hard to
imagine a better procedure than two people who know each other
physically meeting, exchanging fingerprints, signing keys there and then
and verifying their signature email arrives in the recipient's inbox
before they separate.  I think people defend the WoT imagining everyone
follows that procedure to the letter, just like they do.  Reality is
different, so you are reduced to trusting only signatures from people
who, bless them, you know to be a complete pain in the arse because
they are absolute sticklers for the rules.  The other signatures are
just noise.  Gpg does provide mechanisms to deal with it (the concept of
trust and its transitivity), but as anybody who has looked at the
keyring knows there is so much noise even the people who are aware of the
mechanism don't bother.

Unfortunately cryptography is as strong as the weakest link, and in the
WoT the weakest link is weaker than not having the key signed at all
because a signature that doesn't exist doesn't introduce noise.  Debian
tries to get around this by insisting your key is signed by somebody it
does "kn
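The "concept of trust and its transitivity" mentioned above is GnuPG's classic trust model: a certification only counts toward a key's validity if the signer is itself valid and the user has explicitly assigned it ownertrust, so signatures from keys nobody has rated as introducers contribute nothing, which is why they read as noise. The following is an added illustration of that computation, not code from the thread or from GnuPG. It is a simplified model that assumes gpg's default thresholds (one fully trusted or three marginally trusted introducers, a maximum certification depth of five) and omits expiry, revocation, per-user-ID validity and trust signatures; the key graph and key names are constructed.

```python
"""Simplified model of GnuPG's classic web-of-trust validity computation.

Added example, not from the thread or from GnuPG. Assumes gpg's default
thresholds (--completes-needed 1, --marginals-needed 3, --max-cert-depth 5)
and ignores expiry, revocation, per-user-ID validity and trust signatures.
"""

ULTIMATE, FULL, MARGINAL, UNKNOWN = "ultimate", "full", "marginal", "unknown"
NONE = "none"   # validity levels produced below: "full", "marginal", "none"


def compute_validity(signatures, ownertrust, *, completes_needed=1,
                     marginals_needed=3, max_depth=5):
    """Return {key: validity} for every key in the constructed graph.

    signatures: {key_id: set of key_ids that have certified (signed) it}
    ownertrust: {key_id: trust the user assigned to that key as an introducer};
                keys absent from the dict are treated as "unknown".
    """
    keys = (set(signatures)
            | {s for sigs in signatures.values() for s in sigs}
            | set(ownertrust))
    validity = {k: NONE for k in keys}

    # Depth 0: the user's own (ultimately trusted) keys are valid by definition.
    introducers = {k for k in keys if ownertrust.get(k) == ULTIMATE}
    for k in introducers:
        validity[k] = FULL

    for _depth in range(1, max_depth + 1):
        newly_full = set()
        for key in keys:
            if validity[key] == FULL:
                continue
            full_count = marginal_count = 0
            for signer in signatures.get(key, ()):
                # Self-signatures and signers the user never rated are noise:
                # they are skipped no matter how many of them there are.
                if signer == key or signer not in introducers:
                    continue
                trust = ownertrust.get(signer, UNKNOWN)
                if trust in (ULTIMATE, FULL):
                    full_count += 1
                elif trust == MARGINAL:
                    marginal_count += 1
            if full_count >= completes_needed or marginal_count >= marginals_needed:
                validity[key] = FULL
                newly_full.add(key)
            elif full_count or marginal_count:
                validity[key] = MARGINAL
        if not newly_full:
            break
        # Only fully valid keys that the user has also assigned ownertrust
        # can act as introducers at the next depth.
        introducers |= {k for k in newly_full
                        if ownertrust.get(k, UNKNOWN) in (ULTIMATE, FULL, MARGINAL)}
    return validity


# Constructed sample graph (hypothetical key names, not real keys).
SAMPLE_SIGNATURES = {
    "bob": {"alice"},
    "carol": {"bob"},
    "p1": {"alice"}, "p2": {"alice"}, "p3": {"alice"},
    "dave": {"p1", "p2", "p3"},            # valid signers, but never rated
    "m1": {"alice"}, "m2": {"alice"}, "m3": {"alice"},
    "frank": {"m1", "m2", "m3"},           # three marginal introducers
    "grace": {"m1", "m2"},                 # only two: marginal validity
    "stranger": {"x1", "x2", "x3", "x4", "x5"},  # many sigs, none reachable
}
SAMPLE_OWNERTRUST = {
    "alice": ULTIMATE,                     # the user's own key
    "bob": FULL,
    "m1": MARGINAL, "m2": MARGINAL, "m3": MARGINAL,
}

if __name__ == "__main__":
    for key, v in sorted(compute_validity(SAMPLE_SIGNATURES, SAMPLE_OWNERTRUST).items()):
        print(f"{key:9s} {v}")
```

In the sample, "dave" carries three signatures from keys that are themselves fully valid, yet his validity stays "none" because nobody assigned those signers ownertrust, while "stranger" has five signatures that never connect to the user's key at all. Lowering `max_depth` to 1 also drops "carol", whose only path runs through bob at depth 2, which is the transitivity limit the post alludes to.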

Re: Why are in-person meetings required for the debian keyring?

2015-02-11 Thread Sam Hartman
> "Nikolaus" == Nikolaus Rath  writes:


Nikolaus> However, it seems to me that meeting someone in person
Nikolaus> isn't actually verifying the relevant identity here. My
Nikolaus> trust in a Debian developer is not based on him holding a
Nikolaus> particular legal name, it is in his history of
Nikolaus> contributions. In other words: just because I'm sure about
Nikolaus> someone's legal name, I wouldn't trust him to run code on
Nikolaus> my computer. But if someone has been contributing to
Nikolaus> Debian for 5 years with a specific GPG key, I'd probably
Nikolaus> trust him to prepare a package no matter if the name
Nikolaus> associated with the GPG key actually corresponds to some
Nikolaus> legal identity or not.


There are lots of types of trust involved.
I definitely think past contributions are part of it.
However, I also think it's desirable that we have some probability of
being able to engage a legal process if we needed to.  Imagine someone
intentionally uploaded some compromised software to Debian with the
purpose of harming our users/turning debian machines into bots/etc.

That's something we should not stand for, and being able to respond to
that sort of thing in the legal system does have to do with a binding to
a particular legal identity.

An in-person meeting is neither necessary nor sufficient for that sort
of legal binding, but I suspect in a number of cases it would help
significantly.

--Sam


Archive: https://lists.debian.org/014b7a8b3b86-34c1547c-c3bb-4d4c-8241-c782ef02d3fd-000...@email.amazonses.com



Re: Why are in-person meetings required for the debian keyring?

2015-02-11 Thread Vincent Bernat
 ❦ 11 February 2015 11:17 -0800, Nikolaus Rath  :

> However, it seems to me that meeting someone in person isn't actually
> verifying the relevant identity here. My trust in a Debian developer is
> not based on him holding a particular legal name, it is in his history
> of contributions. In other words: just because I'm sure about someone's
> legal name, I wouldn't trust him to run code on my computer. But if
> someone has been contributing to Debian for 5 years with a specific GPG
> key, I'd probably trust him to prepare a package no matter if the name
> associated with the GPG key actually corresponds to some legal identity
> or not.

Some contributors are in the keyring under a pseudonym because of
valuable past contributions. See:
 https://lists.debian.org/debian-newmaint/2009/07/msg00044.html
-- 
Modularise.  Use subroutines.
- The Elements of Programming Style (Kernighan & Plauger)




Re: Why are in-person meetings required for the debian keyring?

2015-02-11 Thread Paul Tagliamonte
On Wed, Feb 11, 2015 at 08:36:54PM +, Philip Hands wrote:
> Nikolaus Rath  writes:
> ...
> > Following that argument, I think a key should be signed and included in
> > the Debian keyring if it (the key) has a history of high quality
> > contributions. Meeting the keyholder in person to look at his passport
> > doesn't seem to add anything of particular value here. Why would I care
> > under what name he has been contributing?
>
> The thing it's trying to add is some assurance that, if it were
> necessary to eject someone from the project for whatever reason, that it
> is at least moderately hard for them to sneak back in under a different
> name.

I agree with Philip (as usual), but it's also the standard that we hold
ourselves to when signing someone's OpenPGP key -- I can't assert
someone's identity matches without meeting them.

-- 
 .''`.  Paul Tagliamonte   |   Proud Debian Developer
: :'  : 4096R / 8F04 9AD8 2C92 066C 7352  D28A 7B58 5B30 807C 2A87
`. `'`  http://people.debian.org/~paultag
 `- http://people.debian.org/~paultag/conduct-statement.txt




Re: Why are in-person meetings required for the debian keyring?

2015-02-11 Thread Philip Hands
Nikolaus Rath  writes:
...
> Following that argument, I think a key should be signed and included in
> the Debian keyring if it (the key) has a history of high quality
> contributions. Meeting the keyholder in person to look at his passport
> doesn't seem to add anything of particular value here. Why would I care
> under what name he has been contributing?
>
> Am I missing something?

The thing it's trying to add is some assurance that, if it were
necessary to eject someone from the project for whatever reason, that it
is at least moderately hard for them to sneak back in under a different
name.

Cheers, Phil.
-- 
|)|  Philip Hands  [+44 (0)20 8530 9560]  HANDS.COM Ltd.
|-|  http://www.hands.com/http://ftp.uk.debian.org/
|(|  Hugo-Klemm-Strasse 34,   21075 Hamburg,GERMANY




Why are in-person meetings required for the debian keyring?

2015-02-11 Thread Nikolaus Rath
Hello,

I'm a little confused about the need to meet in-person to get a
signature that's acceptable for the Debian keyring.

I believe that Debian packages are signed on upload to ensure that they
have been prepared by a Debian Developer, because Debian Developers are
assumed to be trustworthy.

However, it seems to me that meeting someone in person isn't actually
verifying the relevant identity here. My trust in a Debian developer is
not based on him holding a particular legal name, it is in his history
of contributions. In other words: just because I'm sure about someone's
legal name, I wouldn't trust him to run code on my computer. But if
someone has been contributing to Debian for 5 years with a specific GPG
key, I'd probably trust him to prepare a package no matter if the name
associated with the GPG key actually corresponds to some legal identity
or not.

Following that argument, I think a key should be signed and included in
the Debian keyring if it (the key) has a history of high quality
contributions. Meeting the keyholder in person to look at his passport
doesn't seem to add anything of particular value here. Why would I care
under what name he has been contributing?

Am I missing something?

Disclaimer: I don't mind the requirement, I'm just curious why it's
there.

Best,
-Nikolaus
-- 
GPG encrypted emails preferred. Key id: 0xD113FCAC3C4E599F
Fingerprint: ED31 791B 2C5C 1613 AF38 8B8A D113 FCAC 3C4E 599F

 »Time flies like an arrow, fruit flies like a Banana.«


Archive: https://lists.debian.org/87r3twgsvb@thinkpad.rath.org