Re: [Debconf-discuss] GPG keysigning?
Manoj Srivastava <srivasta@debian.org> writes:
> On Mon, Jun 22 2009, Russ Allbery wrote:
>> Going back to the previous discussion in debian-devel about signing a
>> key for which the only IDs are pseudonyms, I personally would do
>> that, but only if I knew the person personally and knew they were the
>> person who used that pseudonym. Which means that in the event of
>> smiting being necessary, I would personally be able to trace that key
>> to a person.
> The key signing then works for you to keep a marker that you
> know the person behind the key, but it does not help the Debian project
> at large, since you know where to deliver the smite, the current or
> future officers of the project may not (especially if you have lost
> interest and moved on to better things, as happen to people).
For me, there are different levels of reproducibility required in
signing a PGP key and in welcoming that person as a Debian Developer.
I'm comfortable signing a key for a pseudonym under some circumstances,
but I would be a lot more leery of accepting a Debian Developer only
known to the project under a pseudonym, even if I knew who the person
was personally. I could see it, but the circumstances would have to be
fairly exceptional.
> The thing is, your identification scheme fails the
> reproducibility test; there is no way that the person with the pseudo
> (i.e. lie [0]) name can't reproduce the identification challenge
> with, say, me, or any wider test authority that does not belong to
> the small subset of the people who know the person behind the key
> well enough to make the smiting a viable deterrent,
Right, this is something that I don't think is necessary for signing a
key but which I would be more concerned with in adding someone as a
Debian Developer.
I sign role keys as well, which to me is a similar situation, but I
wouldn't want someone to be able to upload to the repository using a
role key.
> The set of people familiar with the travel documents is likely
> to be larger, and there are back channels to the authoritative
> distributors which can be used to deliver the smite to, independent of
> personal shared history with the aforementioned individual.
For many Debian developers, I have no idea what country they're even
from, and some names are quite common and not particularly useful as
unique identifiers. I'm unlikely to remember the details of the
government-issued ID that I saw when signing their key.
I'm much more likely to be able to track down someone who would meet my
standard for signing a key under a pseudonym than someone who I met at a
key-signing party and checked via government ID.
It is, however, a lot harder to write simple and straightforward rules
around how one would do that sort of verification than it is to write
the rules for a key-signing party using government ID.
--
Russ Allbery (rra@debian.org) <http://www.eyrie.org/~eagle/>
Reply to: