Re: Potential Summary: Keysigning in times of COVID-19
Quoting Ángel (2020-08-14 22:57:32)
> On 2020-08-14 at 20:27 +0200, Jonas Smedegaard wrote:
> > Seems we are talking about several things here:
> >
> > a) trusting an identity _without_ relying on governmental proof
> >
> > b) proving an identity using fake governmental proof
> >
> > It is my understanding that a) is illegal and punishable in many
> > legal jurisdictions.
> >
> > It is my understanding that b) is currently tolerated in Debian but
> > only exceptionally, and we are currently discussing if we should
> > tolerate it more generally.
> >
> > I do believe that a) matters for Debian in discussing b), because
> > the risk of punishment is an expense, and the more expensive it is
> > to twist and bend rules the more likely those rules are followed and
> > can therefore be trusted.
>
> I think you meant to order them the opposite way...

Whoops, yeah. Thanks!

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
Re: Potential Summary: Keysigning in times of COVID-19
On 2020-08-14 at 20:27 +0200, Jonas Smedegaard wrote:
> Seems we are talking about several things here:
>
> a) trusting an identity _without_ relying on governmental proof
>
> b) proving an identity using fake governmental proof
>
> It is my understanding that a) is illegal and punishable in many legal
> jurisdictions.
>
> It is my understanding that b) is currently tolerated in Debian but only
> exceptionally, and we are currently discussing if we should tolerate it
> more generally.
>
> I do believe that a) matters for Debian in discussing b), because the
> risk of punishment is an expense, and the more expensive it is to twist
> and bend rules the more likely those rules are followed and can
> therefore be trusted.
>
>
>  - Jonas

I think you meant to order them the opposite way...
Re: Potential Summary: Keysigning in times of COVID-19
Quoting Adrian Bunk (2020-08-14 18:33:06)
> On Thu, Aug 13, 2020 at 09:23:58PM +0100, Steve McIntyre wrote:
> > On Thu, Aug 13, 2020 at 09:03:00PM +0200, Adam Borowski wrote:
> > >On Thu, Aug 13, 2020 at 11:08:01PM +0530, Pirate Praveen wrote:
> > >> I think the point about fake identity documents is, it being a
> > >> criminal activity and make one liable for prosecution. So it is
> > >> not just about immediate cost of getting a fake id, but there is
> > >> high risk if you are caught. Not all frauds get caught, but some
> > >> do get caught and it probably serves as a deterrent or it
> > >> sufficiently sets the bar very high (I think 3 letter agencies
> > >> can still take the risk).
> > >
> > >I don't think someone could possibly be prosecuted for using a fake
> > >passport to obtain a gpg signature. Especially with the link
> > >between meeting a DD many months earlier and that criminal betrayal
> > >being so tenuous.
> >
> > It's clearly fraudulent under at least UK law. I'm sure it would
> > also be elsewhere. You might struggle to get police to pick up the
> > *case*, but...
>
> This does not even matter when there are DDs who sign keys with fake
> names that are not printed on any (real or fake) government
> documents...

Seems we are talking about several things here:

a) trusting an identity _without_ relying on governmental proof

b) proving an identity using fake governmental proof

It is my understanding that a) is illegal and punishable in many legal
jurisdictions.

It is my understanding that b) is currently tolerated in Debian but only
exceptionally, and we are currently discussing if we should tolerate it
more generally.

I do believe that a) matters for Debian in discussing b), because the
risk of punishment is an expense, and the more expensive it is to twist
and bend rules the more likely those rules are followed and can
therefore be trusted.

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
Re: Potential Summary: Keysigning in times of COVID-19
On Thu, Aug 13, 2020 at 09:23:58PM +0100, Steve McIntyre wrote:
> On Thu, Aug 13, 2020 at 09:03:00PM +0200, Adam Borowski wrote:
> >On Thu, Aug 13, 2020 at 11:08:01PM +0530, Pirate Praveen wrote:
> >> I think the point about fake identity documents is, it being a criminal
> >> activity and make one liable for prosecution. So it is not just about
> >> immediate cost of getting a fake id, but there is high risk if you are
> >> caught.
> >> Not all frauds get caught, but some do get caught and it probably serves as
> >> a deterrent or it sufficiently sets the bar very high (I think 3 letter
> >> agencies can still take the risk).
> >
> >I don't think someone could possibly be prosecuted for using a fake passport
> >to obtain a gpg signature. Especially with the link between meeting a DD
> >many months earlier and that criminal betrayal being so tenuous.
>
> It's clearly fraudulent under at least UK law. I'm sure it would also
> be elsewhere. You might struggle to get police to pick up the *case*,
> but...

This does not even matter when there are DDs who sign keys with fake
names that are not printed on any (real or fake) government documents...

cu
Adrian
Re: Potential Summary: Keysigning in times of COVID-19
On Thu, Aug 13, 2020 at 10:59:47PM +0200, Christian Kastner wrote:
> On 2020-08-13 21:03, Adam Borowski wrote:
> > I don't think someone could possibly be prosecuted for using a fake passport
> > to obtain a gpg signature.
> But even if it weren't a crime: Once the person waving the fake ID is
> caught, it's unlikely that we'd see that person ever again at future
> Debian events, as that would probably result in a call to law enforcement.

Someone planning mischief won't attend a big event.

> You can't change your own face (within reason), and exposing that face
> is a risk.
>
> You can easily discard an online persona and create a new one, though.

With ~1000 DDs, you can get 500 pairs of signatures without ever meeting
the same person twice.

Meow!
-- 
⢀⣴⠾⠻⢶⣦⠀ 
⣾⠁⢠⠒⠀⣿⡁ 
⢿⡄⠘⠷⠚⠋⠀ It's time to migrate your Imaginary Protocol from version 4i to 6i.
⠈⠳⣄
Re: Potential Summary: Keysigning in times of COVID-19
On 2020-08-13 21:03, Adam Borowski wrote:
> I don't think someone could possibly be prosecuted for using a fake passport
> to obtain a gpg signature.

In many (if not most) jurisdictions, using a fake government ID for any
transaction whatsoever is a crime. It's not tied to monetary or any
other gain. The deterrent is meant to be absolute. Otherwise it
wouldn't be very effective.

But even if it weren't a crime: Once the person waving the fake ID is
caught, it's unlikely that we'd see that person ever again at future
Debian events, as that would probably result in a call to law
enforcement.

You can't change your own face (within reason), and exposing that face
is a risk.

You can easily discard an online persona and create a new one, though.
Re: Potential Summary: Keysigning in times of COVID-19
On Thu, Aug 13, 2020 at 09:03:00PM +0200, Adam Borowski wrote:
>On Thu, Aug 13, 2020 at 11:08:01PM +0530, Pirate Praveen wrote:
>> I think the point about fake identity documents is, it being a criminal
>> activity and make one liable for prosecution. So it is not just about
>> immediate cost of getting a fake id, but there is high risk if you are caught.
>> Not all frauds get caught, but some do get caught and it probably serves as
>> a deterrent or it sufficiently sets the bar very high (I think 3 letter
>> agencies can still take the risk).
>
>I don't think someone could possibly be prosecuted for using a fake passport
>to obtain a gpg signature. Especially with the link between meeting a DD
>many months earlier and that criminal betrayal being so tenuous.

It's clearly fraudulent under at least UK law. I'm sure it would also
be elsewhere. You might struggle to get police to pick up the *case*,
but...

-- 
Steve McIntyre, Cambridge, UK.                                st...@einval.com
< liw> everything I know about UK hotels I learned from "Fawlty Towers"
Re: Potential Summary: Keysigning in times of COVID-19
On 2020-08-13 at 17:57 +0200, Adam Borowski wrote:
> On Thu, Aug 13, 2020 at 02:59:59AM +0200, Ángel wrote:
> > as there would be an external motivation to do that which is financing
> > such activity. Please note that by 'company' I am not meaning just
> > business entities, but also three letter agencies, nation states,
> > malicious hacker groups, mafia...
> > Even ignoring the (likely) ability of such groups to get a passport
> > under a name different than the one given at birth to an individual,
> > it seems they would have little trouble to produce a new identity to
> > present to Debian. I assume they would probably only have a few people
> > on payroll with the required expertise tasked to infiltrate into the
> > project, *however* it would be very easy to let them assume online the
> > identity of any other employee (such as a non-technical receptionist),
> > which would be plenty if compared to the number of "ghosthacker
> > developers".
>
> I don't get where people get the feeling that producing a passport would
> require a TLA/nation state/organized crime/etc. You can get one for
> peanuts.
>
> I've been offered one once, and I inquired about the details -- for just
> ~$25 (100PLN) the guy claimed it's done on original booklet, etc. That's
> stuff for fooling actual government officials. No need to sacrifice that
> whole $25 to get a fake for Debian purposes, though -- no one among us can
> tell apart one booklet/card with a badly-made photo from another.
>
> Waving a passport or similar id offers laughable security.
>
>
> Meow.

Hi

Please note that my point was that any determined 'company' could get
multiple identities signed, without even involving crafting new
passports or identity cards, which of course would also be within their
reach.

Would a TLA/nation state/organized crime/etc. be interested in being
able to compromise Debian hosts? Sure. Amongst them, some would try
hard for plausible deniability, while others directly don't care.

If the keysigning is expected to protect (to a certain point) against
this, it's a scenario to take into account, uncomfortable as it is.

It might be possible that there is a better solution for that that
could be included, or that it is determined that the system is fallible
yet we don't have anything better so far to use.

It is thus important to define what is expected from this step of the
process.

Best regards
Re: Potential Summary: Keysigning in times of COVID-19
On Thu, Aug 13, 2020 at 11:08:01PM +0530, Pirate Praveen wrote:
> I think the point about fake identity documents is, it being a criminal
> activity and make one liable for prosecution. So it is not just about
> immediate cost of getting a fake id, but there is high risk if you are caught.
> Not all frauds get caught, but some do get caught and it probably serves as
> a deterrent or it sufficiently sets the bar very high (I think 3 letter
> agencies can still take the risk).

I don't think someone could possibly be prosecuted for using a fake passport
to obtain a gpg signature. Especially with the link between meeting a DD
many months earlier and that criminal betrayal being so tenuous.

Meow!
-- 
⢀⣴⠾⠻⢶⣦⠀ 
⣾⠁⢠⠒⠀⣿⡁ 
⢿⡄⠘⠷⠚⠋⠀ It's time to migrate your Imaginary Protocol from version 4i to 6i.
⠈⠳⣄
Re: Potential Summary: Keysigning in times of COVID-19
On Thu, Aug 13, 2020 at 17:57, Adam Borowski wrote:
> I don't get where people get the feeling that producing a passport would
> require a TLA/nation state/organized crime/etc. You can get one for
> peanuts.
>
> I've been offered one once, and I inquired about the details -- for just
> ~$25 (100PLN) the guy claimed it's done on original booklet, etc. That's
> stuff for fooling actual government officials. No need to sacrifice that
> whole $25 to get a fake for Debian purposes, though -- no one among us can
> tell apart one booklet/card with a badly-made photo from another.
>
> Waving a passport or similar id offers laughable security.

I think the point about fake identity documents is, it being a criminal
activity and make one liable for prosecution. So it is not just about
immediate cost of getting a fake id, but there is high risk if you are
caught.
Not all frauds get caught, but some do get caught and it probably serves as
a deterrent or it sufficiently sets the bar very high (I think 3 letter
agencies can still take the risk).
Re: Potential Summary: Keysigning in times of COVID-19
On Thu, Aug 13, 2020 at 02:59:59AM +0200, Ángel wrote:
> as there would be an external motivation to do that which is financing
> such activity. Please note that by 'company' I am not meaning just
> business entities, but also three letter agencies, nation states,
> malicious hacker groups, mafia...
> Even ignoring the (likely) ability of such groups to get a passport
> under a name different than the one given at birth to an individual,
> it seems they would have little trouble to produce a new identity to
> present to Debian. I assume they would probably only have a few people
> on payroll with the required expertise tasked to infiltrate into the
> project, *however* it would be very easy to let them assume online the
> identity of any other employee (such as a non-technical receptionist),
> which would be plenty if compared to the number of "ghosthacker
> developers".

I don't get where people get the feeling that producing a passport would
require a TLA/nation state/organized crime/etc. You can get one for
peanuts.

I've been offered one once, and I inquired about the details -- for just
~$25 (100PLN) the guy claimed it's done on original booklet, etc. That's
stuff for fooling actual government officials. No need to sacrifice that
whole $25 to get a fake for Debian purposes, though -- no one among us can
tell apart one booklet/card with a badly-made photo from another.

Waving a passport or similar id offers laughable security.


Meow.
-- 
⢀⣴⠾⠻⢶⣦⠀ 
⣾⠁⢠⠒⠀⣿⡁ 
⢿⡄⠘⠷⠚⠋⠀ It's time to migrate your Imaginary Protocol from version 4i to 6i.
⠈⠳⣄
Re: Potential Summary: Keysigning in times of COVID-19
Thanks for the summary, Sam.

As an 'amicus' of the project, and interested in these topics, I wanted
to provide my 2 cents.

First of all, you are not the only one with this situation. The issue
arises from the vague meaning of a signature on a pgp key, and also
appears on other venues when using a network of pgp signatures. Be that
"the" WoT or an internal one of DD, as soon as you have many people
acting as introducers, with slightly different criteria, it ends up
with a somewhat diffuse meaning.

I do think it is important to define what are the objectives of the
Developers PGP keys. Is it to ensure that the same online entity is
responsible for all the uploads of that named individual? So that if
there is some questionable action it can be traced back to the
responsible individual? To make it hard to "game" the project? To have
a single identifier?

On the topic of malicious activity, I should note that, while it is
important that there is a cost of entry that would be "burned" by
activities that went to undermine the project goal, and certainly a
zero-cost approach would attract many trolls, it is not impossible for
a determined attacker:

- A single determined individual might be able to get several
  identities by identifying through different DD, either under the same
  or different alias. I'd also not consider entirely true that "Each
  person only gets one real-world identity", but I don't think corner
  cases would be needed, when cleverly presenting itself through
  different introducers could probably get them in.

- A 'company' that had a specific interest to weaken Debian (perhaps so
  that its systems are easier to compromise, or because it competes
  with their own products), to the point of tasking a number of
  individuals to that end. This would probably be a bigger threat than
  the previous one as there would be an external motivation to do that
  which is financing such activity.
  Please note that by 'company' I am not meaning just business
  entities, but also three letter agencies, nation states, malicious
  hacker groups, mafia...
  Even ignoring the (likely) ability of such groups to get a passport
  under a name different than the one given at birth to an individual,
  it seems they would have little trouble to produce a new identity to
  present to Debian. I assume they would probably only have a few
  people on payroll with the required expertise tasked to infiltrate
  into the project, *however* it would be very easy to let them assume
  online the identity of any other employee (such as a non-technical
  receptionist), which would be plenty if compared to the number of
  "ghosthacker developers".

Finally, some technical points:

* PGP signatures can include notations. The main problem is that they
  are not standardized, but a number of them could be defined with the
  desired meanings "I have checked a Government ID", "Online only",
  "Long time online interaction", "COVID-19", "Verified that the key
  owner has access to the associated email", "Group key"

* PGP signatures can include an expiration. It is often the case that
  it is set to the key expiration, but it would be possible to sign a
  key for only a few months (considering that after that time it will
  be possible to meet IRL again).

* The piece about matching them with a legal identity (the equivalent
  to verify a Passport) could be done through the Government eID, at
  least for those in the European Union (see eIDAS regulation). It may
  be possible to generalise it to other countries through ePassport.
  Probably "fun" to make it work (both the client and the verification
  part), but a PGP key cryptographically linked to the Government PKI
  would be more than a DD looking at a passport.

Best regards

Ángel
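The two technical points in the message above, notations and an expiration on the certification itself, correspond to concrete subpackets in the hashed area of an OpenPGP signature (RFC 4880 section 5.2.3): type 2 (signature creation time), type 3 (signature expiration, stored as seconds relative to creation, where 0 means "never") and type 20 (notation data). The following is an added example and not code from the thread, from Debian or from GnuPG: it builds a hashed subpacket area with those three subpackets and parses it back, so a keyring policy tool can ask "is this certification still in force, and what did the signer claim to have checked?". The notation namespace "verification@example.org" and its values are assumptions for illustration; no such Debian or GnuPG convention exists. Only the subpacket area is produced, not a complete, verifiable signature packet.

```python
"""
Added example (not from the thread, Debian or GnuPG): encode and decode the
OpenPGP signature subpackets that carry a certification's creation time,
expiration and notation data (RFC 4880 sec. 5.2.3).

The notation namespace "verification@example.org" is an assumption made up
for this example; RFC 4880 only requires user-defined names to be of the
form name@domain.
"""
import struct
from dataclasses import dataclass, field
from typing import Dict, Optional

SUB_CREATION_TIME = 2    # 4-octet timestamp
SUB_SIG_EXPIRATION = 3   # 4-octet seconds after creation, 0 = never expires
SUB_NOTATION = 20        # 4 flag octets, 2-octet name len, 2-octet value len, name, value
NOTATION_HUMAN_READABLE = 0x80  # first flag octet (RFC 4880 sec. 5.2.3.16)


def _encode_length(n: int) -> bytes:
    """Subpacket length: 1 octet (<192), 2 octets (<16320) or 5 octets (RFC 4880 sec. 5.2.3.1)."""
    if n < 192:
        return bytes([n])
    if n < 16320:
        n -= 192
        return bytes([(n >> 8) + 192, n & 0xFF])
    return b"\xff" + struct.pack(">I", n)


def _decode_length(buf: bytes, pos: int):
    """Return (length, position of the subpacket type octet)."""
    first = buf[pos]
    if first < 192:
        return first, pos + 1
    if first < 255:
        return ((first - 192) << 8) + buf[pos + 1] + 192, pos + 2
    return struct.unpack(">I", buf[pos + 1:pos + 5])[0], pos + 5


def subpacket(sub_type: int, body: bytes) -> bytes:
    """The encoded length covers the type octet plus the body."""
    return _encode_length(len(body) + 1) + bytes([sub_type]) + body


def creation_time(ts: int) -> bytes:
    return subpacket(SUB_CREATION_TIME, struct.pack(">I", ts))


def expiration(seconds_after_creation: int) -> bytes:
    return subpacket(SUB_SIG_EXPIRATION, struct.pack(">I", seconds_after_creation))


def notation(name: str, value: str) -> bytes:
    """Human-readable notation; name must be name@domain for user-defined notations."""
    n, v = name.encode(), value.encode()
    body = bytes([NOTATION_HUMAN_READABLE, 0, 0, 0]) + struct.pack(">HH", len(n), len(v)) + n + v
    return subpacket(SUB_NOTATION, body)


@dataclass
class CertInfo:
    created: int
    expires: Optional[int]          # absolute timestamp, None when the signature never expires
    notations: Dict[str, str] = field(default_factory=dict)


def parse_hashed_area(area: bytes) -> CertInfo:
    """Walk the hashed subpacket area and extract creation time, expiration and notations."""
    pos, created, exp_delta, notes = 0, None, None, {}
    while pos < len(area):
        length, pos = _decode_length(area, pos)
        sub_type = area[pos] & 0x7F            # bit 7 is the "critical" flag, not part of the type
        body = area[pos + 1:pos + length]
        pos += length
        if sub_type == SUB_CREATION_TIME:
            created = struct.unpack(">I", body)[0]
        elif sub_type == SUB_SIG_EXPIRATION:
            exp_delta = struct.unpack(">I", body)[0]
        elif sub_type == SUB_NOTATION:
            name_len, value_len = struct.unpack(">HH", body[4:8])
            name = body[8:8 + name_len].decode()
            notes[name] = body[8 + name_len:8 + name_len + value_len].decode()
    if created is None:
        raise ValueError("signature has no creation time subpacket")
    expires = None if not exp_delta else created + exp_delta
    return CertInfo(created, expires, notes)


def certification_is_valid(info: CertInfo, now: int) -> bool:
    """An expired certification should carry no weight when computing trust."""
    return info.expires is None or now < info.expires


if __name__ == "__main__":
    # Constructed sample: a certification made 2020-08-14, valid for 180 days,
    # annotated with the (hypothetical) verification method used.
    signed_at = 1597363200
    area = creation_time(signed_at) + expiration(180 * 86400) + \
        notation("verification@example.org", "video-call")
    info = parse_hashed_area(area)
    print(info, certification_is_valid(info, signed_at + 200 * 86400))
```

With GnuPG itself the same fields are set at signing time rather than by hand, e.g. `gpg --cert-notation 'verification@example.org=video-call' --default-cert-expire 6m --sign-key <fingerprint>`, and shown again with `gpg --list-options show-notations --check-sigs <fingerprint>`; the notation name there is the same hypothetical one used in the example. The value of the expiration is that a "COVID-19 video call" certification can be made to lapse on its own once in-person verification is possible again, instead of living as long as the key does.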
Re: Potential Summary: Keysigning in times of COVID-19
Quoting Sam Hartman (2020-08-12 13:59:07)
> Enrico, I find that the sorts of discussions that you've started are
> more valuable if someone goes back later and tries to summarize what
> we've learned.
> So I'm going to take a stab at that.

Thanks, Sam - I find such summary quite helpful!

...even for a thread that I _did_ follow closely, in a calm setting¹

Amazing if someone should feel like doing this kind of summary for
other threads as well.

 - Jonas

¹ Something on Orø, Denmark slows down time to a pleasant pace - you
  are all very welcome to come experience it, virtually or in person!

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
Re: Potential Summary: Keysigning in times of COVID-19
Enrico, I find that the sorts of discussions that you've started are
more valuable if someone goes back later and tries to summarize what
we've learned.
So I'm going to take a stab at that.

I don't think we were seeking a consensus, and we didn't find one.
What we did find is a number of approaches that seem to have sufficient
support. If one of those works for you as a person contemplating
signing a key, my take is that you should go for it.

We received a number of different suggestions:

* We could look at adopting some sort of more formal web of
  trust--sometimes permitting non-DD signatures to count toward trust in
  our key ring [Roberto C. Sánchez]

* There was a fair bit of discussion about video meetings. In general
  many people seemed to believe that these could be adequate. The
  counter argument is that it is difficult/impossible to explore the
  security features of government ID over such a meeting. Several
  people pointed out that most of us don't know how to test those
  security features anyway. I'd say that video meetings seem to have
  sufficient support that if you as an individual feel that meets your
  signing policy, go for it.

* We had several people asking what value a government ID gives to us
  and suggesting that perhaps signing a long-established identity with
  a proven track record of work is acceptable.

* Jonas provided a concrete suggestion for a rule that can apply in
  Covid although it does mean spending far more time interacting with
  people than someone who is anxious to get their key signed might
  want:

  >A rule that I try to apply for my key-signing, and which I think ties
  >into your interesting reflections here, is that I will sign the key of
  >someone whom I feel I would be able to recognize if randomly bumping
  >into them years later on a bus.

  >It forces me to try pay attention to the person for long enough that
  >they make a (hopefully) lasting impression on me. Often I suggest that
  >we sit for a moment and they tell something about themselves. Not an
  >interview or a test, just as an aid in etching an impression. Sometimes
  >we end up hanging out for longer than "needed". Sometimes the
  >atmosphere is too hectic and we cannot find the calm to tune in - and
  >then delay the "session".

* Several people questioned whether government issued IDs are helpful.

* We've had parts of this discussion before; see
  https://lists.debian.org/debian-project/2015/02/msg00017.html

* Didier proposed another concrete rule that can work in the current
  times:

  >The line I try to stick with is "crowd knowledge": is this person I'm about to
  >sign the key of "known" as the name they claim to carry? Does their key "name"
  >correspond to one or some of the names they go by? In recent times (during
  >which physical encounters were still a possibility), I have actually asked
  >someone else around "can you tell me the name of this person I'm about to sign
  >the key of?" I have also often had a very small chit-chat: "what do you do in
  >Debian / free software?", "what brought you here?". It's not an interview per
  >se, but answers still matter.

* Jonas pointed out that competence is different from authenticity. It
  is explicitly important that people be represented by a single
  identifier.

* I expanded on that. We want to make it expensive for someone to build
  up an identifier with reputation and to risk that reputation by
  attacking Debian's integrity. That is, people spending a year to
  build trust and then burning that to get malicious artifacts into
  Debian is an attack I think we should care about. Binding identity
  back to a real world identity is one way to make this much more
  expensive. Each person only gets one real-world identity. If checking
  government IDs helps with that, then doing so can be useful. I point
  out that Jonas's rule is another way to accomplish the same.

* Adrian Bunk indicated he thought that checking government IDs was an
  explicit requirement of all our key signings. It's clear from the
  discussion that's not the case. He then asked what the value was at
  all if there is not a single consistent approach. We kind of left him
  hanging without an answer.

* Olek Wojnar and Jonathan McDowell proposed reframing the discussion
  in terms of our approach to identity verification rather than in
  terms of key signing policy.