On Fri, Jun 19, 2009 at 09:37:57PM +0300, Eddy Petrișor wrote:
> Before the KSP, thanks to your old posts I decided I would only sign
> keys for people that I at least saw (talked to) once before and who
> appeared to be who they claimed to be in the view of the other
> people present there. OTOH, for people visibly chasing signatures or
> being sloppy when checking the ID or not even looking at me, I
> decided I will not sign their keys.

Maybe I'm a strange bird here, but I really can't say I agree with the
arguments made here against signing keys after verifying government-issued
passports.

I think having verified a government-issued passport (that looks authentic
enough) and that the bearer resembles the photo on that passport closely
enough is much better than not having a well-connected web of trust.

If we want to get into the paranoid realm of some kind of government agents
who aren't who they claim to be, I think they will find a way inside such an
open project as Debian no matter what people's key signing policies are.

The point is, my signature is good for a declaration that I have verified
the passport of a person and compared the photo to the face. Whether someone
then trusts that signature or not (and to what extent) is of course their
decision, but if I only signed keys of people I have known since childhood,
it would make the web of trust much weaker and the trust paths to other
people who I don't know very long, with lots of signatures from people who I
don't know, for no real benefit.

> Some of those people decided to sign my key although I had no
> contact with them before or after the KSP.
>
> IMO, *that* is plain wrong!

It's exactly what I consider good policy, if your ID looks good enough.

Sami
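The message above turns on what a key signature actually declares. In OpenPGP that declaration is carried explicitly: a certification signature on a user ID has a class byte (0x10 generic, 0x11 persona, 0x12 casual, 0x13 positive, RFC 4880 section 5.2.1), and gpg fills it in from the answer to `--ask-cert-level`, so a "verified the passport and compared the face" signature can be distinguished from a "never looked" one by anyone evaluating the web of trust. The script below is an added example, not code from this thread or from the Debian project: it walks a binary OpenPGP key export (the output of `gpg --export KEYID`) and lists each certification with the class its signer chose. The sample export at the bottom is constructed inline from dummy key material and two made-up issuer key IDs so the script runs offline; signature validity is not checked, only the declared class is read.

```python
# Added example, not code from the thread: list the certifications in a binary
# OpenPGP key export (e.g. `gpg --export KEYID`) with the class each signer
# chose (RFC 4880 5.2.1), which gpg sets from the answer to --ask-cert-level.
# The export at the bottom is constructed from dummy key material (offline).
import struct

CERT_CLASSES = {0x10: "generic (no statement about verification)",
                0x11: "persona (identity not checked at all)",
                0x12: "casual (some casual verification)",
                0x13: "positive (substantial verification, e.g. photo ID)"}

def _varlen(buf: bytes, i: int, two_octet_max: int):   # new-format length at buf[i] -> (length, octets used)
    b1 = buf[i]
    if b1 < 192:
        return b1, 1
    if b1 < two_octet_max:
        return ((b1 - 192) << 8) + buf[i + 1] + 192, 2
    if b1 == 255:
        return struct.unpack(">I", buf[i + 1:i + 5])[0], 5
    raise ValueError("partial body lengths not supported")

def iter_packets(blob: bytes):
    """Yield (tag, body) per packet; old- and new-format headers (RFC 4880 4.2)."""
    i = 0
    while i < len(blob):
        ctb = blob[i]
        if not ctb & 0x80:
            raise ValueError(f"bad packet tag byte at offset {i}")
        if ctb & 0x40:                          # new format: tag in the low 6 bits
            tag = ctb & 0x3F
            length, n = _varlen(blob, i + 1, 224)
        else:                                   # old format: tag in bits 2..5
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            n = (1, 2, 4)[ltype]
            length = int.from_bytes(blob[i + 1:i + 1 + n], "big")
        body = blob[i + 1 + n:i + 1 + n + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        yield tag, body
        i += 1 + n + length

def iter_subpackets(area: bytes):               # (type, data) pairs from a subpacket area (RFC 4880 5.2.3.1)
    i = 0
    while i < len(area):
        length, n = _varlen(area, i, 255)
        body = area[i + n:i + n + length]
        yield body[0] & 0x7F, body[1:]          # high bit of the type byte is the "critical" flag
        i += n + length

def parse_v4_signature(body: bytes):
    """Return (signature type, issuer key ID hex) for a v4 signature packet, else None."""
    if body[0] != 4:
        return None
    hashed_len = struct.unpack(">H", body[4:6])[0]
    hashed = body[6:6 + hashed_len]
    off = 6 + hashed_len
    unhashed = body[off + 2:off + 2 + struct.unpack(">H", body[off:off + 2])[0]]
    issuer = None
    for sp_type, data in list(iter_subpackets(hashed)) + list(iter_subpackets(unhashed)):
        if sp_type == 16:                       # issuer key ID subpacket
            issuer = data.hex().upper()
    return body[1], issuer

def certifications(blob: bytes):
    """Every user-ID certification in the export with the class the signer declared."""
    out, uid = [], None
    for tag, body in iter_packets(blob):
        if tag == 13:                           # user ID packet
            uid = body.decode("utf-8", "replace")
        elif tag == 2 and uid is not None:      # signature packet following a user ID
            parsed = parse_v4_signature(body)
            if parsed and 0x10 <= parsed[0] <= 0x13:
                out.append({"uid": uid, "issuer": parsed[1], "class": parsed[0],
                            "meaning": CERT_CLASSES[parsed[0]]})
    return out

# Constructed sample export: dummy key packet, one user ID, two certifications.
def _packet(tag, body): return bytes([0xC0 | tag, len(body)]) + body       # new-format header
def _subpacket(sp_type, data): return bytes([len(data) + 1, sp_type]) + data

def make_certification(sig_type: int, issuer_keyid_hex: str) -> bytes:
    hashed = _subpacket(2, struct.pack(">I", 1245443877))         # signature creation time
    unhashed = _subpacket(16, bytes.fromhex(issuer_keyid_hex))    # issuer key ID (made up)
    body = (bytes([4, sig_type, 1, 8])                            # v4, class, RSA, SHA-256
            + struct.pack(">H", len(hashed)) + hashed + struct.pack(">H", len(unhashed)) + unhashed
            + b"\x12\x34" + struct.pack(">H", 8) + b"\x80")       # hash prefix, dummy 1-byte MPI
    return _packet(2, body)

SAMPLE_EXPORT = (_packet(6, b"\x04" + b"\x00" * 10)                  # dummy public key packet
                 + _packet(13, b"Alice <alice@example.org>")
                 + make_certification(0x13, "0102030405060708")     # "positive": photo ID checked
                 + make_certification(0x11, "1112131415161718"))    # "persona": nothing checked

if __name__ == "__main__":
    for c in certifications(SAMPLE_EXPORT):
        print(f"{c['uid']}: 0x{c['class']:02X} {c['meaning']} by {c['issuer']}")
```

Run against a real export the script will also list the key's own self-signatures (the issuer equals the key's own ID) and silently skip v3 or newer-than-v4 signature packets; what it shows is only the class the signer asserted, not whether the signature verifies or how much you should trust that signer, which is exactly the decision the message above leaves to the person evaluating the signature.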