On Thursday, 6 August 2020, 17.54:21 h CEST, Enrico Zini wrote:
> What do you think could be alternative key signing policies, that would
> be acceptable to you, that would not require traveling and meeting face
> to face?

Several others have eloquently described key signing policies close to mine, but I'll phrase mine here nevertheless.

Since the rumbles of "someone showed up with either a fake passport, or a passport from a not-universally-recognised country at a keysigning party", I became quite dubious about key signing parties: I am not trained, skilled or equipped to validate identity papers from any country, and would probably be fooled by a reasonable copy of a Swiss identity card.

It's of much more value to me to get random non-official papers (a driving license, a business card, a library member card, etc.) that are coherent between themselves: that at least shows an "identity continuity", that I would expect to be also coherent with the identity on the key.

The line I try to stick with is "crowd knowledge": is this person I'm about to sign the key of "known" as the name they claim to carry? Does their key "name" correspond to one or some of the names they go by? In recent times (during which physical encounters were still a possibility), I have actually asked someone else around "can you tell me the name of this person I'm about to sign the key of?" I have also often had a very small chit-chat: "what do you do in Debian / free software?", "what brought you here?". It's not an interview per se, but answers still matter.

Pseudonyms are totally OK for me, as long as the pseudos are in use: person A has an "official" "John Doe" identity, but they usually go as "Eric"; sign their emails with Eric, and get called by (free software) friends "Eric". In the absence of any identity paper, provided they answer as "Eric", are known as "Eric", I would clearly sign their key even without any trace of John Doe anywhere. I don't need to know their "official" name is "John Doe", actually.

My own key is a good case for thought: my "Oriole" identity (and email) got signed a lot by DDs (but not always) despite me not mentioning this pseudonym of mine much, or at all: I am not known, nor would be called "Oriole" in Debian (but would likely respond to that name), but it's still an identity I carry in some circles.

Thanks for sparking that conversation Enrico, it's very interesting!

Cheers,

OdyX, or is it Didier, or Oriole?