Scripsit Gunnar Wolf <[EMAIL PROTECTED]>
> Henning Makholm dijo [Wed, May 31, 2006 at 04:10:51AM +0200]:
>> A KSP that depends on there being any pre-existing trust to abuse is
>> *completely worthless* as a KSP whether or not that trust is abused
>> or not.
> Ummm... There is a certain metric of
Henning Makholm dijo [Wed, May 31, 2006 at 04:10:51AM +0200]:
> Scripsit Javier Fernández-Sanguino Peña <[EMAIL PROTECTED]>
>
> > I do agree with Manoj that this was *not* a legitimate experiment (i.e.
> > not a "red team" test) and that Martin *did* abuse our [0] trust [1]
>
> A KSP that depends
Scripsit Javier Fernández-Sanguino Peña <[EMAIL PROTECTED]>
> I do agree with Manoj that this was *not* a legitimate experiment (i.e.
> not a "red team" test) and that Martin *did* abuse our [0] trust [1]
A KSP that depends on there being any pre-existing trust to abuse is
*completely worthless*
Javier Fernández-Sanguino Peña <[EMAIL PROTECTED]> writes:
> On Tue, May 30, 2006 at 10:32:15AM -0700, Thomas Bushnell BSG wrote:
>> I am actually quite ambivalent about whether I think what he did was
>> wrong; I think to determine that I would need to read carefully what
>> the KSP organizers sa
On Tue, 30 May 2006 15:09:25 -0700
Paul Johnson <[EMAIL PROTECTED]> wrote:
> On Tuesday 30 May 2006 14:15, Linas Žvirblis wrote:
> > Paul Johnson wrote:
> > >> See, if you visit a bazaar, I bet a helpful guy with a Russian
> > >> accent can sell you a
On Tuesday 30 May 2006 16:02, Javier Fernández-Sanguino Peña wrote:
> We are not talking about national security or public safety here, if Martin
> wanted to prove that attacks against KSPs can happen he could have managed
> his attack in an open way (as Manoj said "contact management and get their
On Tue, May 30, 2006 at 03:11:23PM -0700, Paul Johnson wrote:
> On Tuesday 30 May 2006 14:26, Steve Langasek wrote:
> > On Tue, May 30, 2006 at 01:57:18PM -0700, Paul Johnson wrote:
> > > On Tuesday 30 May 2006 13:02, Adam Borowski wrote:
> > > > See, if you visit a bazaar, I bet a helpful guy with
Javier Fernández-Sanguino Peña <[EMAIL PROTECTED]> wrote:
> > Is this really a bad thing? He proved that KSP are bad for the web of trust.
> > A legitimate attacker could abuse the KSP just as easily as Martin, but
> > would result in actual damage, and would most likely not have been caught.
>
>
On Tue, May 30, 2006 at 01:40:39PM -0400, Joe Smith wrote:
> Is this really a bad thing? He proved that KSP are bad for the web of trust.
> A legitimate attacker could abuse the KSP just as easily as Martin, but
> would result in actual damage, and would most likely not have been caught.
Ask your
On Tue, May 30, 2006 at 01:57:18PM -0700, Paul Johnson wrote:
> On Tuesday 30 May 2006 13:02, Adam Borowski wrote:
> > On Tue, May 30, 2006 at 12:20:14PM -0700, Paul Johnson wrote:
> > > Even the guy at 7-Eleven has the big book of North American ID cards with
> > > pictures and descriptions of wha
On Tue, May 30, 2006 at 10:32:15AM -0700, Thomas Bushnell BSG wrote:
> I am actually quite ambivalent about whether I think what he did was
> wrong; I think to determine that I would need to read carefully what
> the KSP organizers said. Martin certainly should follow the protocols
> established,
On Tuesday 30 May 2006 14:15, Linas Žvirblis wrote:
> Paul Johnson wrote:
> >> See, if you visit a bazaar, I bet a helpful guy with a Russian accent
> >> can sell you a perfectly valid passport for less than $50. Several
> >> years ago, a friend of mine actually asked someone at the Stadion
> >> 1
On Tuesday 30 May 2006 14:26, Steve Langasek wrote:
> On Tue, May 30, 2006 at 01:57:18PM -0700, Paul Johnson wrote:
> > On Tuesday 30 May 2006 13:02, Adam Borowski wrote:
> > > See, if you visit a bazaar, I bet a helpful guy with a Russian accent
> > > can sell you a perfectly valid passport for le
On Tue, May 30, 2006 at 01:57:18PM -0700, Paul Johnson wrote:
> On Tuesday 30 May 2006 13:02, Adam Borowski wrote:
> > See, if you visit a bazaar, I bet a helpful guy with a Russian accent
> > can sell you a perfectly valid passport for less than $50. Several
> > years ago, a friend of mine actual
This one time, at band camp, Paul Johnson said:
> On Tuesday 30 May 2006 13:02, Adam Borowski wrote:
> > See, if you visit a bazaar, I bet a helpful guy with a Russian
> > accent can sell you a perfectly valid passport for less than $50.
> > Several years ago, a friend of mine actually asked someon
Paul Johnson wrote:
>> See, if you visit a bazaar, I bet a helpful guy with a Russian accent
>> can sell you a perfectly valid passport for less than $50. Several
>> years ago, a friend of mine actually asked someone at the Stadion
>> 10-lecia in Warsaw, and was led to a guy with a number of blan
On Tuesday 30 May 2006 13:02, Adam Borowski wrote:
> On Tue, May 30, 2006 at 12:20:14PM -0700, Paul Johnson wrote:
> > Even the guy at 7-Eleven has the big book of North American ID cards with
> > pictures and descriptions of what makes a real one for when they
> > encounter an ID that they've neve
On Tue, May 30, 2006 at 12:20:14PM -0700, Paul Johnson wrote:
> Even the guy at 7-Eleven has the big book of North American ID cards with
> pictures and descriptions of what makes a real one for when they encounter an
> ID that they've never seen before. Surely Debian can do as well as the guy
also sprach Paul Johnson <[EMAIL PROTECTED]> [2006.05.30.2120 +0200]:
> Even the guy at 7-Eleven has the big book of North American ID cards with
> pictures and descriptions of what makes a real one for when they encounter an
> ID that they've never seen before. Surely Debian can do as well as t
On Tuesday 30 May 2006 10:40, Joe Smith wrote:
> But Martin decided to publish this experiment.
> Is this really a bad thing? He proved that KSP are bad for the web of
> trust.
Isn't what Martin and this thread actually demonstrated is that signing keys
based on IDs you cannot reasonably authent
also sprach Thomas Bushnell BSG <[EMAIL PROTECTED]> [2006.05.30.2002 +0200]:
> Personally, I'm especially worried about the developers who were
> taken in by the Transnational Republic ID. So, can we have
> a "fess up" time now? Manoj, did you sign the key on this basis?
He did not.
--
Please
also sprach Javier Fernández-Sanguino Peña <[EMAIL PROTECTED]> [2006.05.30.1920 +0200]:
> I do agree with Manoj that this was *not* a legitimate experiment (i.e.
> not a "red team" test) and that Martin *did* abuse our [0] trust [1]
I acknowledge this and would like to apologise to everyone.
My
"Joe Smith" <[EMAIL PROTECTED]> writes:
> So, if KSPs are not changed, then the Web of trust becomes
> effectively worthless. Manoj should be far more concerned about
> that, than about Martin's demonstration of this.
Personally, I'm especially worried about the developers who were taken
in by t
"Javier Fernández-Sanguino Peña" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
Claiming that what Martin did was good since he was showing something useful
for our community is equivalent to saying it was a "red team attack". Nobody
used that term explicitly probably because t
Javier Fernández-Sanguino Peña <[EMAIL PROTECTED]> writes:
> Claiming that what Martin did was good since he was showing
> something useful for our community is equivalent to saying it was a
> "red team attack". Nobody used that term explicitly probably because
> they are unfamiliar with it. I kno
On Tue, May 30, 2006 at 09:28:19AM -0700, Thomas Bushnell BSG wrote:
> Manoj Srivastava <[EMAIL PROTECTED]> writes:
>
> > This is to forestall those of you who seem to be arguing
> > that the debconf6 KSP crack was a red team attack -- here is how that
> > attack differed from a legit
Manoj Srivastava <[EMAIL PROTECTED]> writes:
> This is to forestall those of you who seem to be arguing
> that the debconf6 KSP crack was a red team attack -- here is how that
> attack differed from a legitimate red team effort (I have been a
> member of red teams before, and have le
Manoj,
On Tue, May 30, 2006 at 09:52:11AM -0500, Manoj Srivastava wrote:
> This is to forestall those of you who seem to be arguing
> that the debconf6 KSP crack was a red team attack -- here is how that
> attack differed from a legitimate red team effort (I have been a
> member of r
28 matches