
Re: [Debconf-discuss] using OpenPGP notations to indicate keysigning practices [was: Re: GPG keysigning?]



On 06/23/2009 02:52 PM, martin f krafft wrote:
> Additional metadata, e.g. number and expiration date would
> be helpful.

This would certainly be useful from the smiting perspective, but might
raise privacy concerns if people don't want their passport number (or
whatever) bound to their OpenPGP keys, or even distributed within the
debian project.

> On the other hand, just some clear guidelines that participants HAVE
> TO abide by, would help, e.g. a commitment to a signing policy for
> all keys that are to appear in a Debian keyring.

I think that misses a critical point; i want to use my OpenPGP key for a
variety of purposes both in and out of debian.  I consider it a baseline
tool for managing my digital identity.  While i'm happy to obey
debian-specific guidelines for debian-specific purposes, i have no
intention of obeying debian-specific guidelines for projects outside of
debian, except perhaps by coincidence.

I'm *not* saying that i will sign keys blindly or anything, but there
are scenarios and groups i interact with where it is meaningful and/or
useful to sign a role key, a machine key, or a pseudonymous key, for
example.  If debian makes up some debian-specific guidelines that say
"you must not sign pseudonymous keys", i cannot follow those
instructions without changing my key (or having a debian-specific key
unrelated to my non-debian identity, which seems to defeat the whole
point of the binding).

On the other hand, if debian says "we're only going to accept
certifications with certain well-defined values for the following
attributes for certain purposes within the project", then i can continue
to use my key, and make sure that i follow appropriate guidelines for
certifications that *are* critical to debian.

> I will always challenge the "government-issued ID" due to the vastly
> differing standards across the globe, but "travel document" is
> actually a term that someone uttered earlier, which raises the bar
> a lot higher.

Agreed, though it would be no fun for a DD (or potential DD) who can't
convince her own government to issue her a travel document.  Do we want
to exclude those people from debian?

	--dkg
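The scheme sketched above (a project accepting only certifications whose notation attributes carry well-defined values, while the signer keeps one key for everything) as an added example, not code from this thread or from Debian's keyring tooling. It parses the notation-data subpackets of an OpenPGP signature (RFC 4880, sections 5.2.3.1 and 5.2.3.16) and applies a hypothetical acceptance policy; the notation name idcheck@example.org, its allowed values and the sample subpacket area are invented for illustration.

```python
import struct
NOTATION_DATA = 20     # signature subpacket type, RFC 4880 5.2.3.1
HUMAN_READABLE = 0x80  # first flag octet of notation data, RFC 4880 5.2.3.16

def parse_subpackets(area: bytes):
    """Yield (type, body) for each subpacket in a signature subpacket area."""
    pos = 0
    while pos < len(area):
        first = area[pos]
        if first < 192:
            length, pos = first, pos + 1
        elif first < 255:
            length, pos = ((first - 192) << 8) + area[pos + 1] + 192, pos + 2
        else:
            length, pos = struct.unpack(">I", area[pos + 1:pos + 5])[0], pos + 5
        if length < 1 or pos + length > len(area):
            raise ValueError("malformed subpacket length")
        yield area[pos] & 0x7F, area[pos + 1:pos + length]  # bit 7 = critical flag
        pos += length

def parse_notation(body: bytes):
    """Decode notation data: 4 octets flags, 2+2 octets lengths, then name and value."""
    flags, name_len, value_len = struct.unpack(">IHH", body[:8])
    if len(body) != 8 + name_len + value_len:
        raise ValueError("notation length fields disagree with body size")
    name, value = body[8:8 + name_len].decode("utf-8"), body[8 + name_len:]
    human = bool((flags >> 24) & HUMAN_READABLE)
    return name, (value.decode("utf-8") if human else value)

def build_notation(name: str, value: str) -> bytes:
    """Encode a human-readable notation as a whole subpacket (one-octet length form)."""
    n, v = name.encode(), value.encode()
    body = struct.pack(">IHH", HUMAN_READABLE << 24, len(n), len(v)) + n + v
    return bytes([len(body) + 1, NOTATION_DATA]) + body

# Hypothetical project policy: the notation name and allowed values are invented here.
POLICY = {"idcheck@example.org": {"passport", "national-id"}}

def certification_acceptable(subpacket_area: bytes, policy=POLICY) -> bool:
    """Accept only if every notation the policy names is present with an allowed value."""
    seen = {}
    for ptype, body in parse_subpackets(subpacket_area):
        if ptype == NOTATION_DATA:
            name, value = parse_notation(body)
            seen[name] = value  # notations outside the policy are simply ignored
    return all(seen.get(name) in allowed for name, allowed in policy.items())

# Constructed sample: a creation-time subpacket (type 2), a policy notation, an unrelated one.
SAMPLE_OK = (bytes([5, 2, 0x4A, 0x41, 0, 0]) + build_notation("idcheck@example.org", "passport")
             + build_notation("venue@example.org", "debconf9"))
```

Other projects can read the same certification and apply their own policy to the notations they care about, which is the point of leaving the key itself unchanged.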
