
Re: Keysigning in times of COVID-19

On Thu, Aug 06, 2020 at 05:54:21PM +0200, Enrico Zini wrote:
> What do you think could be alternative key signing policies, that
> would be acceptable to you, that would not require traveling and
> meeting face to face?

I don't have specific suggestions for a key signing policy but I wrote
this some years ago when this topic came up and I think it's worth
remembering it:

The main purpose of signing someone's key is not to show that you know
that person, but to confirm that the key belongs to the person whose
name and e-mail address appear on it. That means that you communicate
with that person in a trusted way, not that you necessarily have to
trust what they do. And it doesn't even matter if the name written on
the key is the same that appears on the passport or ID card (people
can use a different name for a variety of reasons).

I did not become a Debian developer because I had several signatures
on my key but because I spent some time contributing to Debian and
packaging software, then I got to know other developers, they learned
to trust me, they considered that the work that I had done was good
enough, then advocated me, then I went into a lengthy interview
with several technical and philosophical questions, and only after
that I became a member. The PGP key was just a tool to make the
communication more reliable, and as a matter of fact many of my
interactions with other people from Debian (IRC, bug tracker) are not
done in any cryptographically secure way.

