[clug] request for comment: new keysigning protocol

Steve McInerney steve at stedee.id.au
Wed Feb 10 23:42:24 MST 2010


On Thu, 2010-02-11 at 16:43 +1100, Alex Satrapa wrote:
> On 11/02/2010, at 16:19 , Steve McInerney wrote:
> 
> > My 2c is that these processes are just as much security theatre as
> > having to take your shoes off at an airport check.
> 
> Well, the process does ensure that you have signed a key based on seeing someone carrying that key signature and an ID card that has the same name as the person who claims to own that key :)

Perhaps, or rather: which proves what exactly? :-)
Again, look at vetting as an example. Part of the checks are to test
that you're not a dead person; but there is *soooo* much more than that
elementary test.

Regardless, the process is invalidated - at best reducing - as soon as
they leave your sight. You have approximately zero guarantees the key
remains under their control; if indeed the key was ever under their
control.

Excessively focusing on but one part of a very complex web of trusts to
the exclusion of others? That's theatre.

Or to re-describe by way of example:
I was banned from updating the daily crypto key change on GFE's at a
previous job - didn't have the appropriate special clearance. Fair
enough, them's the rules.
That I had 24x7 physical & root access to *all* the servers/workstations
(and GFE's...) on either side of the link in question seemed to escape
this rules situation.
i.e. The crypto was irrelevant if I turned rogue. The harshest rules
being applied were focused on completely the wrong problem.


These key exchange events apply exactly the same illogic.


That doesn't make the process useless; but let's not get carried away
with their value either.


http://xkcd.com/538/
Says it all really.... :-)


Cheers!
- Steve



