
Re: [Debconf-discuss] Please don't upload GPG keys to keyserver when signing them



Christian Perrier wrote [Thu, Aug 06, 2009 at 08:34:13AM +0200]:
> Today, when asking the GPG keyservers to send me my own keys, I was
> surprised to receive them with up to 30 (THIRTY) new signatures.
> 
> (indeed, I was not surprised to get some...but I was surprised to get
> so many)
> 
> As far as I understand, that means that many people seem to upload
> keys that they've signed directly to the keyserver.
> (...)
> This year, we improved the keysigning process in a nice way, but I
> suggest that next years, the keysigning initial meeting includes a
> demo about how to sign keys properly. I think that at least the
> *technical* way to do things (use caff) is widely accepted enough for
> a demo to be worth it.

Indeed, showing people how things are done is good, but it is even
better to document it (which I think we have collectively done —
still, we have failed to explain it is so). So, we need to get a bit
more awareness regarding not only _how_ to properly do keysigning but
on _what_it_is_about_. Maybe not so much when you think towards the
inside of the project, but towards newcomers and (even more so)
towards potential newcomers. Case in point, I was a couple of months
ago in Nicaragua for a regional FS encounter. We held a KSP, and I
"exchanged" signatures with ~25 people. About a week later, when I was
home already:

• I lectured my KSP crew on the importance of identity verification,
  on what constituted trust, on the importance of the process to me,
  and asked them only to participate if they were actually "into it"
• About 5 of them (only guessing the number) had not yet uploaded
  their keys to the keyservers
• I signed 18 keys using caff; three people later wrote me in private
  to ask WTF to do with the mails I sent them
• I got less than five signatures, and I believe most of the ones I
  sent were not processed

So... Well, what am I proposing? For several years already, Aníbal has
been our kind KSPmaster. First of all, Aníbal: What tools do you use?
What would you say of including paragraphs explaining the above points
(as well as Christian's comments) before the signatures? Of course, I
am willing to provide some writeup.

-- 
Gunnar Wolf • gwolf@gwolf.org • (+52-55)5623-0154 / 1451-2244
