Bruce Schneier

 
 

Schneier on Security

A blog covering security and security technology.


January 4, 2008

"Responsible Behavior"

xkcd.

This one is pretty funny, too.

Posted on January 4, 2008 at 12:42 PM

Comments

This is "Responsible Behavior" on a different level: http://www.theregister.co.uk/2008/01/04/another_stick_with_military_secrets_found/

Posted by: zenfool at January 4, 2008 1:32 PM


Ok, I guess I'm missing something about the public key signing joke. Sorry. Can someone please take pity and explain why it's funny? Bob just signed Alice's key pair, and she is not trusted. Why's that bad?

Posted by: Jared at January 4, 2008 1:55 PM


@Jared, Because he was drunk when he signed it. :p

Posted by: Marcin at January 4, 2008 2:02 PM


Because PGP is a 'web of trust' or 'reputation' based trust relationship. If Alice turns out to be a "bad girl" and Bob has vouched for her, his credibility is now suspect (or more suspect than it might have been.)

Keep in mind that these web of trust relationships are a marginal decision if a signature/key is to be "trusted" (well, in ALL key mgmt. relationships it's marginal trust, but with PKI that trust decision is typically forced on the user by the organization.) If you don't trust a key unless Charles has signed it, and he makes a bad decision, do you still trust keys he has signed, or do you revoke his 'authority' to validate keys for you?

So, by signing her key, he has potentially besmirched his own reputation. Yeah, most geek jokes don't stand up to plain analysis and retain ANY of the actual humor.

Posted by: Jeff Pettorino at January 4, 2008 2:07 PM


Didn't you post this link before? (the public key one)

Posted by: Deja Vu at January 4, 2008 2:08 PM


Well, a PKI would have signed keys for all sorts of unsavory characters. What would Alice have to do for the decision to be sound? Or on the flip side, what could Alice potentially get away with if Bob isn't careful about declaring her pair to be trustworthy?

And no worries, I love geek jokes. I have a sheet of red paper on my wall that says "If this sign is blue you're going too fast". So far, in 6 years, only two office passersby have gotten it.

Posted by: Jared at January 4, 2008 2:25 PM


As soon as I read that the other day, the first thing I thought of after laughing was "Bruce will be posting this soon."

Posted by: John Ridley at January 4, 2008 2:49 PM


Don't forget to check the alt-text (View Source on the page). It's often the best part of XKCD. For the first one:

"Never bring tequila to a key-signing party."

For the second:

"Viruses so far have been really disappointing on the 'disable the internet' front, and time is running out. When Linux/Mac win in a decade or so the game will be over."

Posted by: MarcT at January 4, 2008 2:54 PM


It's not so much that Alice isn't trusted as that the signer has "no idea who she was. don't even know her name". A hierarchical PKI isn't supposed to sign keys in that situation either (of course, they do anyway: http://www.internetnews.com/dev-news/article.php/10_721571 ).

Posted by: Wim L at January 4, 2008 3:48 PM


There's another xkcd cartoon that is 'security related':

http://xkcd.org/327

It is a beautiful explanation of SQL injection attacks.

Posted by: Jonathan at January 4, 2008 4:26 PM


Jeff, your fine explanation provides one point of humor in the cartoon, while from a "geek emotional life" angle, what's funny is simply that while he rues having signed her public key, the more pedestrian scenario his pal asks about never even crosses his mind.

Then on another level, it's hilarious to realize how awfully esoteric it is, and that you can still get humorous mileage out of such, well, cryptic stuff.

Yes, explaining jokes does tend to kill them, but I think this particular one is a near masterpiece, as cartoons go.

Posted by: marekj at January 4, 2008 4:38 PM


Today's Sinfest comic is funny, too.

http://www.sinfest.net/archive_page.php?comicID=2677

Posted by: i like comics at January 4, 2008 4:57 PM


"Didn't you post this link before? (the public key one)"

Unlikely. It was only published a few days ago.

Posted by: Bruce Schneier at January 4, 2008 4:58 PM


I hereby retract my previous accusation. Happy Squid Blogging.

Posted by: Deja Vu at January 4, 2008 6:34 PM


Ha! I had sent this one to Bruce previously:

http://seattlepi.nwsource.com/fun/Bizarro.asp?date=20080102

Posted by: Jojo at January 4, 2008 7:21 PM

