
Re: Keysigning in times of COVID-19



Quoting Gerardo Ballabio (2020-08-07 10:34:20)
> Johannes Schauer wrote:
> > So in my opinion (and please correct my assumptions if they are wrong), an acceptable key signing policy would also be one, where a prospective DM has shown over several months to produce work that is always signed with the same key and maybe even communicated (for example via email, maybe even encrypted) using that GPG key.
> 
> I agree that it would be ok to sign that key.
> 
> However, suppose that the key gets lost or compromised.
> Then the prospective DM creates a new key and asks you to sign it.
> How would you verify that the person that shows up with the new key is
> the same person that you have been working with?
> 
> I can't think of an answer that doesn't require connecting the person
> to a verified personal identity (that may or may not be a
> government-certified name).

If it was OK that the first round of several months' collaboration was
conducted without ties to governmental papers, then the continuation
should be as well.

If you are not confident that the person is the same from coding style,
text-chatting style, mimics in videochat etc., then apply the same
requirement as you did for the first round: Trust only after several months
of collaboration tied to the _new_ key.


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
