[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [Debconf-discuss] GPG keysigning?

also sprach Sami Liedes <sliedes@cc.hut.fi> [2009.06.19.2059 +0200]:
> > Before the KSP, thanks to your old posts I decided I would only sign
> > keys for people that I at least saw (talked to) once before and who
> > appeared to be who they claimed to be in the view of the other
> > people present there. OTOH, for people visibly chasing signatures or
> > being sloppy when checking the ID or not even looking at me, I
> > decided I will not sign their keys.
> Maybe I'm a strange bird here, but I really can't say I agree with the
> arguments made here against signing keys after verifying government
> issued passports. 
> I think having verified a government-issued passport (that looks
> authentic enough) and that the bearer resembles enough the photo
> on that passport is much better than not having a well connected
> web of trust.

Is this for small or large values of "enough"?

Does it matter whether I have a passport that carries my name, or
whether the name on my key, with which I consistently identify
myself in Debian, is actually my own name? Why would anyone care?

In this context, I appreciate Wookey's tale of how simple it is to
have your name officially changed. If you're unwilling to accept my
new name, I'll just have to go through extra troubles to get some
government on this earth to issue a new identity. I doubt that will
be much of a hinderance to anyone who actually pursues malice.

I challenge anyone claiming that you will be able to drag me to
court for malice under my GPG identity in a way that you wouldn't be
able to do based on IP address logs and similar.

> If we want to get into the paranoid realm of some kind of
> government agents who aren't who they claim to be, I think they
> will find a way inside such an open project as Debian no matter
> what the key signing policies of people.

Yes. And that's completely unrelated to why we're signing keys
anyway. The web of trust does not protect us from spies. It makes
sure that all of one's actions can be attributed to that very same
person, such that e.g. an upload or a vote actually stems from the
same person who has previously passed the NM process. That's all.

> The point is, my signature is good for a declaration that I have
> verified the passport of a person and compared the photo to the
> face.

Then this is your very own signing policy and you should publish it
as such. This verification is useless in the context of the Debian

> > Some of those people decided to sign my key although I had no
> > contact with them before or after the KSP.
> > 
> > IMO, *that* is plain wrong!
> It's exactly what I consider good policy, if your ID looks good
> enough.

Reason enough to mark your key as untrustable.

Note that you signed my key (330c4a75) on 16 July 2005 at DebConf5.
I presented my Transational Republic passport there, which some do
not accept as "government-issued". You might want to consider
revoking your signature.

 .''`.   martin f. krafft <madduck@debconf.org>
: :'  :  DebConf orga team; press officer
`. `'`
  `-  DebConf9: 24-30 Jul 2009, Extremadura, ES: http://debconf9.debconf.org
windows v.i.s.t.a.: viruses, infections, spyware, trojans and adware

Attachment: digital_signature_gpg.asc
Description: Digital signature (see http://martin-krafft.net/gpg/)

Reply to: