[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Keysigning in times of COVID-19

Hello Enrico, and thanks for bringing the discussion over here.

Enrico Zini dijo [Thu, Aug 06, 2020 at 05:54:21PM +0200]:
> Hello,
> we have people approaching Debian with a lack of GPG signatures, and we
> generally cannot ask them to travel and meet other developers in person
> to get their key signed.
> Technically, we are not requiring that people meet a DD in person, only
> that people have their key signed by a DD.
> Technically, every DD has their own policies for signing keys, which
> could go from not requiring meeting in person at all, to requiring to
> meet in person multiple times. It might require to check a government
> issued photo ID, or it might not.
> Practically, I feel like most of the time people's policies match what
> are the perceived expectations of the rest of the project. Meeting in
> person has always been a good safe bet, if only for the reson that it's
> been accepted without question for many years.
> It's time to review those expectations.
> (...)

Enrico brought up this topic to DPL, DAM, front-desk and keyring-maint
about two weeks ago. I will copy over what I answered back then:

    We have been rehashing many of the (great) arguments you present
    every now and then since... At least, I remember the point being
    brought up after the Yuge KSP from HEL at DC5, and the
    Transnational Republic incident of DC6.

    Our guidelines have been for many many many years that "everybody
    is free to set their own policy — but please be sensible and
    careful". We have never sent out an official announcement, either
    from DAM or from keyring-maint, about it... but AIUI we have been
    basically in agreement and explicitly said so at KSP introductions
    (I have, repeatedly).

    We have often mentioned positive examples (i.e. pseudonymous
    community members we completely trust). We have mentioned the ease
    to acquire forged or plainly fake official-looking IDs.

So, where do I stand? I try not to sign keys for people I cannot
recognize without looking at their papers. That means, my signing
resembles a lot my group of friends, the group of peple we meet year
after year in DebConf, plus some others I've bumped into now and
then. IDs? Show them to me, I don't really mind, I have done many
signings without looking at IDs. I know first-hand¹ that forging them
is very easy.

I also know some of our friends have a made-up identity. Some of those
identities are close to twenty years old, at least. That's worth the
same as a birth-given name in my book...

And yes, I have often refused to sign people's keys when they approach
me at a DebConf if we have not held significative interactions in the
past. I usually insist that I do not sign at a first
meeting. Although, yes, if meeting somebody at other ocassions,
specially given Latin America is a quite PGP-sparse region... I tend
to be a bit more flexible, to aid people getting connected and start

And... Well, to the point at hand: Yes, I do think we have to rethink
our policies. I don't have an answer right now, and most likely, I
won't sign any keys during this DebConf. But as more of our activities
are conducted online, we will have to start trusting videoconferences
to prove identities.

(of course... given deepfakes have been getting better and
better... who knows? :-\ )

¹ If you must know, >25 years ago I paid for a passport I should not
  have received. My personal data was correct, but back then, my
  country required a military service "clearance" I didn't have. I am
  not proud of having paid for an illegal document, and would not do
  it again. But it's part of what I learnt, and I am sure my
  experience would not change _too much_ going to other
  countries. More money to spend, perhaps...

Attachment: signature.asc
Description: PGP signature

Reply to: