shirish शिरीष said [Mon, Jun 13, 2016 at 05:51:59PM +0000]:
> Hi all,
>
> I have a query -
>
> While I understand the web of trust which is one of the major parts of
> keysigning and the process is detailed at
> https://www.debian.org/events/keysigning . Where it fails me is that
> WoT has little or no value to a person who doesn't want or have any
> uploading rights to the debian archive.
>
> The only argument given for WoT for non-technical people is the case
> where you need to prove your electronic identity to another entity
> who's also unknown but you need to prove your identity as Jacob
> Appelbaum is shown doing in citizenfour but such instances are pretty
> rare.
>
> Is there any other compelling reason for non-technical, contributors
> having no upload rights to use WoT , apart from being part of an
> awesome developer's key ?

One reason is to make the WoT a more widely known and used issue. I
know (too!) many security-conscious people who have a GPG key and
insist on the value of encrypting mail, but who are oblivious to the
fact that as long as their identity is not verifiable, their encrypted
mails are perfectly subject to Man-in-the-Middle attacks. PGP-like
systems without a WoT is a nice idea, but a far shot from the whole
shebang.

Second, if you attend DebConf and are not a DD/DM, you might very
probably be interested in eventually becoming one. If six months from
now you decide to start the process, but don't have a signed key, you
will have a setback to begin your process. And, speaking as somebody
living >1000Km from the closest DD¹, that is not always easy to
arrange.

¹ Well, there is one temporarily living in Mexico City, but I've been
  a lonely DD for a long time...

(of course, as a far-away DD, and as one of the keyring-maint team
members, I'm more sensibilized to these issues than many others)