[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [Debconf-discuss] GPG keysigning?

Manoj Srivastava <srivasta@acm.org> writes:

>         However, if you want to tie that key owner to a real person, to
>  somehow (my speculation) bring down the wrath on the community on
>  someone who does something nasty or  subverts the DMUP or causes the FSM
>  to weep, well, you need the meet and greet and key signing
>  stuff. Smiting evil dooers seems to be the major cause that justifies
>  this exerciser, since otherwise the person can just dump their key,
>  change their email, and get away scot free. Hard to smite them then.

I think this is the key point, plus just a general sort of raising the
effort required for someone to subvert the system as Manoj also
mentions.

>         So while signing keys is not about governments, as Russ said, it
>  is about establishing identity, and government issued identity
>  documents are better proxies for establishing that than I can be
>  bothered to do myself.

Particularly given that if one does need to smite, the process of
smiting is likely to be done via a goverment, presumably the one that
issued the identity papers in the first place.  So there is a reasonable
connection.

Security is always a tradeoff -- it's just about where you want to put
the tradeoff between verification work and convenience.  There are a lot
of things that we could do that other organizations do, like hire
private investigators to do background checks (which seems to be coming
routine for employment in the US, at least in a cursory way).  Or we
could sign keys based on e-mail interactions.

Meeting in person and exchanging government ID or something that looks
good enough to fool people is a compromise position, but I do think
there's a general feeling that it's close to a sweet spot in that
tradeoff for what we want out of our web of trust.

Going back to the previous discussion in debian-devel about signing a
key for which the only IDs are pseudonyms, I personally would do that,
but only if I knew the person personally and knew they were the person
who used that pseudonym.  Which means that in the event of smiting being
necessary, I would personally be able to trace that key to a person.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
Reply to: