
Re: gpg key validity question



hmh@debian.org said:
>> Should I sign his key ?
> 
> No. Request that he add a UID to his key with his name as it appears on
> his documents (the name that he would have in an international travel pass,
> for example), and sign THAT UID (and any others you have verified to be
> completely true).

I think this needs more consideration. What is being signed into the
trust web is an "identity". That can (and should) be independent of real
name. Why? Because there are people in the world who live in countries
or situations where they cannot safely reveal their real life identity.

If someone's gpg key has the name "John Doe", you should indeed verify by
means of state-issued ID that they are indeed John Doe. But that is not
what makes them trustworthy to debian. What is more important is that
the holder of the John Doe key has proven themselves worthy of trust, by
having an established history of doing competent work for debian.

If you think about it, a trustworthy pseudonym with a history of doing
good work (with that work gpg-signed by that pseudonym, of course) is
_harder_ to fake than a "real" state-issued ID.  As long as someone has
properly established a trustworthy pseudonym, I can't think of any
reason why they shouldn't be signed into the debian web of trust.

Is there anything wrong with that reasoning?

Jason


-- 
To UNSUBSCRIBE, email to debian-mentors-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
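As an added example, not part of Jason's mail, hmh's reply, or any Debian tooling, here are the two operations the thread turns on, written as a shell script against GnuPG: certifying only the UID you actually verified (what hmh advises, instead of signing the whole key), and checking that a signed piece of work was made by the pseudonym's key rather than merely carrying "a good signature" (what Jason's "signed history" argument depends on). It assumes GnuPG 2.1 or later on PATH; the key names (Certifier, johndoe, John Doe), the fingerprints and the "work" file are constructed test data created in a throwaway GNUPGHOME.

```shell
#!/bin/sh
# Added example, not from the original mail or from Debian's tooling.
# (1) Certify ONE verified UID on someone's key instead of the whole key.
# (2) Check that a piece of signed work really comes from the pseudonym's
#     key, not just that "some" signature verifies.
# Assumes GnuPG >= 2.1. All keys, names and files are constructed test data.
set -eu

GNUPGHOME=$(mktemp -d); export GNUPGHOME
WORK=$(mktemp -d)

# Non-interactive gpg: unprotected test keys, no pinentry.
gpg_b() { gpg --batch --no-tty --pinentry-mode loopback --passphrase '' "$@"; }

# Primary-key fingerprint for a user id (the first "fpr" record is the primary).
fpr_of() {
  gpg_b --with-colons --list-keys "$1" 2>/dev/null |
    awk -F: '$1 == "fpr" && !done { print $10; done = 1 }'
}

# Print "<uid><TAB>signed|unsigned" for each UID on KEY ($1), where "signed"
# means a good certification ("!" in --check-sigs output) by key id $2.
uid_cert_status() {
  gpg_b --with-colons --check-sigs "$1" 2>/dev/null |
    awk -F: -v kid="$2" '
      function flush() { if (uid != "") print uid "\t" (seen ? "signed" : "unsigned"); uid = ""; seen = 0 }
      $1 == "uid" { flush(); uid = $10 }
      $1 == "sub" { flush() }
      $1 == "sig" && $2 == "!" && $5 == kid { seen = 1 }
      END { flush() }'
}

# True if UID ($3) on KEY ($1) carries a good certification from key id $2.
uid_is_certified() {
  uid_cert_status "$1" "$2" |
    awk -F'\t' -v u="$3" '$1 == u && $2 == "signed" { ok = 1 } END { exit !ok }'
}

# Primary fingerprint of the key behind a valid detached signature (last
# field of the VALIDSIG status line); prints nothing if the signature is
# bad or the key is unknown.
signer_of() {
  gpg_b --status-fd 1 --verify "$1" "$2" 2>/dev/null |
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" && !done { print $NF; done = 1 }'
}

# True only if SIG ($1) over FILE ($2) was made by the key with fingerprint $3.
work_is_from() {
  [ -n "$3" ] && [ "$(signer_of "$1" "$2")" = "$3" ]
}

# --- constructed test data ---------------------------------------------
gpg_b --quick-generate-key 'Certifier <certifier@example.org>' default default 0
gpg_b --quick-generate-key 'johndoe (pseudonym)' default default 0
CERT_FPR=$(fpr_of 'Certifier <certifier@example.org>')
JOHN_FPR=$(fpr_of 'johndoe (pseudonym)')
CERT_KID=$(printf '%s\n' "$CERT_FPR" | awk '{ print substr($0, length($0) - 15) }')

# John later adds a "real name" UID. The certifier only verified the
# pseudonym (through its signed history), so only that UID is certified;
# the "=" prefix asks gpg for an exact UID match.
gpg_b --quick-add-uid "$JOHN_FPR" 'John Doe <john@example.org>' 2>/dev/null
gpg_b -u "$CERT_FPR" --quick-sign-key "$JOHN_FPR" '=johndoe (pseudonym)' 2>/dev/null

# A piece of work signed by the pseudonym, plus a tampered copy.
printf 'package: foo 1.0-1\n' > "$WORK/work.txt"
printf 'package: foo 1.0-1 (modified)\n' > "$WORK/tampered.txt"
gpg_b -u "$JOHN_FPR" --output "$WORK/work.sig" --detach-sign "$WORK/work.txt" 2>/dev/null

uid_cert_status "$JOHN_FPR" "$CERT_KID"
if work_is_from "$WORK/work.sig" "$WORK/work.txt" "$JOHN_FPR"; then
  echo "work.txt: signed by $JOHN_FPR"
fi
```

The certification check looks only at the UID you selected, so the "John Doe" UID stays unsigned even though it sits on the same key. The work check deliberately reads VALIDSIG rather than GOODSIG: GOODSIG only says a signature verified against some key in your keyring, while VALIDSIG carries the fingerprint, which is the thing you compare against the pseudonym you already trust.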