
Re: [Debconf-discuss] Call for keys for keysigning in Edinburgh during DebConf7



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Moray Allan wrote:
> On Wed, 2007-05-09 at 09:33 +0100, Mark Brown wrote:
>> The big problem people have with the enormous keysigning parties from a
>> trust point of view is that they tend to be tiring and often a bit
>> hurried.  This tends to reduce the quality of the ID checking that is
>> done substantially.
> 
> Yes, that's the main problem I see: most people seem to just go into
> automatic mode of "stare at name on ID, tick off as correct" (not really
> checking what the ID is/if it's valid/whatever, mostly not complaining
> if the person looks nothing like the ID photo).  Indeed, anyone doing
> more extensive checks tends to get shouted at by others for slowing
> everyone else down with them.

This is a problem, and I agree that it becomes difficult to remain properly
alert to the end of a signing.

> fil is optimistic about the filtering effect of the queue, but if people
> aren't all making valid independent decisions (as they're not in my
> experience) you should really just be signing everyone with some special
> key for that keysigning, that people can choose to trust, not pretending
> that each individual link is fully trustworthy.

This sounds like it might be an interesting idea, but given that the IDs
need to be checked by individuals anyway, perhaps all you need to do is to
make sure that the better connected people in the web-of-trust are evenly
distributed through the line, and then only bother doing the rotation as
many times as it takes for someone to get from one well signed person to
the next -- that is liable to get everyone within about one trust hop of
where they would get if the keysigning continued to the bitter end, so
would be equivalent to having a keysigning key that all attendees signed
and that signed all keys, without the single point of compromise.

> (If someone fools only 10% of people at a big keysigning into signing
> them as those people are in a rush etc., they've already got a lot of
> trusted signatures -- web-of-trust calculations will assume those were
> all checked independently.)

Well, if they fool only 10% then they're liable to be rejected by at least
5 out of the first 10 people that they see, even if they're lucky -- if we
encourage people to be vocal about their rejections, and to pass the fact
of rejections on to their neighbours, I really don't see those people
staying in the line, or the few people that had previously accepted the
doubtful ID following through and signing that key.

Perhaps we need to introduce a protocol for denouncing keys that are only
supported by doubtful IDs, and to encourage people to make use of it.

The reason people get laxer as such events go on is that they are aware
that the person's ID has already been checked by an increasing number of
people, so perhaps we should just curtail the whole thing after about 10 ID
checks, or make it clear that after about the 10th check, it's perfectly
acceptable to wander off.  That, combined with some way of ensuring that
missing people are not allowed to join in the line late (after ID check
fatigue starts to set in) should sort the problem out, and speed things up
as people wean themselves out as they get tired, rather than just doing
cursory checks.

> At the dc6 keysigning there were a number of people who just ignored the
> instructions about not taking part if you hadn't checked the hash
> already (as they wanted to get signatures, and wouldn't have another
> chance as good soon), meaning that people signing them could mistakenly
> have been signing any key with no relation to that person.  (I
> understand the same was true at the dc5 keysigning.)  I tried asking
> people if they really really had checked it etc., but while some people
> admitted they hadn't, I'm not sure any of those actually stopped taking
> part in the keysigning.

Hm, that is a problem -- I got the impression that several such people
quickly learnt that they could get their (or someone else's as the case may
be) key signed by lying about having done the check -- there's not much
that the potential signer can do about being lied to in that case -- adding
the mechanism to denounce the key when you are told that it's not been
checked would deal with this problem, since they'd then be kicked out of
the line, and an announcement could be made for people to strike that key
off, so that they cannot sneak back into the line later, and start lying.

Cheers, Phil.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGQcOyYgOKS92bmRARAuAoAJ440qxCKCfsPdFuh+PEIi0S8ZdzUACdGBnS
rn5Q09xVSC5rI1rFsHxNSyg=
=ZOAa
-----END PGP SIGNATURE-----
