
Re: [Debconf-discuss] GPG keysigning?

On Thu, Jun 11, 2009 at 04:45:29PM +1000, Aníbal Monsalve Salazar wrote:
> I was thinking about accepting only keys that don't suffer from the
> recently discovered weaknesses.
> What do people think about that?

I think that's a good idea, given that people can sign with their old
keys -- there seems little point in adding weight to a key that one
is (should be) retiring in the not too distant future.

I have a suggestion for improving the mass-signing procedure.

People (manoj? ;-) criticise mass signings on the basis that they take
too long and so by the end of it fatigue sets in and it becomes too easy
to wave any old ID in front of some people and get them to accept it.
The corollary of this is that the level of trust one puts in signatures
issued at mass signings is only as high as the competence of the least
competent person there, on a bad day.

I'd like to reverse that conclusion, so that the signatures generated
at our keysignings deserve a level of trust closer to the most diligent
person in the room.

I think that can be achieved by a couple of simple changes.

First, people who are not present should be announced, and the people
that are there should make note of that fact, so that someone cannot turn
up late in the expectation of more sloppy ID checks.

Second, if someone decides not to sign a key on the basis of suspicious
documents, they should announce that fact.  I'd suggest that the
announcement is done by shouting out the key number, and having someone
record the numbers.

The reason that I suggest shouting is that, despite that meaning that
there may be a certain amount of chaos at the start as the dodgy keys
are flushed out, it will establish a norm of rejecting dodgy ID, which
should work against the default group-think that would be encouraging
people not to make a fuss, and so err on the side of generosity.

The shouting thing might better be done by having people put their hands
up, to get permission to announce their suspicions, rather than everyone
just yelling.

Other people can then decide to cross that person off their list straight
away, or mark them for extra scrutiny, as they see fit.

Likewise, late arrivals can expect to get extra scrutiny.

In this way the average level of scrutiny should be closer to the upper
end of the paranoia of the people there.

This would also eliminate people that have fake ID from places that
most people wouldn't recognise at all -- we're almost bound to have a
local that will recognise it as fake, and so not sign.  By adding the
denouncement procedure that key will get signed by nobody at the key
signing, rather than getting signed by quite a lot of the people who
would have been convinced.

I'm sure there are ways of optimising this idea.

Cheers, Phil.
