On Tue, Jun 23, 2009 at 10:43:53AM -0700, Don Armstrong wrote: > Perhaps it would be good enough to have the public checksum-checking > part of the keysigning party very early on in Debconf, and then do the > signing later on during meals, where there would be an opportunity for > more informal interaction to establish identity, etc. beyond the 20 > seconds or so that you have during a mass keysigning. That's a compromise of some kind. I don't think it's necessary the best possible compromise, though. There seem to be two conflicting needs here, which both seem to me to have some importance: a) That the ID check needs to be more than casual, and the nature of a mass key signing party often results in lax checks; b) That a strong WOT is a strongly connected WOT, with lots of (proper) signatures. Judging some of the POVs presented on this list, I probably give quite a bit more weight to (b) than some others here, but in no way think that proper ID checks should not be done (a signature in itself is not valuable if it doesn't certify anything). It's all about the balance really, but personally I do think having a sparse WOT is a bigger problem than lax ID checks in reality among the kind of technologically knowledgeable people like those attending Debconf (or even those using PGP). Really, which one is more assuring, a) that I personally know a person A whom I trust and who has verified the government-issued ID of a person X, whose signature I need to be able to trust; or b) that I personally know a person A, whom I trust, and trust that he knows well some person B, whom I do not know, and there's some kind of assumed knows-well chain A->B->C->D->E->X where I really have no good idea who B..E are? Some POVs expressed here seem to me to ignore the problems of (b) completely. Even given the trust model which seems to be encouraged by the current GPG implementation, the E's signature on X's key would not be assigned any value unless I trust E and consider his key valid. And there's bound to be a long degree of separation between two random people if the relation is "knows well" instead of "has checked ID". But if I know and trust A, I can presume that X is X with a good certainty given A's signature on X's key. That's why a strong WOT is important, and that's just plain incompatible with "signing keys of people you don't know is just wrong!". (On a side note, I consider "knows well but hasn't checked the ID" in many respects a weaker, not a stronger, check than "has checked the ID".) > It may also be useful to put on people's nametags some sort of > indication that they plan to participate in the keysigning so people > know whether to ask about it during meals. [It'd probably also help to > distribute people more randomly during meals.] I'd still prefer some kind of more organized thing to exchange IDs and signatures, precisely because a strongly connected WOT is so important. I don't say it needs to be a tiresome 3 hour session in a parking lot. What then, I don't know, but I think the best thing for the WOT still is to get as many people as possible to verify each other's IDs and sign each other's keys. Perhaps something like many short, only semi-official sessions in different days? Sami
Attachment:
signature.asc
Description: Digital signature