Re: gpg key validity question
On Thu, Apr 25, 2002 at 05:38:40PM -0400, Jason Lunz wrote:
> I think this needs more consideration. What is being signed into the
> trust web is an "identity". That can (and should) be independent of real
> name. Why? Because there are people in the world who live in countries
> or situations where they cannot safely reveal their real life identity.

That's absurd.  Two reasons:

Debian is an open organization.  We rely on the credibility and publicity
of our developers as insurance that we're not likely to hax0r our
"customers'" boxes.  Our willingness to be open about everything is what makes
us credible.  We don't hide problems.  If working on Debian personally
conflicts with Debian's Social Contract, you shouldn't work on Debian.

If one's safety is threatened by working on Debian, then you certainly
don't want to be found to own the secret key that _provably_ signed some
threatening work.  

> If someone's gpg has the name "John Doe", you should indeed verify by
> means of state-issued ID that they are indeed John Doe. But that is not
> what makes them trustworthy to debian. What is more important is that
> the holder of the John Doe key has proven themselves worthy of trust, by
> having an established history of doing competent work for debian.

Technical competency is another step to NM, _after_ proving identity.
That doesn't mean we should abolish the identification step, though.
> If you think about it, a trustworthy pseudonym with a history of doing
> good work (with that work gpg-signed by that pseudonym, of course) is
> _harder_ to fake than a "real" state-issued ID.  As long as someone has
> properly established a trustworthy pseudonym, I can't think of any
> reason why they shouldn't be signed into the debian web of trust.

Pseudonyms are completely arbitrary.  Some good identification isn't
completely arbitrary.  Being "Chad L. Miller" is much better than being
Papa Smurf, Zero-Cool, or Deep Throat.  Imagine "Hog Farmer 1" as a
signature on the US' Declaration of Independence.

Suppose "Zero-Cool" does something really bad and we expel her from the
project.  What's to stop her from using another pseudonym and email address
to reapply to NM?  

Real names and IDs aren't totally trustworthy, but pseudonyms are worth
exactly shit.

						- chad


-- 
To UNSUBSCRIBE, email to debian-mentors-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org