Re: Why are in-person meetings required for the debian keyring?



On 2015-02-11 21:45, Paul Tagliamonte wrote:
> I agree with Philip (as usual), but it's also the standard that we hold
> ourselves to when signing someone's OpenPGP key -- I can't assert
> someone's identity matches without meeting them.

I think this is spot on. This identity match ties a unique key to a
certain individual, a person that you have met in the flesh. And adding
to the identity verification, there's also a form of accountability in
there, because if that person were to do something malicious within the
project, consequences could be imposed.

Having said that, "identity verification" does not necessarily mean
checking a government ID to me. You can claim to be Santa Claus for all
I care, but if I see you hold a talk in front of 100 people at DebConf
as "Santa Claus", with people I know and trust referring to you as
"Santa Claus", and other members which I know and trust confirming that
you have been visiting DebConf and other FOSS events as "Santa Claus"
for over a decade, I'll happily sign your key with a "Santa Claus" uid,
as I will believe that is your identity.

On 2015-02-11 20:17, Nikolaus Rath wrote:
> In other words: just because I'm sure about someone's
> legal name, I wouldn't trust him to run code on my computer. But if
> someone has been contributing to Debian for 5 years with a specific GPG
> key, I'd probably trust him to prepare a package no matter if the name
> associated with the GPG key actually corresponds to some legal identity
> or not.

I highly disagree. "Contributing to Debian for 5 years" alone is well
within the means and patience of various organizations with potentially
malicious intentions.