Hello Enrico, and thanks for bringing the discussion over here. Enrico Zini dijo [Thu, Aug 06, 2020 at 05:54:21PM +0200]: > Hello, > > we have people approaching Debian with a lack of GPG signatures, and we > generally cannot ask them to travel and meet other developers in person > to get their key signed. > > Technically, we are not requiring that people meet a DD in person, only > that people have their key signed by a DD. > > Technically, every DD has their own policies for signing keys, which > could go from not requiring meeting in person at all, to requiring to > meet in person multiple times. It might require to check a government > issued photo ID, or it might not. > > Practically, I feel like most of the time people's policies match what > are the perceived expectations of the rest of the project. Meeting in > person has always been a good safe bet, if only for the reson that it's > been accepted without question for many years. > > It's time to review those expectations. > (...) Enrico brought up this topic to DPL, DAM, front-desk and keyring-maint about two weeks ago. I will copy over what I answered back then: We have been rehashing many of the (great) arguments you present every now and then since... At least, I remember the point being brought up after the Yuge KSP from HEL at DC5, and the Transnational Republic incident of DC6. Our guidelines have been for many many many years that "everybody is free to set their own policy — but please be sensible and careful". We have never sent out an official announcement, either from DAM or from keyring-maint, about it... but AIUI we have been basically in agreement and explicitly said so at KSP introductions (I have, repeatedly). We have often mentioned positive examples (i.e. pseudonymous community members we completely trust). We have mentioned the ease to acquire forged or plainly fake official-looking IDs. So, where do I stand? I try not to sign keys for people I cannot recognize without looking at their papers. That means, my signing resembles a lot my group of friends, the group of peple we meet year after year in DebConf, plus some others I've bumped into now and then. IDs? Show them to me, I don't really mind, I have done many signings without looking at IDs. I know first-hand¹ that forging them is very easy. I also know some of our friends have a made-up identity. Some of those identities are close to twenty years old, at least. That's worth the same as a birth-given name in my book... And yes, I have often refused to sign people's keys when they approach me at a DebConf if we have not held significative interactions in the past. I usually insist that I do not sign at a first meeting. Although, yes, if meeting somebody at other ocassions, specially given Latin America is a quite PGP-sparse region... I tend to be a bit more flexible, to aid people getting connected and start contributing. And... Well, to the point at hand: Yes, I do think we have to rethink our policies. I don't have an answer right now, and most likely, I won't sign any keys during this DebConf. But as more of our activities are conducted online, we will have to start trusting videoconferences to prove identities. (of course... given deepfakes have been getting better and better... who knows? :-\ ) ¹ If you must know, >25 years ago I paid for a passport I should not have received. My personal data was correct, but back then, my country required a military service "clearance" I didn't have. I am not proud of having paid for an illegal document, and would not do it again. But it's part of what I learnt, and I am sure my experience would not change _too much_ going to other countries. More money to spend, perhaps...
Description: PGP signature