Re: Keysigning in times of COVID-19
On 2020-08-13 at 16:43 +0200, Pierre-Elliott Bécue wrote:
> > gpg has a `--ask-cert-expire` flag and a `--default-cert-expire`
> > option to that effect. Expired certification signatures will be
> > ignored when building the Web of Trust.
> >
> > Cheers
>
> This could work, but we'd have to handle the case when developers
> forget to set a signature as time-limited/don't follow this thread and
> never care to set it up.
>
> I'd rather avoid relying on signatures, than making the meaning of
> signature quite less tangible.

I don't see your point. We have a general standard of what to require for signing, and this thread started asking about weakening them due to the pandemic. Limiting the time the signature is valid is a time-limited way to do that. And it is a cryptographic one, which is a very nice feature.

I would like to have some common notation so that the standard used could be tracked, too.

If a developer is going to forget how to do a "weak value" signature, he should probably stick to the standards he has generally used, but anyway, if someone wanted to do a limited-time signature but forgot the parameter, he should do exactly the same as if he signed Eve's key while intending to sign Alice's: revoke the wrong signature and create a new one.

Regards

Ángel
Re: Potential Summary: Keysigning in times of COVID-19
On Thu, Aug 13, 2020 at 10:59:47PM +0200, Christian Kastner wrote:
> On 2020-08-13 21:03, Adam Borowski wrote:
> > I don't think someone could possibly be prosecuted for using a fake passport
> > to obtain a gpg signature.
> But even if it weren't a crime: Once the person waving the fake ID is
> caught, it's unlikely that we'd see that person ever again at future
> Debian events, as that would probably result in a call to law enforcement.

Someone planning mischief won't attend a big event.

> You can't change your own face (within reason), and exposing that face
> is a risk.
>
> You can easily discard an online persona and create a new one, though.

With ~1000 DDs, you can get 500 pairs of signatures without ever meeting the same person twice.

Meow!
--
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁
⢿⡄⠘⠷⠚⠋⠀ It's time to migrate your Imaginary Protocol from version 4i to 6i.
⠈⠳⣄
Re: Potential Summary: Keysigning in times of COVID-19
On 2020-08-13 21:03, Adam Borowski wrote:
> I don't think someone could possibly be prosecuted for using a fake passport
> to obtain a gpg signature.

In many (if not most) jurisdictions, using a fake government ID for any transaction whatsoever is a crime. It's not tied to monetary or any other gain. The deterrent is meant to be absolute. Otherwise it wouldn't be very effective.

But even if it weren't a crime: Once the person waving the fake ID is caught, it's unlikely that we'd see that person ever again at future Debian events, as that would probably result in a call to law enforcement.

You can't change your own face (within reason), and exposing that face is a risk.

You can easily discard an online persona and create a new one, though.
Re: Potential Summary: Keysigning in times of COVID-19
On Thu, Aug 13, 2020 at 09:03:00PM +0200, Adam Borowski wrote:
> On Thu, Aug 13, 2020 at 11:08:01PM +0530, Pirate Praveen wrote:
> > I think the point about fake identity documents is, it being a criminal
> > activity and makes one liable for prosecution. So it is not just about
> > immediate cost of getting a fake id, but there is high risk if you are caught.
> > Not all frauds get caught, but some do get caught and it probably serves as
> > a deterrent or it sufficiently sets the bar very high (I think 3 letter
> > agencies can still take the risk).
>
> I don't think someone could possibly be prosecuted for using a fake passport
> to obtain a gpg signature. Especially with the link between meeting a DD
> many months earlier and that criminal betrayal being so tenuous.

It's clearly fraudulent under at least UK law. I'm sure it would also be elsewhere. You might struggle to get police to pick up the *case*, but...

--
Steve McIntyre, Cambridge, UK.  st...@einval.com
< liw> everything I know about UK hotels I learned from "Fawlty Towers"
Re: Potential Summary: Keysigning in times of COVID-19
On 2020-08-13 at 17:57 +0200, Adam Borowski wrote:
> On Thu, Aug 13, 2020 at 02:59:59AM +0200, Ángel wrote:
> > as there would be an external motivation to do that which is financing
> > such activity. Please note that by 'company' I am not meaning just
> > business entities, but also three letter agencies, nation states,
> > malicious hacker groups, mafia...
> > Even ignoring the (likely) ability of such groups to get a passport
> > under a name different than the one given at birth to an individual,
> > it seems they would have little trouble to produce a new identity to
> > present to Debian. I assume they would probably only have a few people
> > on payroll with the required expertise tasked to infiltrate into the
> > project, *however* it would be very easy to let them assume online the
> > identity of any other employee (such as a non-technical receptionist),
> > which would be plenty if compared to the number of "ghosthacker
> > developers".
>
> I don't get where people get the feeling that producing a passport would
> require a TLA/nation state/organized crime/etc. You can get one for
> peanuts.
>
> I've been offered one once, and I inquired about the details -- for just
> ~$25 (100PLN) the guy claimed it's done on original booklet, etc. That's
> stuff for fooling actual government officials. No need to sacrifice that
> whole $25 to get a fake for Debian purposes, though -- no one among us can
> tell apart one booklet/card with a badly-made photo from another.
>
> Waving a passport or similar id offers laughable security.
>
>
> Meow.

Hi

Please note that my point was that any determined 'company' could get multiple identities signed, without even involving crafting new passports or identity cards, which of course would also be within their reach.

Would a TLA/nation state/organized crime/etc. be interested in being able to compromise Debian hosts? Sure. Amongst them, some would try hard for plausible deniability, while others directly don't care.

If the keysigning is expected to protect (to a certain point) against this, it's a scenario to take into account, uncomfortable as it is. It might be possible that there is a better solution for that that could be included, or that it is determined that the system is fallible yet we don't have anything better so far to use. It is thus important to define what is expected from this step of the process.

Best regards
Re: Potential Summary: Keysigning in times of COVID-19
On Thu, Aug 13, 2020 at 11:08:01PM +0530, Pirate Praveen wrote:
> I think the point about fake identity documents is, it being a criminal
> activity and makes one liable for prosecution. So it is not just about
> immediate cost of getting a fake id, but there is high risk if you are caught.
> Not all frauds get caught, but some do get caught and it probably serves as
> a deterrent or it sufficiently sets the bar very high (I think 3 letter
> agencies can still take the risk).

I don't think someone could possibly be prosecuted for using a fake passport to obtain a gpg signature. Especially with the link between meeting a DD many months earlier and that criminal betrayal being so tenuous.

Meow!
Re: Potential Summary: Keysigning in times of COVID-19
On Thu, Aug 13, 2020 at 17:57, Adam Borowski wrote:
> I don't get where people get the feeling that producing a passport would
> require a TLA/nation state/organized crime/etc. You can get one for
> peanuts.
>
> I've been offered one once, and I inquired about the details -- for just
> ~$25 (100PLN) the guy claimed it's done on original booklet, etc. That's
> stuff for fooling actual government officials. No need to sacrifice that
> whole $25 to get a fake for Debian purposes, though -- no one among us can
> tell apart one booklet/card with a badly-made photo from another.
>
> Waving a passport or similar id offers laughable security.

I think the point about fake identity documents is, it being a criminal activity and makes one liable for prosecution. So it is not just about immediate cost of getting a fake id, but there is high risk if you are caught. Not all frauds get caught, but some do get caught and it probably serves as a deterrent or it sufficiently sets the bar very high (I think 3 letter agencies can still take the risk).
Re: Potential Summary: Keysigning in times of COVID-19
On Thu, Aug 13, 2020 at 02:59:59AM +0200, Ángel wrote:
> as there would be an external motivation to do that which is financing
> such activity. Please note that by 'company' I am not meaning just
> business entities, but also three letter agencies, nation states,
> malicious hacker groups, mafia...
> Even ignoring the (likely) ability of such groups to get a passport
> under a name different than the one given at birth to an individual,
> it seems they would have little trouble to produce a new identity to
> present to Debian. I assume they would probably only have a few people
> on payroll with the required expertise tasked to infiltrate into the
> project, *however* it would be very easy to let them assume online the
> identity of any other employee (such as a non-technical receptionist),
> which would be plenty if compared to the number of "ghosthacker
> developers".

I don't get where people get the feeling that producing a passport would require a TLA/nation state/organized crime/etc. You can get one for peanuts.

I've been offered one once, and I inquired about the details -- for just ~$25 (100PLN) the guy claimed it's done on original booklet, etc. That's stuff for fooling actual government officials. No need to sacrifice that whole $25 to get a fake for Debian purposes, though -- no one among us can tell apart one booklet/card with a badly-made photo from another.

Waving a passport or similar id offers laughable security.

Meow.
Re: BSP Reimbursements
Hi Debianites

On 2019/10/02 16:43, Sam Hartman wrote:
> TL;DR: Do we want BSP organizers to take on the responsibility of
> batching together travel reimbursement requests.
>
> HI. A while back, I suspended the automatic approval of reimbursements
> for attending BSPs. You can still ask for approval for attending a
> BSP, you can't just send me a reimbursement request with no approval.
>
> We had a bit of discussion about how things ought to/might work here.
> Holger proposed that it would make more sense for the people running
> BSPs to batch approvals kind of like we do for sprints and
> mini-DebConfs.
>
> If we want to do things that way, no action is required on my part. I
> am very willing to approve such budgets, and even to amend such budgets
> if it looks like more people are coming. But I do actually want to see
> them ahead of time, just so I know what's going on.
>
> So, if we're generally happy with BSP organizers putting together a
> travel budget and handling who will get reimbursed, then I think the
> next step is to write up how to do that on the wiki.
> I'd appreciate it if someone would volunteer to do that.
> If you get text together, please drop treasu...@debian.org a note asking
> for review (that also reaches me).
>
> Asking BSP organizers to help with this is great from the DPL side.
> The only concern is if it pushes the effort involved in organizing a
> BSP up too much so people don't want to do it.
>
> If that ends up being the case I'm happy with some sort of automatic
> approval process for DDs attending BSPs (and easy approval for other
> contributors when that makes sense).
> But let's figure out if we want BSP organizers to handle this first.

Not sure exactly what bearing this email still has. As far as I understand it, this affected the policy of the DPL at the time based on current circumstances. It was not coded into any policy or in any procedures.

However, since some feel that the above is still in effect, let me take this opportunity to state that any implications that the above email had on reimbursement policy no longer has any effect whatsoever.

Having said that, I actually agree with Sam that we need better policies around this. Moray and myself are looking at rebooting a local team support/help/bootstrapping/admin/etc group, which may well be a delegation, and on top of that, might also take on some responsibilities for local team budgets and approving certain kinds of expenditures (like BSPs). If you're interested in helping shape that, and especially if you're active in a local team already, then please join our BoF session at DebConf20: https://debconf20.debconf.org/talks/50-local-teams/

-Jonathan, Debian Project Leader

--
⢀⣴⠾⠻⢶⣦⠀ Jonathan Carter (highvoltage)
⣾⠁⢠⠒⠀⣿⡁ https://wiki.debian.org/highvoltage
⢿⡄⠘⠷⠚⠋ https://debian.org | https://jonathancarter.org
⠈⠳⣄ Debian, the universal operating system.
Re: Keysigning in times of COVID-19
On Thursday, 13 August 2020 at 14:29:35 +0200, Guilhem Moulin wrote:
> Hi,
>
> On Thu, 13 Aug 2020 at 14:11:14 +0200, Pierre-Elliott Bécue wrote:
> > On Thursday, 13 August 2020 at 07:42:29 -0400, Sam Hartman wrote:
> >>> "Paul" == Paul Wise writes:
> >>
> >> Paul> On Wed, Aug 12, 2020 at 3:27 PM Pierre-Elliott Bécue wrote:
> >> >> I'd rather try to solve the issue in a more sensible way : lower
> >> >> the number of expected GPG signatures to 0 temporarily, and ask
> >> >> for two or three advocacies from DDs.
> >>
> >> Paul> This seems like the most natural solution to the problem of
> >> Paul> COVID mentioned thus far.
> >>
> >> How do you feel about the idea of short-term expirations on signatures
> >> proposed in the previous message on the list?
> >
> > Unless I missed a GPG capability, this seems kinda technically hard to
> > do.
>
> gpg has a `--ask-cert-expire` flag and a `--default-cert-expire` option
> to that effect. Expired certification signatures will be ignored when
> building the Web of Trust.
>
> Cheers

This could work, but we'd have to handle the case when developers forget to set a signature as time-limited/don't follow this thread and never care to set it up.

I'd rather avoid relying on signatures, than making the meaning of signature quite less tangible.

--
Pierre-Elliott Bécue
GPG: 9AE0 4D98 6400 E3B6 7528 F493 0D44 2664 1949 74E2
It's far easier to fight for one's principles than to live up to them.
Re: Keysigning in times of COVID-19
Hi,

On Thu, 13 Aug 2020 at 14:11:14 +0200, Pierre-Elliott Bécue wrote:
> On Thursday, 13 August 2020 at 07:42:29 -0400, Sam Hartman wrote:
>>> "Paul" == Paul Wise writes:
>>
>> Paul> On Wed, Aug 12, 2020 at 3:27 PM Pierre-Elliott Bécue wrote:
>> >> I'd rather try to solve the issue in a more sensible way : lower
>> >> the number of expected GPG signatures to 0 temporarily, and ask
>> >> for two or three advocacies from DDs.
>>
>> Paul> This seems like the most natural solution to the problem of
>> Paul> COVID mentioned thus far.
>>
>> How do you feel about the idea of short-term expirations on signatures
>> proposed in the previous message on the list?
>
> Unless I missed a GPG capability, this seems kinda technically hard to
> do.

gpg has a `--ask-cert-expire` flag and a `--default-cert-expire` option to that effect. Expired certification signatures will be ignored when building the Web of Trust.

Cheers
--
Guilhem.
Re: Keysigning in times of COVID-19
On Thursday, 13 August 2020 at 07:42:29 -0400, Sam Hartman wrote:
> > "Paul" == Paul Wise writes:
>
> Paul> On Wed, Aug 12, 2020 at 3:27 PM Pierre-Elliott Bécue wrote:
> >> I'd rather try to solve the issue in a more sensible way : lower
> >> the number of expected GPG signatures to 0 temporarily, and ask
> >> for two or three advocacies from DDs.
>
> Paul> This seems like the most natural solution to the problem of
> Paul> COVID mentioned thus far.
>
> How do you feel about the idea of short-term expirations on signatures
> proposed in the previous message on the list?

Unless I missed a GPG capability, this seems kinda technically hard to do.

--
Pierre-Elliott Bécue
GPG: 9AE0 4D98 6400 E3B6 7528 F493 0D44 2664 1949 74E2
It's far easier to fight for one's principles than to live up to them.
Re: Keysigning in times of COVID-19
On Thursday, 13 August 2020 at 03:36:11+, Paul Wise wrote:
> > This wouldn't solve the broader issue that can arise when one lives in a
> > place with no close DD and wants to become a DD themselves.
>
> Given the "problems" that are being discussed on another thread in
> another location, I think there is an obvious solution to solve both
> issues at the same time, once the COVID situation allows it.

Could you elaborate a bit on this part, I feel that I have missed something.

--
Pierre-Elliott Bécue
GPG: 9AE0 4D98 6400 E3B6 7528 F493 0D44 2664 1949 74E2
It's far easier to fight for one's principles than to live up to them.
Re: Keysigning in times of COVID-19
On Wednesday, August 12, 2020 11:36:11 PM Paul Wise wrote:
> Given the "problems" that are being discussed on another thread in
> another location, I think there is an obvious solution to solve both
> issues at the same time, once the COVID situation allows it.

??
Re: Keysigning in times of COVID-19
> "Paul" == Paul Wise writes:

Paul> On Wed, Aug 12, 2020 at 3:27 PM Pierre-Elliott Bécue wrote:
>> I'd rather try to solve the issue in a more sensible way : lower
>> the number of expected GPG signatures to 0 temporarily, and ask
>> for two or three advocacies from DDs.

Paul> This seems like the most natural solution to the problem of
Paul> COVID mentioned thus far.

How do you feel about the idea of short-term expirations on signatures proposed in the previous message on the list?
Re: Potential Summary: Keysigning in times of COVID-19
Thanks for the summary, Sam.

As an 'amicus' of the project, and interested in these topics, I wanted to provide my 2 cents.

First of all, you are not the only one with this situation. The issue arises from the vague meaning of a signature on a pgp key, and also appears on other venues when using a network of pgp signatures. Be that "the" WoT or an internal one of DD, as soon as you have many people acting as introducers, with slightly different criteria, it ends up with a somewhat diffuse meaning.

I do think it is important to define what are the objectives of the Developers PGP keys. Is it to ensure that the same online entity is responsible for all the uploads of that named individual? So that if there is some questionable action it can be traced back to the responsible individual? To make it hard to "game" the project? To have a single identifier?

On the topic of malicious activity, I should note that, while it is important that there is a cost of entry that would be "burned" by activities that went to undermine the project goal, and certainly a zero-cost approach would attract many trolls, it is not impossible for a determined attacker:

- A single determined individual might be able to get several identities by identifying through different DD, either under the same or different alias. I'd also not consider entirely true that "Each person only gets one real-world identity", but I don't think corner cases would be needed, when cleverly presenting itself through different introducers could probably get them in.

- A 'company' that had a specific interest to weaken Debian (perhaps so that its systems are easier to compromise, or because it competes with their own products), to the point of tasking a number of individuals to that end. This would probably be a bigger threat than the previous one as there would be an external motivation to do that which is financing such activity. Please note that by 'company' I am not meaning just business entities, but also three letter agencies, nation states, malicious hacker groups, mafia... Even ignoring the (likely) ability of such groups to get a passport under a name different than the one given at birth to an individual, it seems they would have little trouble to produce a new identity to present to Debian. I assume they would probably only have a few people on payroll with the required expertise tasked to infiltrate into the project, *however* it would be very easy to let them assume online the identity of any other employee (such as a non-technical receptionist), which would be plenty if compared to the number of "ghosthacker developers".

Finally, some technical points:

* PGP signatures can include notations. The main problem is that they are not standardized, but a number of them could be defined with the desired meanings: "I have checked a Government ID", "Online only", "Long time online interaction", "COVID-19", "Verified that the key owner has access to the associated email", "Group key".

* PGP signatures can include an expiration. It is often the case that it is set to the key expiration, but it would be possible to sign a key for only a few months (considering that after that time it will be possible to meet IRL again).

* The piece about matching them with a legal identity (the equivalent to verify a Passport) could be done through the Government eID, at least for those in the European Union (see eIDAS regulation). It may be possible to generalise it to other countries through ePassport. Probably "fun" to make it work (both the client and the verification part), but a PGP key cryptographically linked to the Government PKI would be more than a DD looking at a passport.

Best regards

Ángel
Re: Keysigning in times of COVID-19
On Wed, Aug 12, 2020 at 3:27 PM Pierre-Elliott Bécue wrote:
> I'd rather try to solve the issue in a more sensible way : lower the
> number of expected GPG signatures to 0 temporarily, and ask for two or
> three advocacies from DDs.

This seems like the most natural solution to the problem of COVID mentioned thus far.

> We'd lose a bit of ID verification security for the DM status, but we
> could regain this security when the DM applies to become a DD, as they'd
> have to reach out to other developers and get their key signed.

We could also ask them to get signatures once the COVID situation in their area allows them to do that.

> This wouldn't solve the broader issue that can arise when one lives in a
> place with no close DD and wants to become a DD themselves.

Given the "problems" that are being discussed on another thread in another location, I think there is an obvious solution to solve both issues at the same time, once the COVID situation allows it.

--
bye,
pabs

https://wiki.debian.org/PaulWise