
Re: Keysigning via Video Conferencing



Quoting Peter Colberg (2016-06-23 20:39:52)
> On Thu, Jun 23, 2016 at 07:30:42PM +0200, Jakub Wilk wrote:
>> As a data point, if everybody[0]'s key signing policy had been that 
>> establishing "social bonds" was a prerequisite, I would have almost 
>> certainly never become a DD.
>
> I would like to add another data point as a recent DM. The union of 
> the DDs I have worked with and the DDs that were kind enough to meet 
> with me for key signing on their travel through my city is an empty 
> set. I think that Gunnar’s policy is perfectly fine. At the same time 
> I am glad that there are DDs who allow the Debian community to be an 
> open system.
>
> I am considering participating in a DebConf eventually (since I have 
> read so many positive posts about the experience), but to me it is 
> important to get work done in Debian first and see whether I am in it 
> for the long run, before spending time and resources on travel to a 
> potentially faraway destination.

I sign keys by a similar policy as Gunnar, it seems.  But I do also sign 
people I have not met before...

The logic I use is that I should be able to re-identify later.  If I 
meet the person later I might have forgotten their name (I easily do) 
but if they remind me and tie it to something we talked about or did 
together, I should go "Ahhh!" rather than "hmmm".

It is a balancing act.  Easiest is to only trust your mother and very 
close friends through many years, but you also want to expand the web of 
trust (and maybe also social circles, but that is a _different_ matter).

I think what can help here is expiry time on signatures: If my gut 
feeling says that the person I've discussed perl with for an hour does 
not really etch into my brain that efficiently, and I worry if we bump 
into each other, say 3 years from now, then I would've forgotten who it 
is.  What I then do is sign but with an expiry of the key of 1-2 years.

Expiry on signatures is relatively new to me, however, so I welcome 
input on how that is sensible or not.  And also on how to eventually 
extend the lifespan.
 
 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
