
Re: Keysigning in times of COVID-19

On Thursday, 6 August 2020, 17:54:21 CEST, Enrico Zini wrote:
> What do you think could be alternative key signing policies, that would
> be acceptable to you, that would not require traveling and meeting face
> to face?

Several others have eloquently described key signing policies close to mine, 
but I'll phrase mine here nevertheless.

Since the rumbles of "someone showed up with either a fake passport, or a 
passport from a not-universally-recognised country at a keysigning party", I 
became quite dubious about key signing parties: I am not trained, skilled or 
equipped to validate identity papers from any country, and would probably be 
fooled by a reasonable copy of a Swiss identity card. It's of much more value 
to me to get random non-official papers (a driving license, a business card, a 
library member card, etc) that are coherent between themselves: that at least 
shows an "identity continuity", that I would expect to be also coherent with 
the identity on the key.

The line I try to stick with is "crowd knowledge": is this person I'm about to 
sign the key of "known" as the name they claim to carry? Does their key "name" 
correspond to one or some of the names they go by? In recent times (during 
which physical encounters were still a possibility), I have actually asked 
someone else around "can you tell me the name of this person I'm about to sign 
the key of?" I have also often had a very small chit-chat: "what do you do in 
Debian / free software?", "what brought you here?". It's not an interview per 
se, but answers still matter.

Pseudonyms are totally OK for me, as long as the pseudos are in use: person A 
has an "official" "John Doe" identity, but they usually go as "Eric"; sign 
their emails with Eric, and get called by (free software) friends "Eric". In 
absence of any identity paper, provided they answer as "Eric", are known as 
"Eric", I would clearly sign their key even without any trace of John Doe 
anywhere. I don't need to know their "official" name is "John Doe", actually.

My own key is a good case for thought: my "Oriole" identity (and email) got 
signed a lot by DDs (but not always) despite me not mentioning this pseudonym 
of mine much, or at all: I am not known, nor would be called "Oriole" in 
Debian (but would likely respond to that name), but it's still an identity I 
carry in some circles.

Thanks for sparking that conversation Enrico, it's very interesting!

    OdyX, or is it Didier, or Oriole ?
