On key signing and trust

Key signing is a hallowed tradition in the open source world with a very specific protocol for validating and confirming an identity before accepting someone to the web of trust. It’s almost never done without meeting the person being admitted into the trust relationship and it goes like this:

  1. Individuals meet for a beer, or at a key signing party (for those who just went wtf, yes, these things are real, and they are crazy fun! see below for the type of shenanigans that take place at these reality-altering parties)
  2. They exchange strips of paper or business cards with their name, email address, key fingerprint and key ID
  3. They validate each other’s identity using Government issued photo IDs
  4. Once cleared, they pull down each other’s key from the key servers
  5. They validate that the fingerprint of the downloaded key matches the full fingerprint written on the piece of paper (all of it, not just the key ID at the end, which is too short to be unique) and that the name in the key's user ID matches the photo ID exchanged at introduction
  6. If everything checks out, they sign each other’s key
  7. For additional security, the signer does not upload the signature; it is encrypted using the public key of the recipient and emailed to the address indicated in the key, so that only someone who can both read that mailbox and decrypt with the private key is able to obtain and publish it

Let’s look at this unnerving and highly nerdy exchange that has replaced “Hi, I’m Tom” with “Hi, I’m Tom and here’s my fingerprint and government-issued photo ID”. Here’s the rationale for some of the steps in this workflow.

The key is a personal identification and privacy instrument, backed by strong science, that provides non-repudiation. I will not go into the science in this post, but here’s where you may want to get started if you’re curious. A defining aspect of this workflow is that nothing is trusted until verified, and the protocol is there to make sure that no compromise takes place.

At the beginning of the process, the public key is expected to be on a public key server network (such as pgp.mit.edu), and the meeting in person is there to make sure that the key you’re signing (which sits on a public system) belongs to the correct individual and not to an individual (or three letter agency) masquerading as someone else. Key servers verify nothing: anyone can upload a key carrying anyone’s name and email address, so the key by itself proves nothing about who holds it. The most secure way to close that gap is in person (because we’re a paranoid bunch), as that eliminates any chance of a malicious man in the middle. When the person produces the piece of paper with the key fingerprint (again backed by strong science), the signer compares the fingerprint of the key on the public server with the fingerprint presented in person, and the name on the key with the official photo ID, and can confirm that the public key really belongs to the individual before him or her. The connection has now been made and technology has once again prevailed in mathematically assured validation of another’s identity. The party is just getting started.

Once identity is validated this way, the signer signs the key and uploads it back to the key server or emails a copy of it. This can be done after the party in a more subdued setting, without the crazy paper shuffling and photo ID validation madness. The astute and more paranoid amongst us would not upload the signature at all, but encrypt it using the public key of the key being signed and email it to the address specified in the key (one signature per user ID, each sent only to its own address). The recipient can only decrypt, import and publish that signature if they control both the private key and the mailbox, which is what validates that the email address is correct and belongs to the right user. For the gnupg commands that make this workflow possible, check out the Debian Key signing howto.
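The fingerprint comparison of steps 4 and 5, as an added example that is not part of the original post and not gnupg’s own code: it computes an OpenPGP version 4 fingerprint (RFC 4880, section 12.2) over a constructed public-key packet and checks it against the text someone hands you on a slip of paper. The key material is made up for the demonstration (the modulus is not a real RSA key; the arithmetic does not care), and the function names are my own.

```python
"""Added example: what the slip of paper has to match, computed by hand.

An OpenPGP v4 fingerprint (RFC 4880, 12.2) is
    SHA-1( 0x99 || two-byte big-endian packet length || public-key packet body )
and the 64-bit key ID is simply the low-order 8 bytes of that fingerprint.
"""
import hashlib
import hmac
import struct

HEX = set("0123456789ABCDEF")


def mpi(n: int) -> bytes:
    """Encode an integer as an OpenPGP multi-precision integer (RFC 4880, 3.2):
    two-byte bit length, then the big-endian value with no leading zero octets."""
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return struct.pack(">H", n.bit_length()) + body


def v4_rsa_public_key_body(creation_time: int, n: int, e: int) -> bytes:
    """Body of a version 4 RSA public-key packet (RFC 4880, 5.5.2):
    version 4, creation time, algorithm 1 (RSA), then the MPIs n and e."""
    return b"\x04" + struct.pack(">I", creation_time) + b"\x01" + mpi(n) + mpi(e)


def fingerprint(key_body: bytes) -> str:
    """v4 fingerprint: SHA-1 over 0x99, the two-byte body length and the body.
    Returned as 40 upper-case hex digits, the way gpg --fingerprint prints it."""
    digest = hashlib.sha1(b"\x99" + struct.pack(">H", len(key_body)) + key_body)
    return digest.hexdigest().upper()


def long_key_id(fpr: str) -> str:
    """The 64-bit key ID is the last 16 hex digits of the fingerprint (the short
    32-bit ID is the last 8). Neither is a substitute for the whole fingerprint."""
    return fpr[-16:]


def normalize_slip(text: str) -> str:
    """Undo the formatting people put on a paper slip: spaces between groups of
    four, lower case, an optional 0x prefix. Returns '' if the result cannot be
    a v4 fingerprint (wrong length or non-hex characters)."""
    t = "".join(text.split()).upper()
    if t.startswith("0X"):
        t = t[2:]
    if len(t) != 40 or any(c not in HEX for c in t):
        return ""
    return t


def slip_matches_key(slip: str, key_body: bytes) -> bool:
    """Step 5 of the workflow: the fingerprint on the slip must equal the
    fingerprint of the key pulled from the key server. A bare key ID, or a
    slip with a single digit wrong, is rejected."""
    claimed = normalize_slip(slip)
    if not claimed:
        return False
    return hmac.compare_digest(claimed, fingerprint(key_body))


# Constructed sample key (assumption for the demonstration): the modulus is an
# arbitrary number, not a real RSA modulus, and the timestamp is arbitrary.
SAMPLE_KEY = v4_rsa_public_key_body(
    creation_time=1356998400,  # 2013-01-01T00:00:00Z
    n=0xC0FFEE_DEADBEEF_0BADF00D_FEEDFACE_CAFEBABE_12345678_9ABCDEF0_13579BDF,
    e=65537,
)

if __name__ == "__main__":
    fpr = fingerprint(SAMPLE_KEY)
    # The slip as gpg would print it: ten groups of four hex digits.
    slip = " ".join(fpr[i:i + 4] for i in range(0, 40, 4))
    print("fingerprint   :", slip)
    print("long key id   :", long_key_id(fpr))
    print("slip matches  :", slip_matches_key(slip.lower(), SAMPLE_KEY))
    print("one digit off :", slip_matches_key(slip[:-1] + ("0" if slip[-1] != "0" else "1"), SAMPLE_KEY))
    print("key id only   :", slip_matches_key(long_key_id(fpr), SAMPLE_KEY))
```

gpg --fingerprint performs the same arithmetic; spelling it out shows what the check actually consists of. The comparison has to cover all 40 hex digits: the short key ID is only 32 bits, and a key whose short ID matches any chosen value can be generated in minutes, so a slip or a key server lookup that identifies a key by its ID alone has verified nothing.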

In communities such as Debian, this process is mandatory to assure trust in a system that is largely decentralized. The Web of Trust this creates is a truly magnificent network, which is difficult to subvert so long as the protocol is followed to ensure no compromise.

While this is good for cryptographically assured validation of one’s identity in a global network and non-repudiation of one’s contributions and electronic communications, trust is ultimately a very subjective attribute and probably can never be assured through a hash, because trust can be broken by people even when strong science says otherwise.

On Perl and Poetry

I first learnt of Perl in the late 90’s, sometime around ’98 or ’99. Fresh on the heels of BASIC, I was yearning to try out something new when I heard of Perl. I heard it’s what the Internet ran on, and it had an almost mythical air to it that made me want to learn it. If you wanted to build dynamic web sites at that time you had few options, and Perl, Apache and UNIX were the workhorse. I wanted to build dynamic web sites, so what I had to do was pretty clear. There was a newfangled thing called Java, but no way was it ever going to catch up to the dominance that Perl had over the Internet. Or so people thought.

Perl was the undisputed king of Internet 1.0. The language, with its knack for text processing coupled with its highly expressive syntax, was ideal for building dynamic web sites. I saw how entwined Perl was in the UNIX sub-culture and how naturally it fit in, and how, together with Apache/mod_perl, it was poised to reign over the Internet for years to come. I then drifted into the world of enterprise Java and progressed from the monstrosity that was J2EE to the present day JEE, which has since redeemed itself and paid for its early sins, and when I came back several years had passed and Perl had been relegated to a position the new kids considered old and dead. However, nothing could be further from the truth.

In the syntax of Perl, often misunderstood by those new to the language who claim it to be cryptic or arcane, there’s an elegance and a beauty that is not always present in other languages, and I find that I enjoy hacking on a Perl script more than chipping away at the Java mega-structures. Its expressiveness, and how you can mold the code to fit your pattern of thought through the many variations and permutations the language syntax offers, plays a large part in this sense of aesthetic. There’s something about the language that’s reminiscent of a Bach fugue and poetry. I certainly do not feel the same way about Python, although Ruby comes a little close.

I don’t think I will ever stop coding Perl, and Perl 6 has a number of interesting language elements that I hope someday I will get to see, possibly running on GNU/Hurd. Now wouldn’t that be a sight to behold?

To beacon, or not to beacon

The more I look into Bluetooth LE and beacon technology, the more I’m convinced that we’ve stumbled upon something very interesting and, even, *ahem* disruptive. I’m a bit reluctant to use the word “disruptive” as it has lost some of its meaning due to gross overuse, but I believe it describes the technology well. The wireless technology has been around for over a decade, but is now coming to the foreground, especially on the micro-location front, which is showing a lot of promise. On another note, building a beacon using a Raspberry Pi seemed like an interesting project until I discovered that Bluetooth 4 USB modules are virtually non-existent in Sri Lanka.

The PayPal beacon is a wonderful example of this at work. It’s very exciting to think about the possibilities that this could unleash. PayPal’s hands-free payments are completely re-defining the payment experience in a very novel way. It gets even more interesting when companies start carving out their own territories around this, as evidenced by Apple’s patent filings. My disgust for patents and the associated territorial pissing, which in my opinion hinders innovation, is best left for another post.


2013, a retrospective

It has been an interesting year in ways that I did not anticipate. Looking back, I’d like to recount a few things so that I don’t forget the experiences that have dramatically altered my worldview, hopefully for the better. I’d like to remember these fleeting moments, as they’re too precious to be lost. Here they are, in no particular order.

  • It feels good to walk for the first time without support after an extended period on a hospital bed. The first unsure steps, like a child, are both exhilarating and scary. The slow steps, the deep breaths, and victory. The blessings of human mobility.
  • The seconds before general anesthesia. Unsure about what’s going to happen. Succumbing to the uncertainty. General sense of well being, even though NOT. Numbness traveling up the leg, starting at the fingertips. Fluttering of eyelids, coldness, and out.
  • Waking up thinking “Made It”, on more than one occasion. Colorful and vivid morphine-induced dreams.
  • Drinking water. Never did it taste so good. Thinking “why didn’t I enjoy this more?”
  • Feeling satisfied and carefree when the last drain tube is out. Going for another walk without the chains and shackles this time, beaming and happy.
  • Taking bad news with a “crap, in a bit of a pickle”. Wishing there weren’t so many people around me. Thankful there weren’t some people around me.
  • Taking good news with a “hmm, that’s great”. Thinking “what’s next”, and where to go for lunch.
  • Waiting expectantly for the visiting hours and seeing Wathsala walk in at the strike of the clock. All is well.
  • Sleeping to the sound of a waterfall. My neighbor’s snoring and sleep-talk required me to explore this option. It worked out well.
  • Sleeping in my own bed and thinking how low-tech it is. The light streaming through an open window and a gentle breeze. It’s 11am on a Tuesday and I’m in bed and not at work.
  • Being breathless after a trip across the room.
  • Doing breathing exercises using a contraption that made me want to keep bettering myself to impress the nurses. Wathsala knew what was going on and was in silent support of it. Or so I presume.
  • The real beauty of loving and caring human beings. Honestly, there’s no bigger service than nursing someone to health.
  • Observing the activities of the Vietnamese drug lord and his two mistresses in an adjoining bed. His hefian mannerisms and attire intrigued the hell out of me. Didn’t see him after he was wheeled out for surgery. I figured he requested a different bed. Wonder why.
  • Reading “Ape Gama” by Martin Wickramasinghe after many many years and thinking, “that is just beautiful”.
  • Visits from old friends.
  • Wearing the sarong like a boss. Proudly brandishing the national attire on the many trips abroad and vowing to stick with it for good. More “why didn’t I do this before?”.
  • Walking into the hospital like I owned the place. Being recognized. Probably as the guy who visits Mount Elizabeth wearing a sarong. Proud to be that guy.
  • Visits to the temple. More, “why didn’t I do this before?”
  • Hearing about those who were praying for my recovery from other people. Some who I had not even met, until just today.
  • Feeling grateful for my A team of Poh-Koh-Tan for pulling me out of a mess.
  • Dr. Liang banging his head on the table when he found out I was flying out the next day. He wanted more time to work with the “interesting case”. I granted him his wish.
  • Hearing old voices on the phone unexpectedly.
  • Hearing the sound of the crows outside the General Hospital in the morning. Inspiration shows up in unexpected places.
  • Being sick of soup. To this day.
  • Stories of talking dogs and cats and elaborate back-stories for doing what they did.
  • Shaking my cousin’s hand in the recovery room as I drifted in and out of sleep.
  • Waiting for the first rays of sunlight after a sleepless night.
  • Experiencing pain, and knowing it will pass. And it did.
  • Phone calls from my friends, following my every step of the way and helping me on.

It’s been an interesting year and I hope 2014 will be an interesting one too, and if all goes according to plan, it will. Stay tuned.

Software Freedom Day 2013 @ Virtusa

This last week, the fine folk at the Virtusa Open Source SIG organized an event to celebrate Software Freedom Day, where my good friends Mifan and Suchetha gave keynotes. Also in attendance was Arunan, so it was a re-union of sorts with some old friends. It’s been a while since I have participated in anything open source / free software, and it was great to see the old flame is still alive at Virtusa. I hope it helps in shaping their worldviews and brings as much purpose to them as it did to me more than 10 years ago.

The last SFD I attended was in 2008. I blogged about it here with some photos available in my surprisingly-still-around flickr account. It was in Chinatown in Boston and I drove up from Pennsylvania, mostly to get my mind off things. It was there that I purchased a copy of “Free Software, Free Society”, a collection of essays by Richard Stallman. Five years later, I picked up the dusty book from my shelf and re-read the GNU manifesto, to get my mind back to the core principles.

[Image: photos from Software Freedom Day 2008]
Source: http://www.flickr.com/photos/aweeraman/sets/72157600555500824/

It was there, as I was flipping through the pages, that I saw RMS in a whole new light. His uncompromising tenacity in the face of control and oppression and unfaltering stance on ethics and morality of freedom. He is a true freedom fighter. His message sometimes gets lost in all the pandemonium we go through daily but the spirit of the freedom he preached is very much alive every time we believe that knowledge should be free and that everybody should have access to it. I hope this message continues to inspire folks for years to come.