[clug] request for comment: new keysigning protocol

Steve McInerney steve at stedee.id.au
Wed Feb 10 23:42:24 MST 2010

On Thu, 2010-02-11 at 16:43 +1100, Alex Satrapa wrote:
> On 11/02/2010, at 16:19 , Steve McInerney wrote:
> > My 2c is that these processes are just as much security theatre as
> > having to take your shoes off at an airport check.
> Well, the process does ensure that you have signed a key based on seeing someone carrying that key signature and an ID card that has the same name as the person who claims to own that key :)

Perhaps, or rather: which proves what exactly? :-)
Again, look at vetting as an example. Part of the checks are to test
that you're not a dead person; but there is *soooo* much more than that
elementary test.

Regardless, the process is invalidated - at best reducing - as soon as
they leave your sight. You have approximately zero guarantees the key
remains under their control; if indeed the key was ever under their

Excessively focusing on but one part of a very complex web of trusts to
the exclusion of others? That's theatre.

Or to re-describe by way of example:
I was banned from updating the daily crypto key change on GFE's at a
previous job - didn't have the appropriate special clearance. Fair
enough, them's the rules.
That I had 24x7 physical & root access to *all* the servers/workstations
(and GFE's...) on either side of the link in question seemed to escape
this rules situation.
i.e. The crypto was irrelevant if I turned rogue. The harshest rules
being applied were focused on completely the wrong problem.

These key exchange events apply exactly the same illogic.

That doesn't make the process useless; but let's not get carried away
with their value either.

Says it all really.... :-)

- Steve
