
Keysigning in times of COVID-19



Hello,

We have people approaching Debian with a lack of GPG signatures, and we
generally cannot ask them to travel and meet other developers in person
to get their key signed.

Technically, we are not requiring that people meet a DD in person, only
that people have their key signed by a DD.

Technically, every DD has their own policies for signing keys, which
could go from not requiring meeting in person at all, to requiring to
meet in person multiple times. It might require to check a government
issued photo ID, or it might not.

Practically, I feel like most of the time people's policies match what
are the perceived expectations of the rest of the project. Meeting in
person has always been a good safe bet, if only for the reason that it's
been accepted without question for many years.

It's time to review those expectations.

For example, speaking of myself only, if my goal is to raise the cost of
impersonation or sock puppet identities, then probably signing someone's
key after having worked with them online for a significant time, would
require a much higher cost than showing up at a keysigning party with a
fake ID good enough to fool me.

Others may have other policies, and are likely to be acceptable.

As DAM, I would have a problem if someone automatically signed the keys
of every stranger who asked them nicely in an email. At the same time, I
am open to the idea of policies that do not require meeting people in
person.

I think the world has changed enough in the last months that currently
perceived project expectations about key signing are getting out of
alignment with practical realities, and it might be time to explore
other options.

I do not intend to ask people to break their sensible signing policies
so that people can get into Debian. I'm interested instead in exploring
what signing policies people may have, or may be considering, that have
been staying out of our narrative because we've always been having a
specific standard one that worked.

What do you think could be alternative key signing policies, that would
be acceptable to you, that would not require traveling and meeting face
to face?


Enrico

-- 
GPG key: 4096R/634F4BD1E7AD5568 2009-05-08 Enrico Zini <enrico@enricozini.org>
