
Re: [Debconf-discuss] GPG keysigning?

On Tue, Jun 23, 2009 at 10:43:53AM -0700, Don Armstrong wrote:
> Perhaps it would be good enough to have the public checksum-checking
> part of the keysigning party very early on in Debconf, and then do the
> signing later on during meals, where there would be an opportunity for
> more informal interaction to establish identity, etc. beyond the 20
> seconds or so that you have during a mass keysigning.

That's a compromise of some kind. I don't think it's necessarily the
best possible compromise, though. There seem to be two conflicting
needs here, which both seem to me to have some importance:

a) That the ID check needs to be more than casual, and the nature of a
mass key signing party often results in lax checks;

b) That a strong WOT is a strongly connected WOT, with lots of
(proper) signatures.

Judging by some of the POVs presented on this list, I probably give quite
a bit more weight to (b) than some others here, but in no way think
that proper ID checks should not be done (a signature in itself is not
valuable if it doesn't certify anything).

It's all about the balance really, but personally I do think having a
sparse WOT is a bigger problem than lax ID checks in reality among the
kind of technologically knowledgeable people like those attending
Debconf (or even those using PGP).

Really, which one is more assuring,

a) that I personally know a person A whom I trust and who has verified
the government-issued ID of a person X, whose signature I need to be
able to trust; or

b) that I personally know a person A, whom I trust, and trust that he
knows well some person B, whom I do not know, and there's some kind of
assumed knows-well chain A->B->C->D->E->X where I really have no good
idea who B..E are?

Some POVs expressed here seem to me to ignore the problems of (b).

Even given the trust model which seems to be encouraged by the current
GPG implementation, the E's signature on X's key would not be assigned
any value unless I trust E and consider his key valid. And there's
bound to be a long degree of separation between two random people if
the relation is "knows well" instead of "has checked ID".

But if I know and trust A, I can presume that X is X with a good
certainty given A's signature on X's key.

That's why a strong WOT is important, and that's just plain
incompatible with "signing keys of people you don't know is just

(On a side note, I consider "knows well but hasn't checked the ID" in
many respects a weaker, not a stronger, check than "has checked the

> It may also be useful to put on people's nametags some sort of
> indication that they plan to participate in the keysigning so people
> know whether to ask about it during meals. [It'd probably also help to
> distribute people more randomly during meals.]

I'd still prefer some kind of more organized thing to exchange IDs and
signatures, precisely because a strongly connected WOT is so
important. I don't say it needs to be a tiresome 3 hour session in a
parking lot. What then, I don't know, but I think the best thing for
the WOT still is to get as many people as possible to verify each
other's IDs and sign each other's keys. Perhaps something like many
short, only semi-official sessions on different days?
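
The validity argument in the message above, as an added example that is not part of the original message and is not GnuPG's own code: a simplified model of the classic PGP trust calculation, comparing the A->B->C->D->E->X chain with a direct signature from A on X's key. The function name, the key names and the way depth is counted are assumptions of this sketch; the three thresholds are GnuPG's documented defaults.

```python
# Simplified sketch of the classic PGP trust model; not GnuPG's own code.
COMPLETES_NEEDED = 1  # GnuPG default for --completes-needed
MARGINALS_NEEDED = 3  # GnuPG default for --marginals-needed
MAX_CERT_DEPTH = 5    # GnuPG default for --max-cert-depth


def valid_keys(me, signatures, ownertrust):
    """Return {key: depth} for every key this model treats as valid.

    signatures: set of (signer, signee) pairs.
    ownertrust: {key: "full" | "marginal"}; absent keys carry no trust.
    A signature counts only if the signer's key is already valid AND
    the signer has been assigned ownertrust.
    """
    trust = {**ownertrust, me: "full"}  # own key stands in for "ultimate"
    valid = {me: 0}
    for depth in range(1, MAX_CERT_DEPTH + 1):
        found = {}
        for signee in {s for _, s in signatures} - set(valid):
            signers = [a for a, b in signatures if b == signee and a in valid]
            full = sum(trust.get(a) == "full" for a in signers)
            marginal = sum(trust.get(a) == "marginal" for a in signers)
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                found[signee] = depth
        if not found:
            break
        valid.update(found)
    return valid


# Constructed data: the "knows well" chain from the message, me->A->B->C->D->E->X.
CHAIN = {("me", "A"), ("A", "B"), ("B", "C"), ("C", "D"), ("D", "E"), ("E", "X")}
# Constructed data: A checked X's ID at a keysigning and signed X's key directly.
PARTY = {("me", "A"), ("A", "X")}

if __name__ == "__main__":
    only_a = {"A": "full"}
    everyone = {k: "full" for k in "ABCDE"}
    print("chain, trusting A only:  ", valid_keys("me", CHAIN, only_a))
    print("chain, trusting A..E:    ", valid_keys("me", CHAIN, everyone))
    print("direct signature from A: ", valid_keys("me", PARTY, only_a))
```

In this model the chain stops at B when only A has ownertrust, and X stays out of reach even with ownertrust on all of A..E because the chain runs past the depth limit.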

