Opened 8 years ago

Closed 8 years ago

#4049 closed task (fixed)

make ldap account for aagbsn

Reported by: arma Owned by: weasel
Priority: Medium Milestone:
Component: Company Version:
Severity: Keywords:
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

We should make an account for aagbsn so he can have a gitweb aagbsn/bridgedb.git repo.

Child Tickets

Change History (13)

comment:1 Changed 8 years ago by arma

It would seem there either isn't a pgp key to be had, or it is not signed by anybody we know. We should at least learn what it is and proceed from there. :)

comment:2 Changed 8 years ago by aagbsn

it might be this


Version: GnuPG v1.4.11 (GNU/Linux)

mQENBE52ppcBCADg6v1GtQgtuKIto0j60gYHFq73un5+FuWZVL5IX1C8cU/gRhjA
57BJeIdUovQluyq1sCc8ocFqIEZLWcNKQ5912yZt9uN4WC5dYOZoLPoiwM86Lll+
86e38SbZhIPRy92SV4am0azkZuvP4NGM5rnTDZ2GJTSkovzWBc3hLpL5WpD7n+Ym
UqNgT74Q7EymeBmynUrCe9/NbzuYWKfLGaeC/RqQ5ZjbxoitZP9Btwy0vditBhta
OTTVSbi6qyYwY4rBFed6OOEPjC6WBWXoROBcmn+Gnu0T07S+jcUM4WZ3qV8eRMDl
Z7iRFWK2yqVeTXtbEbiw+hicjfaji6UwULdLABEBAAG0HkFhcm9uIEdpYnNvbiA8
YWFnYnNuQGV4dGMub3JnPokBOAQTAQIAIgUCTnamlwIbAwYLCQgHAwIGFQgCCQoL
BBYCAwECHgECF4AACgkQLEsjndh2yfYQ9wf/XsRlt+OXO+SK9fDxdssLME+up7Z5
nTAqHHdfl1JNVWxRh3BMp/EIbcbZUemj9VVjefd3Gj7m54zkgHibrPA/cu1RNlpI
rwN54ei/VSoa0MFtNWUnpVONuRALiXFzFqHYee6Ym9NTJmyHXKivkKx49IdTRG
bFIDXAswxYAa0LHMSFnk7ad30BP1GwR2+KIIMe7lSyPDXVycW8fZTiJcZt1hHJAr
tp8ShRTkIo/DgTCtJbiF66EXlo518zP2lCy2G9fCFf24Dhn/cSYC9Y/8UgTGnugA
cq4PSU6aYVccX3FDBr3T+abewIpF8aSbb94kiJRBZrmTlKIuL0PEwSNTi7kBDQRO
dqaXAQgAw6UNcyeLFsKwF1A2ZFqSPifny0RTzq+BNLkQQrn0CjPfEwuAn/HNTUiq
DLO4/hd2tW5+jkKqrUjRloczO6Pp8StlJ4jBcUc71/PmT4JhBJH2lpB1ypWHjOA3
qBr1xYO2VQLhFlWWLyfO9rLCRIDGzHpL7bo0A+W5+Zj2WiihNTJuXhH23QvR51YK
0Ndsy9TNiEU4jfh9ym85aQ5h1eBofN5A7X4tkoYP5DZUM1YlqQT/9HMoM3TSQme6
gZJWEFvwg39rs79zDobnuvx8lvGh5vBZpPP0GGKDVYzNjXBV6LCU0tyvghMcsAZ2
1wA+7dLCwPcJOSd1m4E6bVGR8aH/SQARAQABiQEfBBgBAgAJBQJOdqaXAhsMAAoJ
ECxLI53Ydsn27toIAL7wzltcFN0FZzOTL33jvoR6ZDXgxcPaemJGIvRpF3wI2tou
28GnKHTQKgmwHx/eITobH9x3wSW8UN/1h/Pv4oUcBg4Wmg19PdRiQ+W+WRFU7z4a
aapky+o/d/4O7mjmvibnrHHhxgHhDd2diMsKTvRBa7AaeM4yffy082eS9amqvk/6
UFTeg9X6jO7HC2ilwPNvp2ENZ+Hq0davyNtOpF4lc0XYm9/lsPRYONKRZtBEWg1a
rbkrx2QNBP9in28JeUmKM07TbjzaYkb2mWWy/L3WyQf7vUpLiNt4yygyQRezIBt9
Oie10r2sQ6SKH5nGcwsu1mYbw1Kh8k6Rxb8gzlQ=
=CAsb


comment:3 in reply to:  2 Changed 8 years ago by aagbsn

also see tag "gpg"

git show "gpg"

tag gpg
Tagger: aagbsn <aagbsn@extc.org>
Date:   Sun Sep 18 20:20:19 2011 -0700

verify
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQEcBAABAgAGBQJOdrYJAAoJECxLI53Ydsn2pIUH/0FUAq6bcSWbhiF87UjIIaew
IxDDzTX70+nfoksHMcfQDNFuSQ6Oi3Vd3orIqqHE//rIwkp8zaDdiTyrCQtM+s1x
DTdU+Klfd/ZZ+O3tzokNGZmX19EuwYiQupIUW7riLVV8iFT2+KqwXAoOtqaohtuE
FxpbTTmQpeRGiJAZ9QXnB5Xfj7LW4L2EnQd6aOHHSNaeQo/Af2veT9w4f6DlLRUG
qV3DaklYAHpW9kzyaw9xtFUAVwGZPmT3Sv2hcVMIeKZ4uVOkZBN20FG8SnF5o6Nw
3mbA8sh1nRMBnEYvijVhzIjR2OzKqVV/ZQ4S9VI8021a8L2zjhV8NNQHYDb18tk=
=COlh
-----END PGP SIGNATURE-----

commit 9f377c129bf53ee0f02c761d58f06413bd7b650e

comment:4 Changed 8 years ago by arma

I can confirm that

pub   2048R/D876C9F6 2011-09-19
      Key fingerprint = 91D4 3A5B 1016 CEB6 D352  65AE 2C4B 239D D876 C9F6
uid                  Aaron Gibson <aagbsn@extc.org>
sub   2048R/E30723EE 2011-09-19

did in fact sign the tag on the github account that Mike said was aagbsn's bridgedb git repository.

comment:5 Changed 8 years ago by mikeperry

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I verify that aagbsn/gpg was signed by this key:

gpg: Signature made Sun 18 Sep 2011 08:24:57 PM PDT using RSA key ID D876C9F6
gpg: Good signature from "Aaron Gibson <aagbsn@extc.org>"
Primary key fingerprint: 91D4 3A5B 1016 CEB6 D352  65AE 2C4B 239D D876 C9F6

I pulled the tags through a git remote fetch via tor.

I obtained the GPG key 0xD876C9F6 from this trac ticket via a different
tor exit.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)

iEYEARECAAYFAk52y1MACgkQGwyjDN3GwK2f8QCeMsbvU5qqCdesKUdLc9RXxQRq
NuIAnjfziK5ogOlH7WTUpMoRXqjWaz+Z
=7c+X
-----END PGP SIGNATURE-----

comment:6 Changed 8 years ago by mikeperry

aagbsn: to close the loop against an adversary at your upstream, you should make sure the fingerprint we see is the same one you have locally for your own key :)

Once that is verified, we've successfully bootstrapped trust. And all without anyone needing to smell anybody else!

comment:7 in reply to:  4 Changed 8 years ago by aagbsn

Replying to arma:

I can confirm that

pub   2048R/D876C9F6 2011-09-19
      Key fingerprint = 91D4 3A5B 1016 CEB6 D352  65AE 2C4B 239D D876 C9F6
uid                  Aaron Gibson <aagbsn@extc.org>
sub   2048R/E30723EE 2011-09-19

did in fact sign the tag on the github account that Mike said was aagbsn's bridgedb git repository.


Version: GnuPG v1.4.11 (GNU/Linux)

owGbwMvMwMSo460890bZyW+Mpw9sSmLwK3sxPSi1IKcyMy9doSRfITo5Pzc3Na/E
ykQhsSg3MdaKy07BUyE5MU8hOT8vLbMoV6EkI7EEKFhdXQ0kC0qTFBQUjAxMLIL0
XSzMzZwt3cyAXENDXQNLXUNLoAoI8E6tVEgDWpFaVFCUmVeiYKtgaehiomDsaOqk
YGhgaKbg7OpkpuBibGqkoGBm6uiqYORs4qRgZGzpogAyVgFkLtCw0swUBQzgmFiU
n6fgnplUDKRsEhPTk4rzHFIrSpL18ovS7YC6ipEc6WpsYG5k7OqK6sja2logmQI0
PTNPIS0xuUShODM9D+jVVIWSxHSFfAgzPbMkA2hUYnJyfinQD6CAUPDNzE5VKE4E
6ixPLFaAWK5erJBUlJmSnpqSBNKjUJRakF+cWZJfVKnH1ckow8LAyMTAxsoECnoG
Lk4BWISkXuBg2Nss7SGccKNh9aJFWqxd6aWh7t9mrYvomZXyXvVOfsa2X462pj0B
UqaHfSYovP73XcP59dzpt3vtVj5U/vdtbeippuuLju71jdyg2vp8O8OlqjcSJ7Tm
fnNt12ji/NGeunHHtW4BwZOP1xn+TOr1fmCu/2K95+m8p0n9d/o7Y8NyedKyGI6t
NUn2D9PmNDniv6PezKU/6H2UvKf7L+2Mkv1+59Y/+/VZTXDSZrHzKWlnDly78trd
5m39foOpSy3mmydILV3MfmjjmvvTdm7c6SHEwDW9tP7CFMGJC9jlNhx/EfU4r++K
XzbnZTGPtyprrIw3vJq/9NXm5oSF4TqWL/XXO50vaF6S8bKGbfU6LgA=
=Qj/D


comment:8 Changed 8 years ago by mikeperry

Status: newneeds_information

aagbsn: Technically from a best practices point of view, you would need to verify your own signature, aagbsn. arma and I already agree we both see the same key coming from you. You need to verify for yourself (via multiple authenticated paths, such as different tor circuits) that the key is the one you tried to use.

This act "closes the loop" and prevents the last adversary class that armadev and I cannot detect without your assistance.

Of course, if they are there, they probably will try to kill you before you warn us. But that also transmits information to us. Good luck! : )

comment:9 Changed 8 years ago by aagbsn

The author of this message does verify, by way of Tails VM, that the fingerprint of the public key posted by "aagbsn" and the fingerprint posted by "arma" do indeed match.


Version: GnuPG v1.4.11 (GNU/Linux)

iQEcBAABAgAGBQJOdvVsAAoJECxLI53Ydsn2YBsH/02z7LwDhP7D+r7xWQz1jr3a
BOS/zqF5ob7f5nMS7egHedKf89BRu41M11yO3+X2F7MoVpTLeysaFe6FiSnoyjgf
8OeRroMM6/YSN14QKJrXCernSijvBrE7XAhqFd6Zqdg9EkYUfWkMf6heXZfKOc59
0cGfeqZqUlnm8pH4JmplEjX+ZdtFf3wDkq5cyyUJZZV0GWc5kxzcuWIY1Q/fGmYr
tnEldpMyvxxv/RjP2zeU8+w8kstW8GDoIPgnNAnlTDPQPjF4JoyGspXE4KTDKo46
JgTO2RPoQYXWvSjCTZathv8QMA8D16fCZj32rPe+pOz0VMuf3hXnxMrpwJTiHuU=
=EsQb


comment:10 Changed 8 years ago by mikeperry

Sweet. And now everyone bow your heads in a moment of silence for the real aagbsn, who we can only presume The Adversary has long since killed.

However, since this death would be outside the threat model, we don't really need to mourn too long.

comment:11 Changed 8 years ago by arma

I signed D876C9F6 and sent it to the keyservers.

comment:12 Changed 8 years ago by weasel

Owner: changed from phobos to weasel
Status: needs_informationassigned

Tue 21:04:48 <weasel> armadev: preferred username, first/middle/last name, forwarding email address, pgp key fingerprint.
Tue 21:05:51 <armadev> aagbsn, Aaron Gibson, aagbsn@…, 91D4 3A5B 1016 CEB6 D352 65AE 2C4B 239D D876 C9F6

comment:13 Changed 8 years ago by weasel

Resolution: fixed
Status: assignedclosed

Final information collected:

Aaron Gibson <aagbsn@…>:

Assigned UID: 2030 GID: 2030
Email forwarded to: aagbsn@…
GECOS Field: "Aaron Gibson"
Login Shell: /bin/bash
Key Fingerprint: 91D43A5B1016CEB6D35265AE2C4B239DD876C9F6

Continue [No/yes]? yes

Note: See TracTickets for help on using tickets.