Hello Enrico, and thanks for bringing the discussion over here.
Enrico Zini dijo [Thu, Aug 06, 2020 at 05:54:21PM +0200]:
> Hello,
>
> we have people approaching Debian with a lack of GPG signatures, and we
> generally cannot ask them to travel and meet other developers in person
> to get their key signed.
>
> Technically, we are not requiring that people meet a DD in person, only
> that people have their key signed by a DD.
>
> Technically, every DD has their own policies for signing keys, which
> could go from not requiring meeting in person at all, to requiring to
> meet in person multiple times. It might require to check a government
> issued photo ID, or it might not.
>
> Practically, I feel like most of the time people's policies match what
> are the perceived expectations of the rest of the project. Meeting in
> person has always been a good safe bet, if only for the reson that it's
> been accepted without question for many years.
>
> It's time to review those expectations.
> (...)
Enrico brought up this topic to DPL, DAM, front-desk and keyring-maint
about two weeks ago. I will copy over what I answered back then:
We have been rehashing many of the (great) arguments you present
every now and then since... At least, I remember the point being
brought up after the Yuge KSP from HEL at DC5, and the
Transnational Republic incident of DC6.
Our guidelines have been for many many many years that "everybody
is free to set their own policy — but please be sensible and
careful". We have never sent out an official announcement, either
from DAM or from keyring-maint, about it... but AIUI we have been
basically in agreement and explicitly said so at KSP introductions
(I have, repeatedly).
We have often mentioned positive examples (i.e. pseudonymous
community members we completely trust). We have mentioned the ease
to acquire forged or plainly fake official-looking IDs.
So, where do I stand? I try not to sign keys for people I cannot
recognize without looking at their papers. That means, my signing
resembles a lot my group of friends, the group of peple we meet year
after year in DebConf, plus some others I've bumped into now and
then. IDs? Show them to me, I don't really mind, I have done many
signings without looking at IDs. I know first-hand¹ that forging them
is very easy.
I also know some of our friends have a made-up identity. Some of those
identities are close to twenty years old, at least. That's worth the
same as a birth-given name in my book...
And yes, I have often refused to sign people's keys when they approach
me at a DebConf if we have not held significative interactions in the
past. I usually insist that I do not sign at a first
meeting. Although, yes, if meeting somebody at other ocassions,
specially given Latin America is a quite PGP-sparse region... I tend
to be a bit more flexible, to aid people getting connected and start
contributing.
And... Well, to the point at hand: Yes, I do think we have to rethink
our policies. I don't have an answer right now, and most likely, I
won't sign any keys during this DebConf. But as more of our activities
are conducted online, we will have to start trusting videoconferences
to prove identities.
(of course... given deepfakes have been getting better and
better... who knows? :-\ )
¹ If you must know, >25 years ago I paid for a passport I should not
have received. My personal data was correct, but back then, my
country required a military service "clearance" I didn't have. I am
not proud of having paid for an illegal document, and would not do
it again. But it's part of what I learnt, and I am sure my
experience would not change _too much_ going to other
countries. More money to spend, perhaps...
Attachment:
signature.asc
Description: PGP signature