On Jun 22 2016, Lars Wirzenius <liw@liw.fi> wrote:
> On Wed, Jun 22, 2016 at 07:58:43AM -0700, Nikolaus Rath wrote:
>> On Jun 21 2016, Gunnar Wolf <gwolf@debian.org> wrote:
>> > Now, I have said this too many times, but once more: As keyring-maint,
>> > we are not collecting samples of people showing valid-looking ID
>> > documents to others. This is one of the issues why we don't have
>> > long-queue key signing parties: Just checking the ID of a complete
>> > stranger is not real identity validation.
>> >
>> > My personal guideline is that I will sign your key if and only if I
>> > see your face and can think of your name, and the opposite way
>> > around.
>>
>> Hmm. Can you explain that in a little more detail?
>>
>> As I understand, we'll have to meet a few times for beer until we
>> remember each other's name, and then we sign keys - without ever having
>> verified if we've actually given our legal name.
>
> To some of us, it doesn't matter what your legal name is or if you
> have papers to show that your government and you agree on what your
> name is. What matters is that you're you, and that you're the person I
> know from a reasonable shared history.
>
> I tend to prefer to sign keys for people I already know. "This is
> Richard. I know him for a long time. We've talked about things and
> done things together. We have a history. I know it's him. Richard is
> the name he always uses with people. I introduce him to other people
> as Richard. If he were to show me a passport that says he's actually
> Albert, I'd be very surprised. I might be alarmed, unless there's a
> reasonable explanation."
[...]

That's all good and well, but what I'm wondering is what this signing
policy is intended to protect against - and by extension, if it's
actually worth it.

If everyone were to follow this procedure then the bar to becoming a
Debian developer would be raised significantly. Establishing a history
of in-person meetings requires a) the other person to be reasonably
close, b) the other person to be at least somewhat on the same
wavelength, c) the other person to be a Debian developer.

Best,
-Nikolaus

-- 
GPG encrypted emails preferred. Key id: 0xD113FCAC3C4E599F
Fingerprint: ED31 791B 2C5C 1613 AF38 8B8A D113 FCAC 3C4E 599F

»Time flies like an arrow, fruit flies like a Banana.«