
Re: Keysigning in times of COVID-19

Hi Enrico,

thanks for bringing this up.

Quoting Enrico Zini (2020-08-06 17:54:21)
> What do you think could be alternative key signing policies, that would be
> acceptable to you, that would not require traveling and meeting face to face?

I'm currently in the situation of sponsoring a very skilled prospective new DM
with a couple of packages. My mentee is signing all their git commits and git
tags as well as their emails to me with the same GPG key. This has now been
going on for a few months. So I'm in the situation that I know that somebody
owning a certain private key is either (correct me if I'm wrong):

 - doing a lot of good work
 - being impersonated by an evil third party that always intercepts their
   contributions to Debian (git commits to salsa) as well as their (encrypted!)
   emails to me and replaces the signature with their own

My question to you guys is: how valuable is it that I (or anybody else) meet
the individual owning this key in person and indeed verify (how
skilled are *you* in spotting a counterfeit ID?) that a nation state thinks
that the person of such name does really exist.

What added value does the connection to a government ID give to Debian?

Why would it be wrong of me to sign the key of this person? No matter who is
behind that key: the person with that key has been shown to produce great
contributions for a couple of months *or* there is a really dedicated evil
person trying some scheme over a really long period of time with me. If the
latter is the case, would a person with that much commitment not also be able
to fool me with a fake national ID?

So in my opinion (and please correct my assumptions if they are wrong), an
acceptable key signing policy would also be one where a prospective DM has
shown over several months to produce work that is always signed with the same
key and maybe even communicated (for example via email, maybe even encrypted)
using that GPG key.


cheers, josch

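The policy sketched in the message above (work consistently signed with one key over several months) can be checked mechanically by a sponsor. The following is an added example, not code from the original thread or from Debian; it consumes the output of `git log --format='%H%x09%G?%x09%GP%x09%ct' <range>` run on the sponsor's own machine (so that `%G?` reflects the sponsor's keyring) and reports whether every commit carries a good signature from the same primary key, over how many days, and what is wrong if not. The hashes, fingerprints and dates in the two samples are constructed for illustration; the function names and the 90-day threshold are assumptions of this example.

```python
"""Check key continuity over a git history: every commit good-signed by one
OpenPGP primary key, for at least a minimum number of days."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample in the layout produced by
#   git log --format='%H%x09%G?%x09%GP%x09%ct' <range>
# columns: commit hash, signature status, primary-key fingerprint, commit epoch.
# Hashes, fingerprints and dates are made up (2020-03-01 .. 2020-08-06).
SAMPLE_LOG = """\
1111111111111111111111111111111111111111\tG\tAAAA1111BBBB2222CCCC3333DDDD4444EEEE5555\t1583020800
2222222222222222222222222222222222222222\tU\tAAAA1111BBBB2222CCCC3333DDDD4444EEEE5555\t1585699200
3333333333333333333333333333333333333333\tG\tAAAA1111BBBB2222CCCC3333DDDD4444EEEE5555\t1588291200
4444444444444444444444444444444444444444\tG\tAAAA1111BBBB2222CCCC3333DDDD4444EEEE5555\t1596672000
"""

# Constructed sample showing the failure modes a sponsor should notice:
# an unsigned commit (N, empty fingerprint), a commit signed by a different
# key, and a bad signature (B).
SAMPLE_LOG_MIXED = """\
1111111111111111111111111111111111111111\tG\tAAAA1111BBBB2222CCCC3333DDDD4444EEEE5555\t1583020800
5555555555555555555555555555555555555555\tN\t\t1585699200
6666666666666666666666666666666666666666\tG\tFFFF9999FFFF9999FFFF9999FFFF9999FFFF9999\t1588291200
7777777777777777777777777777777777777777\tB\tAAAA1111BBBB2222CCCC3333DDDD4444EEEE5555\t1596672000
"""

# git's %G? codes: G good, U good but key not trusted in the local keyring,
# B bad, X/Y/R expired or revoked, E could not check, N no signature.
GOOD = {"G", "U"}


@dataclass
class Continuity:
    fingerprint: Optional[str]   # the single primary key seen, or None
    commits: int
    days: int                    # span between oldest and newest commit
    problems: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.problems


def parse_log(text: str) -> List[Tuple[str, str, str, int]]:
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        if len(parts) != 4:
            raise ValueError(f"unexpected log line: {line!r}")
        sha, status, fpr, epoch = parts
        rows.append((sha, status, fpr, int(epoch)))
    return rows


def check_continuity(text: str, min_days: int = 90) -> Continuity:
    """Return a Continuity report; problems is empty when the policy holds."""
    rows = parse_log(text)
    problems: List[str] = []
    keys = set()
    for sha, status, fpr, _ in rows:
        if status == "N":
            problems.append(f"{sha[:12]}: unsigned")
        elif status not in GOOD:
            problems.append(f"{sha[:12]}: signature status {status!r}")
        if fpr:
            keys.add(fpr)
    if len(keys) > 1:
        problems.append("more than one signing key: " + ", ".join(sorted(keys)))
    if rows:
        epochs = [r[3] for r in rows]
        days = (max(epochs) - min(epochs)) // 86400
    else:
        days = 0
        problems.append("no commits in range")
    if days < min_days:
        problems.append(f"only {days} days of history, policy wants {min_days}")
    fingerprint = next(iter(keys)) if len(keys) == 1 else None
    return Continuity(fingerprint, len(rows), days, problems)


if __name__ == "__main__":
    for name, sample in (("clean", SAMPLE_LOG), ("mixed", SAMPLE_LOG_MIXED)):
        r = check_continuity(sample)
        print(name, "OK" if r.ok else "FAIL", r.fingerprint, r.commits, r.days)
        for p in r.problems:
            print("  -", p)
```

Two caveats when running this for real: `%GP` is the primary-key fingerprint, so a contributor rotating signing subkeys under one primary still counts as one key, which is what the policy intends; and `git log` cannot verify tag signatures, so signed tags must be checked separately with `git verify-tag` and their key compared to the fingerprint reported here. A status of `U` is expected until the sponsor has assigned trust to the key, which is exactly the step under discussion.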