I think you miss an important item: people with the same name. In my
small town, I know a lot of people with the same name (first and surname).
In the Linux community we have three different Alan Coxes.
Right. But you never sign just a name; you sign a GPG user ID,
which is associated with an email, or a picture, and you check the
person owns the email, right? Right?
Me, I usually don't sign a key unless I can ensure that the
owner of the email address knows a shared secret we shared at the
keysigning. Admittedly, this is a minor attack vector: if Eve knows
Alice's secret key and passphrase, has control of one of the email
addresses, and Alice does not, then Eve will not get the new signature,
since she does not know the secret I shared with Alice. This is
probably not a vector worth thinking about, I might just start using
caff instead.
PGP identity normally uses an email-like identity (name and email
address), so your point A reduces the set of possible persons who can
misuse the identity check, but ... in security terminology this is called
false security, which is normally worse than no security (people will
trust the wrong thing).
I fail to see this. When we sign keys, the accepted minimal
convention is to use caff, which ensures the signature is propagated
only if the person whose identity you verified (by whatever criteria you
select) owns the ID; or whose real-life face matches their picture
ID.
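The two checks discussed above (the caff-style per-UID challenge mailed to each address, and the extra secret shared in person at the keysigning) combine into one small protocol, modelled here as an added example that is not part of this thread and not caff's own code. Public-key encryption to the recipient's key is replaced by a toy one-time pad derived from a constructed stand-in secret, and all fingerprints, addresses and secrets are constructed; with real keys the challenge would be encrypted with gpg instead.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Key:
    """A key as the signer sees it: fingerprint plus the email UIDs it claims.
    `secret` is a constructed stand-in for the holder's private key material."""
    fingerprint: str
    uids: list
    secret: bytes


def encrypt_to_key(key: Key, token: bytes) -> bytes:
    # Toy stand-in for "encrypt to the recipient's public key": a pad derived
    # from the holder's secret, so only whoever holds `key.secret` can undo it.
    pad = hashlib.sha256(key.secret).digest()
    return bytes(a ^ b for a, b in zip(token, pad))


def decrypt_with(secret: bytes, blob: bytes) -> bytes:
    pad = hashlib.sha256(secret).digest()
    return bytes(a ^ b for a, b in zip(blob, pad))


class Signer:
    """Issues one random challenge per UID and publishes a signature for that
    UID only when the reply proves the challenge AND the in-person secret."""

    def __init__(self) -> None:
        self.pending: dict = {}          # (fingerprint, uid) -> challenge token
        self.meeting_secret: dict = {}   # fingerprint -> secret shared face to face
        self.published: set = set()      # (fingerprint, uid) pairs we vouch for

    def record_meeting(self, key: Key, shared: bytes) -> None:
        self.meeting_secret[key.fingerprint] = shared

    def send_challenges(self, key: Key, mailboxes: dict) -> None:
        for uid in key.uids:
            token = secrets.token_bytes(32)
            self.pending[(key.fingerprint, uid)] = token
            # Mail goes to the UID's address, readable only by the key holder:
            # answering proves control of both the mailbox and the key.
            mailboxes.setdefault(uid, []).append(encrypt_to_key(key, token))

    def receive_reply(self, fingerprint: str, uid: str, proof: bytes) -> bool:
        token = self.pending.get((fingerprint, uid))
        shared = self.meeting_secret.get(fingerprint)
        if token is None or shared is None:
            return False
        expected = hmac.new(shared, token, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, proof):
            return False
        self.published.add((fingerprint, uid))
        return True


def reply_to_challenge(signer, fingerprint, uid, mailboxes,
                       key_secret, meeting_secret, can_read_mailbox) -> bool:
    """Responder's side. The three inputs model what this party controls:
    the key material, the secret from the keysigning, and the mailbox."""
    if not can_read_mailbox or not mailboxes.get(uid):
        return False  # the challenge never reached them
    token = decrypt_with(key_secret, mailboxes[uid][-1])
    proof = hmac.new(meeting_secret, token, hashlib.sha256).digest()
    return signer.receive_reply(fingerprint, uid, proof)


def run_scenarios() -> dict:
    mailboxes: dict = {}
    signer = Signer()
    # Constructed key: two UIDs, one secret.
    alice = Key("0xALICE", ["alice@example.org", "alice@work.example"], b"alice-secret")
    signer.record_meeting(alice, b"shared-at-keysigning")
    signer.send_challenges(alice, mailboxes)

    r = {}
    # Alice: key, mailbox and the in-person secret -> signature on that UID.
    r["alice_home"] = reply_to_challenge(signer, "0xALICE", "alice@example.org", mailboxes,
                                         b"alice-secret", b"shared-at-keysigning", True)
    # The case raised in the thread: Eve holds Alice's key and one mailbox, but
    # was not at the keysigning, so she cannot produce the proof.
    r["eve_key_and_mailbox"] = reply_to_challenge(signer, "0xALICE", "alice@work.example", mailboxes,
                                                  b"alice-secret", b"guess", True)
    # Mailbox control without the key: the challenge is unreadable.
    r["mallory_mailbox_only"] = reply_to_challenge(signer, "0xALICE", "alice@work.example", mailboxes,
                                                   b"wrong-secret", b"shared-at-keysigning", True)
    r["published"] = sorted(signer.published)
    return r


if __name__ == "__main__":
    print(run_scenarios())
```

Each UID is checked on its own, so a key with one address the holder no longer controls gets a signature only on the UIDs that answered; the in-person secret is what keeps a stolen key plus a stolen mailbox from collecting the signature.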
Web of trust is evil! I think Debian should reframe the problem and
use GPG only for limited scopes (upload and sign), identified by key
ID. Debian could build an internal web of trust (checking mail and
identity, with its own extra rules).
My goodness. These are extra rules now?
This is dismaying, and engenders misgivings about the value of
your signatures.