
Re: Keysigning via Video Conferencing

Hi Gunnar,

I'm basically in Sydney, Australia; however, finding time to meet people is difficult these days, with work, a wife and two little kids.

I live in Penrith NSW, and work in Granville NSW. I do travel up and down the east coast of Australia and around Sydney for work, but it's sporadic.

If anyone living in the Sydney area wanted to meet up, I'd be all for it.


On Tue, 2016-06-21 at 22:57 -0500, Gunnar Wolf wrote:

Jason Thomas said [Mon, Jun 20, 2016 at 12:31:57PM +1000]:

Hi all, I need to get my key signed, is anyone willing to work with me via video conferencing? I have uploaded my key to keyring.debian.org and I have also signed this message. I have a scan of my government issued drivers licence available.

<keyring-maint>

The medium you use to verify your counterpart's identity when performing a signature is completely up to you; I could be perfectly happy with cross-signing with $person via videoconferencing — But what we push, what we *really* expect each of us to do, is to actually *ensure identity*. For some, ensuring identity is a matter of checking a government-issued ID. In this case, Jason is providing a scan of such an ID. Might I add, in case you take on his request: Are you familiar with his country's drivers licenses? How hard are they to forge? How hard would they be to digitally manipulate without other parties noticing? If that satisfies you, please go ahead and sign.

Of course, Jason, same for you — Although it suffices for us to have your key "reachable" from the strong set, we really prefer your key being part of the strong set (that is, other keys being reachable from yours). If somebody signs your key, please try to sign theirs as well (if you are convinced of their identity).

Now, I have said this too many times, but once more: As keyring-maint, we are not collecting samples of people showing valid-looking ID documents to others. This is one of the issues why we don't have long-queue key signing parties: Just checking the ID of a complete stranger is not real identity validation.

My personal guideline is that I will sign your key if and only if I see your face and can think of your name, and the opposite way around. That is, if I have a decently-lasting memory of you. Being my brain so defective in that sense, it is quite a high bar to pass. But it's also very flexible as well: I can count several dozens of people in this project who could set up a videoconference with me, read a key fingerprint with no further requisites, and have a successful exchange.

Just as an example (as he answered to this mail), were Jonas to ever require a key signature from me, he is free to video-call me, even if he decided to burn all of his government-issued papers, as his face is worth more to me than any document.

Of course, that gives me the flexibility to also decide to sign pseudonymous keys — I have several friends who are not OK with divulging their official identity. I often don't know their real names. That won't stop me from signing their keys, if their pseudonym's usage is long-term and consistent.

I like my personal policy, but cannot enforce it on anybody. I expect us all DDs to be careful and responsible on what we sign. Define responsible as you prefer.

Jason, as Jonas said: Where do you live? We are most interested in you getting your key back online. If you want, contact us directly to keyring-maint@debian.org (or publicly here, if you are OK with it) and we can try to arrange for an in-person meeting between you and somebody else!

</keyring-maint>

Attachment: signature.asc
Description: This is a digitally signed message part
