On Wed, Jun 22, 2016 at 07:58:43AM -0700, Nikolaus Rath wrote:
> On Jun 21 2016, Gunnar Wolf <gwolf@debian.org> wrote:
> > Now, I have said this too many times, but once more: As keyring-maint,
> > we are not collecting samples of people showing valid-looking ID
> > documents to others. This is one of the issues why we don't have
> > long-queue key signing parties: Just checking the ID of a complete
> > stranger is not real identity validation.
> >
> > My personal guideline is that I will sign your key if and only if I
> > see your face and can think of your name, and the opposite way
> > around.
>
> Hmm. Can you explain that in a little more detail?
>
> As I understand, we'll have to meet a few times for beer until we
> remember each other's name, and then we sign keys - without ever having
> verified if we've actually given our legal name.

To some of us, it doesn't matter what your legal name is or if you have
papers to show that your government and you agree on what your name is.
What matters is that you're you, and that you're the person I know from
a reasonable shared history.

I tend to prefer to sign keys for people I already know.

"This is Richard. I have known him for a long time. We've talked about
things and done things together. We have a history. I know it's him.
Richard is the name he always uses with people. I introduce him to other
people as Richard. If he were to show me a passport that says he's
actually Albert, I'd be very surprised. I might be alarmed, unless
there's a reasonable explanation."

Compare that with this:

"This is a person whom I have never met before, and have never heard of
before. He has some kind of document that I can't reliably verify, which
says his name is Richard. I've heard that forged ID documents aren't that
hard to get and not too expensive, but I don't know how to recognise
forgeries. If I sign his key, he's only a couple of steps away from
having root on millions of Debian machines, including mine. Do I trust
him? I know that PGP key signing is supposed to be only about identity,
but do I really trust the ID documents enough to vouch for his identity,
when the stakes are high? What if he's actually a secret agent from
Malta, and will be infecting Debian with malware to compute the value of
pi?"

We can't have people computing the value of pi. They might find hidden
messages from god-like aliens. As a knight who says NIH, I insist we only
accept hidden messages in pi that we put there ourselves. And that we
sign the messages with PGP keys in the Debian keyring.

I'm not saying that requiring to see someone's government-issued ID to
sign their key is actually bad, but it's also not clear to me that it
should be a necessary condition for signing their key.

Also, legal names are not necessary on keys that get signed. "Legal name"
is a big can of really ugly worms that can hurt some people. See the real
name policies of Facebook and (previously) Google. A name that people
know and recognise is relevant. Preferably a name that we can use to
locate a pi-computing malware uploader if we need to.

PS. *Obviously* a policy to only sign keys for people you already know
is a stratagem to get people to talk to me at parties.

-- 
Schrödinger's backup hypothesis: the condition of any backup is
undefined until a restore is attempted. -- andrewsh
Attachment: signature.asc (Description: PGP signature)