
Re: Keysigning via Video Conferencing



On Jun 22 2016, Lars Wirzenius <liw@liw.fi> wrote:
> On Wed, Jun 22, 2016 at 07:58:43AM -0700, Nikolaus Rath wrote:
>> On Jun 21 2016, Gunnar Wolf <gwolf@debian.org> wrote:
>> > Now, I have said this too many times, but once more: As keyring-maint,
>> > we are not collecting samples of people showing valid-looking ID
>> > documents to others. This is one of the issues why we don't have
>> > long-queue key signing parties: Just checking the ID of a complete
>> > stranger is not real identity validation.
>> >
>> > My personal guideline is that I will sign your key if and only if I
>> > see your face and can think of your name, and the opposite way
>> > around.
>> 
>> Hmm. Can you explain that in a little more detail?
>> 
>> As I understand, we'll have to meet a few times for beer until we
>> remember each other's name, and then we sign keys - without ever having
>> verified if we've actually given our legal name.
>
> To some of us, it doesn't matter what your legal name is or if you
> have papers to show that your government and you agree on what your
> name is. What matters is that you're you, and that you're the person I
> know from a reasonable shared history.
>
> I tend to prefer to sign keys for people I already know. "This is
> Richard. I know him for a long time. We've talked about things and
> done things together. We have a history. I know it's him. Richard is
> the name he always uses with people. I introduce him to other people
> as Richard. If he were to show me a passport that says he's actually
> Albert, I'd be very surprised. I might be alarmed, unless there's a
> reasonable explanation."
[...]

That's all good and well, but I'm wondering what this signing
policy is intended to protect against - and by extension, if it's
actually worth it. If everyone were to follow this procedure then the
bar to becoming a Debian developer would be raised
significantly. Establishing a history of in-person meetings requires a)
the other person to be reasonably close, b) the other person to be at
least somewhat on the same wavelength, c) the other person to be a
Debian developer.


Best,
-Nikolaus

-- 
GPG encrypted emails preferred. Key id: 0xD113FCAC3C4E599F
Fingerprint: ED31 791B 2C5C 1613 AF38 8B8A D113 FCAC 3C4E 599F

             »Time flies like an arrow, fruit flies like a Banana.«
