[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Keysigning via Video Conferencing

Quoting Michael Lustfield (2016-06-23 21:27:15)
> Somewhere, I saw it mentioned that you should be able to verify based 
> on history only and their legal name doesn't matter. I don't entirely 
> disagree. The chances of the NSA building a super computer to 
> contribute to Debian, become a DD, and add backdoors into unwatched 
> packages are pretty low. However, this does create hurdles for someone 
> that has left the project under poor circumstances to build a new 
> identity that they use to harm the project. It's also comforting to 
> imagine every DD/DM is real person, just like the rest of us, and is 
> the person they claim to be.

Beare not to confuse matters:

PGP signing do *not* imply judgement of social intent or coding skills!

PGP signing is *only* about identification.

Only when reliable identification is established can we on top of that - 
but _separately_ from the identification, do e.g. endorsements.

When I sign keys of others, I insist on spending time with them first, 
but only to try memorize them for a later "lineup", not to judge their 
skills or attitude or political agenda.  I would sing the key of a 
complete lunatic, if only I felt confident that I could reasonably 
reliably identify that person again later.

 - Jonas

P.S. Probably not a _complete_ lunatic: If I get the impression that the 
person is incapable of handling PGP signing properly, then I will also 
not sign: If e.g. they handle their secret material too sloppily then 
others might too easily get hold of it and impersonate as them, 
effectively leading me unable to re-identify later (I would fail at 
recognizing the impersonator!).

 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private

Attachment: signature.asc
Description: signature

Reply to: