Scripsit Gunnar Wolf [EMAIL PROTECTED]
Henning Makholm dijo [Wed, May 31, 2006 at 04:10:51AM +0200]:
A KSP that depends on there being any pre-existing trust to abuse is
*completely worthless* as a KSP whether or not that trust is abused
or not.
Ummm... There is a certain metric of
Henning Makholm dijo [Wed, May 31, 2006 at 04:10:51AM +0200]:
Scripsit Javier Fernández-Sanguino Peña [EMAIL PROTECTED]
I do agree with Manoj that this was *not* a legitimate experiment (i.e.
not a red team test) and that Martin *did* abuse our [0] trust [1]
A KSP that depends on there
Manoj,
On Tue, May 30, 2006 at 09:52:11AM -0500, Manoj Srivastava wrote:
This is to forestall those of you who seem to be arguing
that the debconf6 KSP crack was a red team attack -- here is how that
attack differed from a legitimate red team effort (I have been a
member of red
Manoj Srivastava [EMAIL PROTECTED] writes:
This is to forestall those of you who seem to be arguing
that the debconf6 KSP crack was a red team attack -- here is how that
attack differed from a legitimate red team effort (I have been a
member of red teams before, and have led a
On Tue, May 30, 2006 at 09:28:19AM -0700, Thomas Bushnell BSG wrote:
Manoj Srivastava [EMAIL PROTECTED] writes:
This is to forestall those of you who seem to be arguing
that the debconf6 KSP crack was a red team attack -- here is how that
attack differed from a legitimate red
Javier Fernández-Sanguino Peña [EMAIL PROTECTED] writes:
Claiming that what Martin did was good since he was showing
something useful for our community is equivalent to saying it was a
red team attack. Nobody used that term explicitly probably because
they are unfamiliar with it. I know what
Javier Fernández-Sanguino Peña [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
Claiming that what Martin did was good since he was showing something
useful for our community is equivalent to saying it was a red team attack.
Nobody used that term explicitly probably because they
Joe Smith [EMAIL PROTECTED] writes:
So, if KSPs are not changed, then the Web of trust becomes
effectively worthless. Manoj should be far more concerned about
that, than about Martin's demonstration of this.
Personally, I'm especially worried about the developers who were taken
in by the
also sprach Javier Fernández-Sanguino Peña [EMAIL PROTECTED] [2006.05.30.1920 +0200]:
I do agree with Manoj that this was *not* a legitimate experiment (i.e.
not a red team test) and that Martin *did* abuse our [0] trust [1]
I acknowledge this and would like to apologise to everyone.
My
also sprach Thomas Bushnell BSG [EMAIL PROTECTED] [2006.05.30.2002 +0200]:
Personally, I'm especially worried about the developers who were
taken in by the Transnational Republic ID. So, can we have
a fess up time now? Manoj, did you sign the key on this basis?
He did not.
--
Please do not
On Tuesday 30 May 2006 10:40, Joe Smith wrote:
But Martin decided to publish this experiment.
Is this really a bad thing? He proved that KSP are bad for the web of
trust.
Isn't what Martin and this thread actually demonstrated is that signing keys
based on IDs you cannot reasonably
also sprach Paul Johnson [EMAIL PROTECTED] [2006.05.30.2120 +0200]:
Even the guy at 7-Eleven has the big book of North American ID cards with
pictures and descriptions of what makes a real one for when they encounter an
ID that they've never seen before. Surely Debian can do as well as the
On Tue, May 30, 2006 at 12:20:14PM -0700, Paul Johnson wrote:
Even the guy at 7-Eleven has the big book of North American ID cards with
pictures and descriptions of what makes a real one for when they encounter an
ID that they've never seen before. Surely Debian can do as well as the guy
On Tuesday 30 May 2006 13:02, Adam Borowski wrote:
On Tue, May 30, 2006 at 12:20:14PM -0700, Paul Johnson wrote:
Even the guy at 7-Eleven has the big book of North American ID cards with
pictures and descriptions of what makes a real one for when they
encounter an ID that they've never seen
Paul Johnson wrote:
See, if you visit a bazaar, I bet a helpful guy with a Russian accent
can sell you a perfectly valid passport for less than $50. Several
years ago, a friend of mine actually asked someone at the Stadion
10-lecia in Warsaw, and was led to a guy with a number of blank
This one time, at band camp, Paul Johnson said:
On Tuesday 30 May 2006 13:02, Adam Borowski wrote:
See, if you visit a bazaar, I bet a helpful guy with a Russian
accent can sell you a perfectly valid passport for less than $50.
Several years ago, a friend of mine actually asked someone at
On Tue, May 30, 2006 at 01:57:18PM -0700, Paul Johnson wrote:
On Tuesday 30 May 2006 13:02, Adam Borowski wrote:
See, if you visit a bazaar, I bet a helpful guy with a Russian accent
can sell you a perfectly valid passport for less than $50. Several
years ago, a friend of mine actually
On Tuesday 30 May 2006 14:26, Steve Langasek wrote:
On Tue, May 30, 2006 at 01:57:18PM -0700, Paul Johnson wrote:
On Tuesday 30 May 2006 13:02, Adam Borowski wrote:
See, if you visit a bazaar, I bet a helpful guy with a Russian accent
can sell you a perfectly valid passport for less than
On Tuesday 30 May 2006 14:15, Linas Žvirblis wrote:
Paul Johnson wrote:
See, if you visit a bazaar, I bet a helpful guy with a Russian accent
can sell you a perfectly valid passport for less than $50. Several
years ago, a friend of mine actually asked someone at the Stadion
10-lecia in
On Tue, May 30, 2006 at 10:32:15AM -0700, Thomas Bushnell BSG wrote:
I am actually quite ambivalent about whether I think what he did was
wrong; I think to determine that I would need to read carefully what
the KSP organizers said. Martin certainly should follow the protocols
established, but
On Tue, May 30, 2006 at 01:57:18PM -0700, Paul Johnson wrote:
On Tuesday 30 May 2006 13:02, Adam Borowski wrote:
On Tue, May 30, 2006 at 12:20:14PM -0700, Paul Johnson wrote:
Even the guy at 7-Eleven has the big book of North American ID cards with
pictures and descriptions of what makes
On Tue, May 30, 2006 at 01:40:39PM -0400, Joe Smith wrote:
Is this really a bad thing? He proved that KSP are bad for the web of trust.
A legitimate attacker could abuse the KSP just as easily as Martin, but
would result in actual damage, and would most likely not have been caught.
Ask
Javier Fernández-Sanguino Peña [EMAIL PROTECTED] wrote:
Is this really a bad thing? He proved that KSP are bad for the web of trust.
A legitimate attacker could abuse the KSP just as easily as Martin, but
would result in actual damage, and would most likely not have been caught.
Ask
On Tue, May 30, 2006 at 03:11:23PM -0700, Paul Johnson wrote:
On Tuesday 30 May 2006 14:26, Steve Langasek wrote:
On Tue, May 30, 2006 at 01:57:18PM -0700, Paul Johnson wrote:
On Tuesday 30 May 2006 13:02, Adam Borowski wrote:
See, if you visit a bazaar, I bet a helpful guy with a
On Tuesday 30 May 2006 16:02, Javier Fernández-Sanguino Peña wrote:
We are not talking about national security or public safety here, if Martin
wanted to prove that attacks against KSPs can happen he could have managed
his attack in an open way (as Manoj said contact management and get their
On Tue, 30 May 2006 15:09:25 -0700
Paul Johnson [EMAIL PROTECTED] wrote:
On Tuesday 30 May 2006 14:15, Linas Žvirblis wrote:
Paul Johnson wrote:
See, if you visit a bazaar, I bet a helpful guy with a Russian
accent can sell you a perfectly
Javier Fernández-Sanguino Peña [EMAIL PROTECTED] writes:
On Tue, May 30, 2006 at 10:32:15AM -0700, Thomas Bushnell BSG wrote:
I am actually quite ambivalent about whether I think what he did was
wrong; I think to determine that I would need to read carefully what
the KSP organizers said.
Scripsit Javier Fernández-Sanguino Peña [EMAIL PROTECTED]
I do agree with Manoj that this was *not* a legitimate experiment (i.e.
not a red team test) and that Martin *did* abuse our [0] trust [1]
A KSP that depends on there being any pre-existing trust to abuse is
*completely worthless* as a
28 matches