| 1 |
On Tuesday 06 August 2002 02:00 am, Ryan Phillips wrote: |
| 2 |
> On Mon, 5 Aug 2002 23:18:52 +0200 |
| 3 |
> |
| 4 |
> Lukas Beeler <lb-lists@××××××××××××.org> wrote: |
| 5 |
> > * Ryan Phillips <ryan.phillips@××××.edu>: |
| 6 |
> > > Not entirely the case... Daniel could call me, and since I trust |
| 7 |
> > > daniels PGP key I could have him sign a quote that I state over the |
| 8 |
> > > phone. |
| 9 |
> > |
| 10 |
> > And how exactly do you make sure, that you are talking to Daniel? |
| 11 |
> > You dont have a Passport, which officially states who he is, you |
| 12 |
> > cant compare the foto. Signing over a phone line is completely |
| 13 |
> > worthless, and destroys the web of trust. |
| 14 |
> |
| 15 |
> I'm guessing I would meet him at Linux World... |
| 16 |
|
| 17 |
Not only that, but you *can* verify someone is who they say they are over the |
| 18 |
phone, if you've spoken to them in the past and can recognize their voice. |
| 19 |
Now if you want to get into ultra-paranoid concerns about people synthesizing |
| 20 |
or mimicking someone elses voice than go right on ahead, but I would point |
| 21 |
out that it would be easier for a cracker to make a fake passport with his |
| 22 |
picture on it and claim the developer's identity in person, so even a face to |
| 23 |
face meeting isn't foolproof. |
| 24 |
|
| 25 |
The moral: if the CIA or the FBI are intent on 'cracking' gentoo, then they |
| 26 |
are probably going to succeed. However, it is extraordinarilly unlikely that |
| 27 |
they would have any reason or incentive to do so, and the deception will |
| 28 |
collaps anyway as soon as the real developer emerges or discovers things are |
| 29 |
being signed on his/her behalf. |
| 30 |
|
| 31 |
In a more general sense, there are two webs of trust that need to be |
| 32 |
addressed, separately. |
| 33 |
|
| 34 |
One is the web of trust between developers. Spider, drobbins, et. al. need to |
| 35 |
be able to be confident that things signed by each other and other developers |
| 36 |
are authentic. This web of trust should be built carefully, ideally by face |
| 37 |
to face meetings or a key-signing party, but snail mailing a hard copy of the |
| 38 |
public key fingerprint, and verifying the credentials over the phone once it |
| 39 |
arrives, is more than likely very sufficient. |
| 40 |
|
| 41 |
The other is the web of trust between the developers and the world at large. |
| 42 |
This can be a little looser, and should probably take the form of a public |
| 43 |
keyring of all the developers' public keys, downloadable from a separate |
| 44 |
server than the rsync and tarball mirrors are downloaded from, made available |
| 45 |
on several diverse, independent public key servers, and probably sold on |
| 46 |
CDROM for a nominal price for companies and organizations that want to be |
| 47 |
really, really certain they've got legitimate keys. |
| 48 |
|
| 49 |
Nothing is perfect, but this is a solid foundation for building up a good web |
| 50 |
of trust. Solid is really all we can ask for, and I would suggest it is a |
| 51 |
mistake to refrain from doing anything merely because perfection is |
| 52 |
impossible. In a world of billions, we can't ALL attend key signing parties |
| 53 |
and meet the people we correspond with face to face, just as we cannot verify |
| 54 |
every signature, on every letter we receive. This is no reason for people to |
| 55 |
start passing unsigned checks, however. |
| 56 |
|
| 57 |
Jean. |
Archives