lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Thu, 06 Oct 2011 11:58:22 -0400
From:	Jon Masters <jonathan@...masters.org>
To:	Valdis.Kletnieks@...edu
Cc:	Adrian Bunk <bunk@...sta.de>, "Frank Ch. Eigler" <fche@...hat.com>,
	"H. Peter Anvin" <hpa@...or.com>,
	"Rafael J. Wysocki" <rjw@...k.pl>,
	Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
	Greg KH <gregkh@...e.de>
Subject: Re: kernel.org status: establishing a PGP web of trust

On Tue, 2011-10-04 at 16:29 -0400, Valdis.Kletnieks@...edu wrote:
> On Mon, 03 Oct 2011 21:04:41 +0300, Adrian Bunk said:
> > On Mon, Oct 03, 2011 at 12:28:17PM -0400, Frank Ch. Eigler wrote:
> 
> > > What is the threat that this passport checking is intended to cure?
> > > That someone else might have been impersonating Rafael for years,
> > > sending patches, chatting in email and over the phone, and attending
> > > conferences?
> >
> > Key signing is an identity check.
> 
> That's dodging the issue. Somehow, I don't see Andrew Morton asking Linus to
> sign his key, and Linus saying "How do I know you're the *real* Andrew Morton?"
> And Andrew is a clever guy, if he was a fake Andrew, I'm sure he'd have gotten
> a fake ID that would be good enough to fool Linus, who is also a clever guy but
> I'm not aware of any special background he has in forgery detection. ;)

Exactly. This is why we really need to get over the stupidity of turning
up to keysigning parties and looking at passports from countries we've
never been to as if we could really even tell they weren't freshly
printed. I know I wouldn't know what a Russian passport is supposed to
look like, even though I've seen many apparently from that country.

What I'd like to see is "keysigning" parties where folks with well
established (in use) keys turn up and *prove* they own the key by
signing some information the other attendees provide. That way they can
not only say "hey, I'm dude X, trust me this is my fingerprint, here's a
photo ID" (which means nothing in the case of a well established online
identify that is trusted already), but they can say "hey, I have access
to this key, because I just signed that random message you gave me
interactively". Who cares who the heck they really are beyond that?
(intentionally a loaded statement to make the point).

Jon.


--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ