
Re: [Debconf-discuss] GPG keysigning?



also sprach Russ Allbery <rra@debian.org> [2009.06.23.0158 +0200]:
> > However, if you want to tie that key owner to a real person, to
> > somehow (my speculation) bring down the wrath of the community
> > on someone who does something nasty or subverts the DMUP or
> > causes the FSM to weep, well, you need the meet and greet and
> > key signing stuff. Smiting evildoers seems to be the major
> > cause that justifies this exercise, since otherwise the person
> > can just dump their key, change their email, and get away scot
> > free. Hard to smite them then.
> 
> I think this is the key point, plus just a general sort of raising
> the effort required for someone to subvert the system as Manoj
> also mentions.

Right, but where's the borderline? Having gone through the process
of getting an ID from the Transnational Republic, I would have no
trouble imagining that somewhere else on this earth there's a lot
less scrutiny involved when a government ID is issued.

While I still maintain that a community-signed GPG key of a meanie
is not going to allow for a better indictment in court, I see the
argument about the proxy. However, given the broad spectrum of
governments and their standards, I think the cut-off point is
convenient, but not really useful.

Obviously we cannot pick an elite group of countries and deny
signing to citizens whose governments don't have the resources for
rigorous processes or fancy documents, or who are simply corrupt, so
we just accept them all, as long as it's a government.

It might be asking a bit much to expect people to know whether
a given country actually exists, too. I remember people asking me
where the Transnational Republic was.

> Meeting in person and exchanging government ID or something that
> looks good enough to fool people is a compromise position, but
> I do think there's a general feeling that it's close to a sweet
> spot in that tradeoff for what we want out of our web of trust.

Alright, I agree that it's not as useless as I sometimes portray it.
But it's still woefully arbitrary.

-- 
 .''`.   martin f. krafft <madduck@debconf.org>
: :'  :  DebConf orga team; press officer
`. `'`
  `-  DebConf9: 24-30 Jul 2009, Extremadura, ES: http://debconf9.debconf.org
 
it is ok to let your mind go blank, but please turn off the sound.
