[FOSDEM] Fake passport at FOSDEM 2016 keysigning?

Winfried Tilanus winfried at tilanus.com
Tue Feb 2 01:46:28 CET 2016

Hash: SHA512

On 02/01/2016 11:27 PM, Jens Stomber wrote:


First of all: I didn't notice the counterfeit passport and signed the
key. I should have noticed. And this incident is a wake-up call to
better check the presented ID's before accepting them.

Secondly, the knowledge about the fake passport brings me in a
difficult situation. Let me explain that a bit.

Any attempt to undermine the web of trust, is a serious blow to both
the open source and the security community. Though the motivation to
present a fake passport may be noble, its consequences can be severe
because it undermines an important tool for secure and authenticated
communication. So only if there are enough safeguards such a 'wakeup
call' can be done in a ethical way. I think about safeguards like:
- - revoking the offending key /before/ the keysigning event
- - announcing on forehand that, as part of a test, a fake passport may
be presented
- - revealing all the details right after the key signing event

The person causing the incident at FOSDEM did not have any safeguards
like these in place and seemed to have lacked any ethical or legal
consideration before taking this action. From a legal point of view it
is fraud to 'present a fake passport as if it is real'. At FOSDEM it
was done under Belgian jurisdiction and that kind of fraud is
punishable in Belgium with a jail sentence up to 10 years.

That brings me to my dilemma: Because of the consequences for the web
of trust, I would normally file a complaint (for fraud) against
anybody who presents me a fake id at a key signing party, except when
this was part of a test with enough ethical (and legal) safeguards. It
is clear that this action was not a case of malicious intent but mere
a case of being unthoughtful. But the only way that the person who has
done this can still make his actions more or less ethical is by still
revoking the key and by publicly stepping up and making a statement
about this test. But by doing so, he would provide the evidence for
his own fraud. I can not demand that from anyone. So I don't believe
this incident can still be turned into an 'ethical test'.

I really don't want to file a complaint against a fellow member of the
open source community. Neither do I want to bring Jens Stomber, Teddy
Hogeborn or the organisers of FOSDEM in the position of being witness
of a crime. But at the same time I believe that 'it was unthoughtful'
is not enough to not do so.

I honestly don't know how to react on this. I am in a position right
now, I don't want to be in. I also honestly hope there is an other
resolution possible then filing a complaint. The best I can do now, is
to give it some time and to think about it before taking action of any

with kind regards,

Winfried Tilanus
Coba Ritsemastraat 12
2642 CD  Pijnacker
The Netherlands

> Hi, I have been asked to forward this explaination with some 
> backgroundinformation to you:
> Hi,
> I'd be thankfull if you could forward my response to all (as web.de
> <http://web.de> won't let me send a mail to so many people).
> Greetings
> ----.
> Hi,
> looking back I must say it may not have been the best idea to do 
> this test. But at first I would like to inform you that the "fake" 
> passport was a sample passport,which actually contained correct 
> data.
> About the passport: It was made by the same company which actually 
> makes the official documents,there for most people which where
> only looking at the fancy security features failed here.
> I would like to remind the people who verify the documents for PGP 
> to actually check if the document makes any sense.Because besides 
> the fact that it was marked "Specimen" (which means example) it
> had some more noticeable points like:- the number of the passport
> was KD000000- the countrycode was non existent- there was no
> country named on the Document- the name of the company which
> manufactured it was printed on it multiple times
> Besides that (and yes I know with so many people there it is hard 
> to do so),I would prefer that you check the documents if you don't 
> know them andmaybe have a look at some of the basic security 
> features of the documents like cacert does for example.
> To the result of the test: From all people who where at the key 
> signing sadly only 20 noticedthat it was a sample Passport, to 
> those I then showed my correct passport.
> Greetings
> 2016-02-01 20:44 GMT+01:00 Teddy Hogeborn <teddy at recompile.se 
> <mailto:teddy at recompile.se>>:
> First, please excuse me for this mass unsolicited mailing, but I 
> believe that this will be of interest to you.
> At the FOSDEM 2016 keysigning, or rather, right after the 
> keysigning event, an unknown person approached me in the hallway 
> and my associate and suggested that they pitied us, and, upon 
> inquiry, admitted that it was due to us now having signed a fake 
> key.  When pressed for further details, he would only say that 
> someone unknown to him had confessed to using a false passport, 
> presumably in the keysigning.  He would not divulge anything 
> further.
> Now, surely this person, i.e. the person with the fake passport
> who may or may not exist, is willing to come forward and share the 
> results of their experiment?  No doubt they will be announcing the 
> details of their stunt, if only to make some point or other?  (See 
> also “Do not disrupt Wikipedia to illustrate a point”: 
> <https://en.wikipedia.org/wiki/WP:POINT>)
> In case they are not willing to immediately announce themselves, is
> anyone else able to shed further light or provide additional 
> details?
> /Teddy Hogeborn
> -- The Mandos Project http://www.recompile.se/mandos
> --
> Mit freundlichen Grüßen
> Jens Stomber
> Schönbergstr. 23
> 85057 Ingolstadt
> Germany
> E-Mail: jens.stomber at gmx.de <mailto:jens.stomber at gmx.de>
> Jabber: zombb at jabber.ccc.de <mailto:zombb at jabber.ccc.de>
> Tel.: +49 (0)841 / 37 99 285
> Mobil: +49 (0)151 / 54 82 82 37
> Fax: +49 (0)3212 / 1178019

Version: GnuPG v2


The content of all messages is the sole responsibility of the author.
More information about the FOSDEM mailing list