
Re: [Debconf-discuss] Call for keys for keysigning in Edinburgh during DebConf7



On Wed, 2007-05-09 at 09:33 +0100, Mark Brown wrote:
> The big problem people have with the enormous keysigning parties from a
> trust point of view is that they tend to be tiring and often a bit
> hurried.  This tends to reduce the quality of the ID checking that is
> done substantially.

Yes, that's the main problem I see: most people seem to just go into
automatic mode of "stare at name on ID, tick off as correct" (not really
checking what the ID is/if it's valid/whatever, mostly not complaining
if the person looks nothing like the ID photo).  Indeed, anyone doing
more extensive checks tends to get shouted at by others for slowing
everyone else down with them.

fil is optimistic about the filtering effect of the queue, but if people
aren't all making valid independent decisions (as they're not in my
experience) you should really just be signing everyone with some special
key for that keysigning, that people can choose to trust, not pretending
that each individual link is fully trustworthy.

(If someone fools only 10% of people at a big keysigning into signing
them as those people are in a rush etc., they've already got a lot of
trusted signatures -- web-of-trust calculations will assume those were
all checked independently.)

At the dc6 keysigning there were a number of people who just ignored the
instructions about not taking part if you hadn't checked the hash
already (as they wanted to get signatures, and wouldn't have another
chance as good soon), meaning that people signing them could mistakenly
have been signing any key with no relation to that person.  (I
understand the same was true at the dc5 keysigning.)  I tried asking
people if they really really had checked it etc., but while some people
admitted they hadn't, I'm not sure any of those actually stopped taking
part in the keysigning.

-- 
Moray
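
The point above about web-of-trust calculations treating hurried signatures as independent checks, as an added example that is not part of the original post. It assumes GnuPG's classic trust model defaults (one fully trusted or three marginally trusted signers make a key valid); the party size, the number of trusted attendees and the "party" key name are constructed for illustration.

```python
from math import comb

# Assumption: GnuPG classic trust model defaults
# (--completes-needed 1, --marginals-needed 3).
COMPLETES_NEEDED = 1
MARGINALS_NEEDED = 3


def key_is_valid(signers, full_trust, marginal_trust):
    """Validity rule: count signatures from keys whose owners the verifier
    trusts fully or marginally as introducers."""
    full = len(signers & full_trust)
    marginal = len(signers & marginal_trust)
    return full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED


def p_accepts_bad_key(attendees, careless, trusted_marginally):
    """Probability that a verifier who marginally trusts `trusted_marginally`
    randomly chosen attendees sees a key signed by `careless` hurried
    attendees as valid (hypergeometric tail: at least MARGINALS_NEEDED of
    the trusted attendees are among the careless signers)."""
    total = comb(attendees, trusted_marginally)
    too_few = sum(
        comb(careless, k) * comb(attendees - careless, trusted_marginally - k)
        for k in range(min(MARGINALS_NEEDED, trusted_marginally + 1))
    )
    return 1 - too_few / total


if __name__ == "__main__":
    # Constructed scenario: 100 attendees, 10% sign without a real check,
    # and the verifier marginally trusts 20 of the attendees.
    print(f"mis-bound key seen as valid: {p_accepts_bad_key(100, 10, 20):.0%}")
    # If every check had really been made, no signature exists to count.
    print(f"with careful signers only:   {p_accepts_bad_key(100, 0, 20):.0%}")

    # Alternative raised in the post: one special party key signs everyone,
    # so validity hinges on a single explicit trust decision by the verifier.
    party_sig = {"party"}
    print("party key untrusted:     ", key_is_valid(party_sig, set(), set()))
    print("party key marginal only: ", key_is_valid(party_sig, set(), {"party"}))
    print("party key fully trusted: ", key_is_valid(party_sig, {"party"}, set()))
```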

