On Mon, Jul 25, 2016 at 11:46:45AM -0500, Gunnar Wolf wrote:
> [...] Signing an identity must
> mean that you verified the identity in a nontrivial way. Signing
> somebody you have not directly interacted with at all is wrong in my
> eyes.

I agree.

> But, again, find two DDs with active keys in the keyring with personal
> policies different than mine, and I will accept it. Hell, I won't even
> be able to know about it :)

While I appreciate that you accept keys signed with other policies than yours, I don't think keyring maintainers should be willing to accept *all* signatures done by DDs. (And I do see the problem that you cannot know everything…) But still, if you *hear* some signatures have been done under fishy circumstances, I *do* think you should object. Else I^wsomeones may be tempted to try to game the system…

IOW: please don't state you'd be willing to accept *any* signatures done by two DDs… maybe just adding a single word and saying "you'd *almost* be willing…" is enough to make the difference I think is important here.

I fully understand your POV, but if I were to take a similar stance, namely "I will sign any key presented under any ID to me, because I have no means whatsoever to properly verify IDs anyway", and if there then were several DDs with that policy… I don't think that would be good. And it would be worse if our keyring maintainers were to accept those IDs into Debian.

--
cheers,
Holger, with no clear signing policy… (I mostly only sign keys from people I know offline+online, but I do make frequent exceptions from that… and what means knowing a person anyway…)
Attachment:
signature.asc
Description: Digital signature