
Re: Keysigning in times of COVID-19



TL;DR: I think without some link back to real world identity, we open
ourselves up to attacks where people build trust only to betray us.

>>>>> "Jonas" == Jonas Smedegaard <dr@jones.dk> writes:

    Jonas> Quoting Gerardo Ballabio (2020-08-07 10:34:20)
    >> Johannes Schauer wrote:
    Jonas> If ok for first round of several months collaboration was
    Jonas> conducted without ties to governmental papers, then
    Jonas> continuation should as well.

    Jonas> If you are not confident that the person is the same from
    Jonas> coding style, text-chatting style, mimics in videochat etc.,
    Jonas> then apply same requirement as you did for first round: Trust
    Jonas> only after several months of collaboration tied to the _new_
    Jonas> key.

Jonas, first thanks for describing your rule about interacting with
someone enough that you'd recognize them later.

I think that makes sense.  I'm uncomfortable though with the idea that
someone could get their key signed by doing good work, lose the key and
get another key signed later by again doing good work.
That opens up attacks that I care about in our model of trust.

The threat I care about that I hope key signing will help protect us
from is the threat of someone intentionally decreasing the integrity of
Debian.  That is, someone includes malicious code (or similarly
undermines our reputation).

In my mind, we want to require

1) That someone builds up a significant positive reputation

and

2) That it would be costly for them to burn that reputation to mount
an attack.

In this model the advantage of trying to tie a key back to a real-world
identity is that we only get one of those.
No matter how much good work I do in the future, I cannot escape a
betrayal of trust if we tie it back to Sam Hartman.

But if we don't tie it back, let's say I do a year's worth of good work
as DebianDude and eventually get my key signed.
I can burn that reputation for an attack, having lost a year, but not
lost my future possibility of spending another year and getting trusted
again (possibly for another attack).

An attacker might be much more willing to burn their DebianDude
reputation than their Sam Hartman reputation.


Now, that real world identity might not even need to be a real name.
If you're going to recognize the person, know that you've already signed
their key, that's probably enough.
You can think about whether this is a legitimate and harmless
identifier change or whether this is an attempt to cause harm.  But you
can consider all the identities you've known and link it back to the
person.
For me, that linking is key to key signing being valuable.
