
Re: Keysigning via Video Conferencing

Jason Thomas said [Mon, Jun 20, 2016 at 12:31:57PM +1000]:
> Hi all,
> I need to get my key signed; is anyone willing to work with me via
> video conferencing?
> I have uploaded my key to keyring.debian.org and I have also signed
> this message.
> I have a scan of my government issued drivers licence available.


The medium you use to verify your counterpart's identity when
performing a signature is completely up to you; I could be perfectly
happy with cross-signing with $person via videoconferencing — But what
we push, what we *really* expect each of us to do, is to actually
*ensure identity*.

For some, ensuring identity is a matter of checking a
government-issued ID. In this case, Jason is providing a scan of such
an ID. Might I add, in case you take on his request: Are you familiar
with his country's drivers licenses? How hard are they to forge? How
hard would they be to digitally manipulate without other parties
noticing? If that satisfies you, please go ahead and sign. Of course,
Jason, same for you — Although it suffices for us to have your key
"reachable" from the strong set, we really prefer your key being part
of the strong set (that is, other keys being reachable from yours). If
somebody signs your key, please try to sign theirs as well (if you are
convinced of their identity).

Now, I have said this too many times, but once more: As keyring-maint,
we are not collecting samples of people showing valid-looking ID
documents to others. This is one of the issues why we don't have
long-queue key signing parties: Just checking the ID of a complete
stranger is not real identity validation.

My personal guideline is that I will sign your key if and only if I
see your face and can think of your name, and the opposite way
around. That is, if I have a decently-lasting memory of you. Being my
brain so defective in that sense, it is quite a high bar to pass. But
it's also very flexible as well: I can count several dozens of people
in this project who could set up a videoconference with me, read a key
fingerprint with no further requisites, and have a successful

Just as an example (as he answered to this mail), were Jonas to ever
require a key signature from me, he is free to video-call me, even if
he decided to burn all of his government-issued papers, as his face is
worth more to me than any document. Of course, that gives me the
flexibility to also decide to sign pseudonymous keys — I have several
friends who are not OK with divulging their official identity. I often
don't know their real names. That won't stop me from signing their
keys, if their pseudonym's usage is long-term and consistent.

I like my personal policy, but cannot enforce it on anybody. I expect
us all DDs to be careful and responsible on what we sign. Define
responsible as you prefer.

Jason, as Jonas said: Where do you live? We are most interested in you
getting your key back online. If you want, contact us directly to
keyring-maint@debian.org (or publicly here, if you are OK with it) and
we can try to arrange for an in-person meeting between you and
somebody else!


Attachment: signature.asc
Description: Digital signature
