Re: [Debconf-discuss] GPG keysigning?

Manoj Srivastava <srivasta@debian.org> writes:
> On Mon, Jun 22 2009, Russ Allbery wrote:

>> Going back to the previous discussion in debian-devel about signing a
>> key for which the only IDs are pseudonyms, I personally would do
>> that, but only if I knew the person personally and knew they were the
>> person who used that pseudonym.  Which means that in the event of
>> smiting being necessary, I would personally be able to trace that key
>> to a person.

>         The key signing then works for you to keep a marker that you
>  know the person behind the key, but it does not help the Debian project
>  at large, since you know where to deliver the smite, the current or
>  future officers of the project may not (especially if you have lost
>  interest and moved on to better things, as happens to people).

For me, there are different levels of reproducibility required in
signing a PGP key and in welcoming that person as a Debian Developer.
I'm comfortable signing a key for a pseudonym under some circumstances,
but I would be a lot more leery of accepting a Debian Developer only
known to the project under a pseudonym, even if I knew who the person
was personally.  I could see it, but the circumstances would have to be
fairly exceptional.

>         The thing is, your identification scheme fails the
>  reproducibility test; there is no way that the person with the pseudo
>  (i.e. lie [0]) name can't reproduce the identification challenge
>  with, say, me, or any wider test authority that does not belong to
>  the small subset of the people who know the person behind the key
>  well enough to make the smiting a viable deterrent,

Right, this is something that I don't think is necessary for signing a
key but which I would be more concerned with in adding someone as a
Debian Developer.

I sign role keys as well, which to me is a similar situation, but I
wouldn't want someone to be able to upload to the repository using a
role key.

>         The set of people familiar with the travel documents is likely
>  to be larger, and there are back channels to the authoritative
>  distributors which can be used to deliver the smite to, independent of
>  personal shared history with the aforementioned individual.

For many Debian developers, I have no idea what country they're even
from, and some names are quite common and not particularly useful as
unique identifiers.  I'm unlikely to remember the details of the
government-issued ID that I saw when signing their key.

I'm much more likely to be able to track down someone who would meet my
standard for signing a key under a pseudonym than someone who I met at a
key-signing party and checked via government ID.

It is, however, a lot harder to write simple and straightforward rules
around how one would do that sort of verification than it is to write
the rules for a key-signing party using government ID.

Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>