
Re: [Debconf-discuss] OpenPGP primary key expirations
Ugh.  Mailed Jamie directly and didn't see that he CC:ed the list, and lost 
the original email due to Mutt misconfig.

On Monday 16 August 2010 19:47:30 Jameson Rollins wrote:
> On Mon, 16 Aug 2010 14:37:37 -0400, Chris Knadle <chris-debian@coredump.us> wrote:
> > I'd rather not change mailing lists [at least not for the overall
> > discussion] -- while it sounds like it makes sense, I find that in
> > practice changing mailing lists ruins the context.  In this case we're
> > discussing what is/was "correct" for a keysigning /for DebConf10/, or
> > "keysigning for Debian", and going to that mailing list will
> > automatically change the context to be "keysigning in general".  I
> > will sign up for the gnupg-users list anyway, though, so I'm still
> > glad you pointed it out.
> 
> I'm not sure I understand this point.  Is there something about Debian
> or DebConf10 that requires an alteration of how keysigning is done?

Up until DebConf10, the way I've seen keysigning done is:

   A) People send their GPG fingerprints to an organizer
   B) At the event people hand each other a fingerprint and an ID
   C) After the event people go home, sign keys, and upload the signed
      keys to keyservers... maybe.  If they can figure it out on their own.

There's a lot not to like about the above method, first and foremost of which 
is that there are usually little to no instructions given.  No instructions about what 
should be contained in UIDs, what's considered acceptable ID, no discussion on 
PhotoIDs, expiration dates, strength of the key, encryption schemes, etc.  
It's usually all left up to chance, and thus I've never seen keysigning done 
the same way twice.

The keysigning at DebConf10 was totally different [and much better] to 
anything I've seen done previously.  The 'caff' utility from the signing-party 
package is a good tool and I like what it does.  However it makes the 
assumption that it can mail /locally/ and have it get to the internet.  The 
Mail::Mailer Perl library doesn't do much of anything in terms of human-
readable error reporting, and even with configuration it doesn't support SMTP 
over TLS, which is something I needed.

Does this answer your question?

> While I think that context is important in keysigning (different
> requirements and behavior depending on level of familiarity with signee,
> for instance), I don't think one should approach keysigning differently
> just because it's in the context of Debian or DebConf10.

This list has got a small set of people, many of whom are both experienced and 
were involved in the keysigning.  Moving over to /another/ list:
   (a) increases the chance of bikeshedding
   (b) has a good chance of people on this list not signing up for
       the other list, thus losing the majority of the intended audience.

  -- Chris
