incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Marvin Humphrey <mar...@rectangular.com>
Subject Re: key signing
Date Thu, 11 Oct 2012 18:07:31 GMT
On Thu, Oct 11, 2012 at 12:00 AM, Branko ─îibej <brane@apache.org> wrote:

> So instead of giving too much credence to government-issued IDs, you'd
> prefer to give credence to a service provided "for free" by a commercial
> entity with a conceivable interest in inserting backdoors in software or
> subverting trust in certain keys (a.k.a. Google), with the whole thing
> being archived in as system controlled by another commercial entity
> (a.k.a. YouTube, incidentally a.k.a. Google), with no public oversight
> of those archives.

The beauty of multi-factor authentication is that any one factor may have
weaknesses, so long as it remains infeasible to compromise all of them.

Giving an unaccountable proprietary entity like Google a role is indeed a
weakness, just as relying on fallible amateurs to detect potentially forged
government-issued IDs is a weakness.  In a layered system, neither weakness
need be fatal.

> I'm sure you'd sue Google and win if they fake the archive.

I'm confused as to what attack vector you're describing here.

Since Google controls the only copies of the video, in theory they might
"photoshop" its content to alter the appearance of one of the participants --
but that seems implausible because of technical challenges.

It's possible Google could "accidentally" misplace some video content, though.

In the sample/rough-draft protocol I described, the archived video serves two
purposes:

In the short term, it provides footage for third parties contacted out-of-band
(via e.g. phone or email) to review and provide testimonials: "Yes, that's my
colleague Noah Slater, who I've known for 5 years".  Should the video archive
mysteriously vanish before that loop closes, key signing aborts and the system
remains uncompromised.

In the long term, the archived video serves to deter would-be identity
spoofers by capturing their faces and voices for posterity.  An attacker who
has the ability to remove the video (conspirator, rogue employee, cracker who
has compromised Google's servers or more likely the account hosting the video)
would still have to overcome other obstacles -- establishing control over an
ASF committer account, preventing third parties contacted out-of-band from
raising red flags, etc.  It seems to me that the potential dissappearance of
archived video degrades deterrence by a small amount, but that so long as
other factors retain their integrity, the degradation is nowhere near enough
to bring down the system.

Marvin Humphrey

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org


Mime
View raw message