
Re: Keysigning in times of COVID-19



On Sun, Aug 09, 2020 at 12:20:53AM -0500, Gunnar Wolf wrote:
> Adrian Bunk dijo [Fri, Aug 07, 2020 at 04:46:18PM +0300]:
> > Why are you requiring key signing at all when it has no defined semantics?
> > 
> > Many DDs check only the government issued photo ID for signing a key and 
> > this is also how keysigning parties work, but if this is considered 
> > optional there is no defined meaning to a signature.
> > 
> > If you as DAM do not have a problem if DDs have own policies that do not 
> > require checking a government issued photo ID, then I do not see why the 
> > key signing requirement exists at all.
> 
> FWIW, and as I said in my other mail - Each of the three keyring-maint
> members have different policies.
> 
> The word "trust" also has many different meanings and values, but we
> treat it as a binary thing here - Do two people trust the person
> controlling 0x0000DEADBEEF0000 to be Gunnar Wolf or not?
>...

What is the reason for this mapping of a key to a non-unique name?

The point can be made that Debian should know the legal name of
the people who are allowed to upload to the archive.

But this is defeated if it is permitted that I instead just certify by 
signing the key that I trust the person controlling 0x0000DEADBEEF0000 
is some real-life or online person using the name Gunnar Wolf without
verifying against a government issued photo ID.

If this is permitted, then anyone advocating for DM or DD should be 
expected to sign the key without checking any ID.
If I trust you to upload to the archive, then I should also trust 
that you are who you claim to be.

And without a strong reason for requiring identity verification,
the main "benefit" of the requirement of 2 signatures for which
most DDs require in-person meeting is that it reduces diversity
in Debian.

When you need signatures in a place with many DDs, you just check 
when and where the local open source meetup is, go there, and ask
who is a DD.
I can offer first-hand experience that this works.
And the two local DDs I knew from non-Debian contexts were not
even present.

But in places that do not already have too many DDs,
getting signatures can require real effort and expenses.

cu
Adrian