
Re: [Debconf-discuss] GPG keysigning?



On Fri, Jun 19, 2009 at 09:37:57PM +0300, Eddy Petrișor wrote:
> Before the KSP, thanks to your old posts I decided I would only sign
> keys for people that I at least saw (talked to) once before and who
> appeared to be who they claimed to be in the view of the other
> people present there. OTOH, for people visibly chasing signatures or
> being sloppy when checking the ID or not even looking at me, I
> decided I will not sign their keys.

Maybe I'm a strange bird here, but I really can't say I agree with the
arguments made here against signing keys after verifying government
issued passports. 

I think having verified a government-issued passport (that looks
authentic enough) and that the bearer resembles enough the photo on
that passport is much better than not having a well connected web of
trust.

If we want to get into the paranoid realm of some kind of government
agents who aren't who they claim to be, I think they will find a way
inside such an open project as Debian no matter what the key signing
policies of people are.

The point is, my signature is good for a declaration that I have
verified the passport of a person and compared the photo to the face.
Whether someone then trusts that signature or not (and to what extent)
is of course their decision, but if I only signed keys of people I
have known since childhood, it would make the web of trust much weaker
and make trust paths to other people whom I don't know very long, with
lots of signatures from people whom I don't know, for no real benefit.

> Some of those people decided to sign my key although I had no
> contact with them before or after the KSP.
> 
> IMO, *that* is plain wrong!

It's exactly what I consider good policy, if your ID looks good
enough.

	Sami
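The distinction Sami draws (a signature only certifies "I checked this ID"; how much weight to give the signer is the verifier's own ownertrust decision) is what decides whether long trust paths stay usable. The following is an added toy model, not code from the mail or from GnuPG: it applies GnuPG's documented defaults (--completes-needed 1, --marginals-needed 3, --max-cert-depth 5) to two constructed webs of trust, one where the owner of `me` signs passport-verified strangers at a keysigning party and gives them marginal ownertrust, and one where only a previously known person gets a signature. Key names, signatures and trust assignments are invented for the illustration; the model ignores revocation, expiry and the finer points of GnuPG's real path counting.

```python
from collections import defaultdict

# Constructed toy model of GnuPG's default validity rules (added example, not
# from the mail or from GnuPG's source). Real option names and defaults:
MARGINALS_NEEDED = 3   # --marginals-needed
COMPLETES_NEEDED = 1   # --completes-needed
MAX_CERT_DEPTH = 5     # --max-cert-depth
ME = "me"              # hypothetical own key, implicitly ultimately trusted


def compute_validity(signatures, ownertrust, me=ME):
    """Return {key: depth} for every key the owner of `me` would consider valid.

    signatures: iterable of (signer, signee) pairs ("signer certified signee").
    ownertrust: {key: "ultimate" | "full" | "marginal"}; unlisted keys are
                untrusted, so their signatures count for nothing.
    A key becomes valid when it carries enough signatures from keys that are
    themselves valid, within MAX_CERT_DEPTH, and carry enough ownertrust.
    """
    signers_of = defaultdict(set)
    for signer, signee in signatures:
        signers_of[signee].add(signer)

    valid = {me: 0}            # our own key is trivially valid at depth 0
    changed = True
    while changed:             # iterate to a fixpoint: validity propagates
        changed = False
        for key, signers in signers_of.items():
            if key in valid:
                continue
            full_depths, marginal_depths = [], []
            for s in signers:
                # Only signatures from valid keys within the depth limit count.
                if s not in valid or valid[s] >= MAX_CERT_DEPTH:
                    continue
                trust = ownertrust.get(s, "unknown")
                if trust in ("ultimate", "full"):
                    full_depths.append(valid[s] + 1)
                elif trust == "marginal":
                    marginal_depths.append(valid[s] + 1)
            if len(full_depths) >= COMPLETES_NEEDED:
                valid[key] = min(full_depths)
                changed = True
            elif len(marginal_depths) >= MARGINALS_NEEDED:
                valid[key] = min(marginal_depths)
                changed = True
    return valid


def ksp_scenario():
    """Sign every passport-verified stranger at the KSP, trust them marginally."""
    sigs = [
        (ME, "alice"), (ME, "bob"), (ME, "carol"),              # checked at the KSP
        ("alice", "dave"), ("bob", "dave"), ("carol", "dave"),  # dave met them elsewhere
    ]
    trust = {ME: "ultimate", "alice": "marginal", "bob": "marginal",
             "carol": "marginal"}
    return compute_validity(sigs, trust)


def strict_scenario():
    """Sign only a previously known person; the same strangers get no signature."""
    sigs = [
        (ME, "old_friend"),
        ("old_friend", "alice"),
        ("alice", "dave"), ("bob", "dave"), ("carol", "dave"),
    ]
    # Even full ownertrust in old_friend is not enough further down the path.
    trust = {ME: "ultimate", "old_friend": "full", "alice": "marginal"}
    return compute_validity(sigs, trust)


if __name__ == "__main__":
    print("KSP policy   :", ksp_scenario())     # dave valid at depth 2
    print("strict policy:", strict_scenario())  # dave never becomes valid
```

In the first web, three marginally trusted signatures from people verified at the party make `dave` valid two hops away; in the second, the single signature chain through `old_friend` never accumulates enough trust, so neither `bob`, `carol` nor `dave` is ever valid from `me`'s point of view, which is the "much weaker web" the mail describes.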
