TL;DR: I think without some link back to real-world identity, we open ourselves up to attacks where people build trust only to betray us.

>>>>> "Jonas" == Jonas Smedegaard <dr@jones.dk> writes:

    Jonas> Quoting Gerardo Ballabio (2020-08-07 10:34:20)
    >> Johannes Schauer wrote:

    Jonas> If ok for first round of several months collaboration was
    Jonas> conducted without ties to governmental papers, then
    Jonas> continuation should as well.

    Jonas> If you are not confident that the person is the same from
    Jonas> coding style, text-chatting style, mimics in videochat etc.,
    Jonas> then apply same requirement as you did for first round: Trust
    Jonas> only after several months of collaboration tied to the _new_
    Jonas> key.

Jonas, first, thanks for describing your rule about interacting with someone enough that you'd recognize them later. I think that makes sense.

I'm uncomfortable, though, with the idea that someone could get their key signed by doing good work, lose the key, and get another key signed later by again doing good work. That opens up attacks that I care about in our model of trust.

The threat I care about, that I hope key signing will help protect us from, is the threat of someone intentionally decreasing the integrity of Debian. That is, someone includes malicious code (or similarly undermines our reputation).

In my mind, we want to require

1) that someone builds up a significant positive reputation, and

2) that it would be costly for them to burn that reputation to mount an attack.

In this model, the advantage of trying to tie a key back to a real-world identity is that we only get one of those. No matter how much good work I do in the future, I cannot escape a betrayal of trust if we tie it back to Sam Hartman.

But if we don't tie it back, let's say I do a year's worth of good work as DebianDude and eventually get my key signed. I can burn that reputation for an attack, having lost a year, but not lost my future possibility of spending another year and getting trusted again (possibly for another attack). An attacker might be much more willing to burn their DebianDude reputation than their Sam Hartman reputation.

Now, that real-world identity might not even need to be a real name. If you're going to recognize the person, know that you've already signed their key, that's probably enough. You can think about whether this is a legitimate and harmless identifier change or whether this is an attempt to cause harm. But you can consider all the identities you've known and link it back to the person.

For me, that linking is key to key signing being valuable.