Le jeudi, 6 août 2020, 17.54:21 h CEST Enrico Zini a écrit : > What do you think could be alternative key signing policies, that would > be acceptable to you, that would not require traveling and meeting face > to face? Several others have eloquently described key signing policies close to mine, but I'll phrase mine here nevertheless. Since the rumbles of "someone showed up with either a fake passport, or a passport from a not-universally-recognised coutry at a keysigning party", I became quite dubious about key signing parties: I am not trained, skilled or equipped to validate identity papers from any country, and would probably be fooled by a reasonable copy of a swiss identity card. It's of much more value to me to get random non-official papers (a driving license, a business card, a library member card, etc) that are coherent between themselves: that at least shows an "identity continuity", that I would expect to be also coherent with the identity on the key. The line I try to stick with is "crowd knowledge": is this person I'm about to sign the key of "known" as the name they claim to carry? Does their key "name" correspond to one or some of the names they go by? In recent times (during which physical encounters were still a possibility), I have actually asked someone else around "can you tell me the name of this person I'm about to sign the key of?" I have also often had a very small chit-chat: "what do you do in Debian / free software?", "what brought you here?". It's not an interview per se, but answers still matter. Pseudonyms are totally OK for me, as long as the pseudos are in use: person A has an "official" "John Doe" identity, but they usually go as "Eric"; sign their emails with Eric, and get called by (free software) friends "Eric". In absence of any identity paper, provided they answer as "Eric", are known as "Eric", I would clearly sign their key even without any trace of John Doe anywhere. I don't need to know their "official" name is "John Doe", actually. My own key is a good case for thought: my "Oriole" identity (and email) got signed a lot by DDs (but not always) despite me not mentionning this pseudonym of mine much, or at all: I am not known, nor would be called "Oriole" in Debian (but would likely respond to that name), but it's still an identity I carry in some circles. Thanks for sparkling that conversation Enrico, it's very interesting! Cheers, OdyX, or is it Didier, or Oriole ?
Description: This is a digitally signed message part.