
Re: [Debconf-discuss] using OpenPGP notations to indicate keysigning practices [was: Re: GPG keysigning?]



In article <20090624003554.GF9574@kunpuu.plessy.org> you wrote:
> that would be very welcome. This whole discussion confuses me and I do not
> understand if Debian as a project accepts signatures that are not based on a
> passport or an ID card. For instance, I have used driver's licenses or social
> security cards as well; is that acceptable?

Debian has no way (yet) to tell them apart. In the past Debian just relied
on some trust, just to make sure that a submitted key was not intercepted.
Additional requirements (up to avoiding deniability) have been added later
on (and I think never made official policy?).  There are existing key
signatures older than any official Debian statement between developer keys,
so all of them would have to be redone to be fully trusted (and annotated).

Anyway, I would suggest not to get into the business of setting up a PKI
hierarchy and having an RA who can guarantee gov. identity world wide.

But if you still want to, you can find some information on ID checking and
policy in the CAcert assurer handbook.  CAcert is currently improving all
kinds of details in this area (in order to get audited for inclusion in
Mozilla truststores):

http://wiki.cacert.org/wiki/AssuranceHandbook2
http://wiki.cacert.org/wiki/AcceptableDocuments

Note that assurance for CAcert does not validate the email, since this is
not always practicable in face-to-face meetings (and has all kinds of
problems like company accounts which get revoked).  The CAcert account can
be linked to an email address (and currently they are not rechecked).  CAcert
can sign PGP keys for assured members.

Greetings
Bernd
