Enrico, I find that the sorts of discussions that you've started are more valuable if someone goes back later and tries to summarize what we've learned. So I'm going to take a stab at that. I don't think we were seeking a consensus, and we didn't find one. What we did find is a number of approaches that seem to have sufficient support. If one of those works for you as a person contemplating signing a key, my take is that you should go for it. We received a number of different suggestions: * We could look at adopting some sort of more formal web of trust--sometimes permitting non-DD signatures to count toward trust in our key ring [Roberto C. Sánchez ] * There was a fair bit of discussion about video meetings. In general many people seemed to believe that these could be adequate. The counter argument is that it is difficult/impossible to explore the security features of government ID over such a meeting. Several people pointed out that most of us don't know how to test those security features anyway. I'd say that video meetings seem to have sufficient support that if you as an individual feel that meets your signing policy, go for it. * We had several people asking what value a government ID gives to us and suggesting that perhaps signing a long-established identity with a proven track record of work is acceptable. * Jonas provided a concrete suggestion for a rule that can apply in Covid although it does mean spending far more time interacting with people than someone who is anxious to get their key signed might want: >A rule that I try to apply for my key-signing, and which I think ties >into your interesting reflections here, is that I will sign the key of >someone whom I feel I would be able to recognize if randomly bumping >into them years later on a bus. >It forces me to try pay attention to the person for long enough that >they make a (hopefully) lasting impression on me. Often I suggest that >we sit for a moment and they tell something about themselves. Not an >interview or a test, just as an aid in etching an impression. Sometimes >we end up hanging out for longer than "needed". Sometimes the >atmosphere is too hectic and we cannot find the calm to tune in - and >then delay the "session". * Several people questioned whether government issued IDs are helpful. * We've had parts of this discussion before; see https://lists.debian.org/debian-project/2015/02/msg00017.html * Didier proposed another concrete rule that can work in the current times: >The line I try to stick with is "crowd knowledge": is this person I'm about to >sign the key of "known" as the name they claim to carry? Does their key "name" >correspond to one or some of the names they go by? In recent times (during >which physical encounters were still a possibility), I have actually asked >someone else around "can you tell me the name of this person I'm about to sign >the key of?" I have also often had a very small chit-chat: "what do you do in >Debian / free software?", "what brought you here?". It's not an interview per >se, but answers still matter. * Jonas pointed out that competence is different from authenticity. It is explicitly important that people be represented by a single identifier. * I expanded on that. We want to make it expensive for someone to build up an identifier with reputation and to risk that reputation by attacking Debian's integrity. That is, people spending a year to build trust and then burning that to get malicious artifacts into Debian is an attack I think we should care about. Binding identity back to a real world identity is one way to make this much more expensive. Each person only gets one real-world identity. If checking government IDs helps with that, then doing so can be useful. I point out that Jonas's rule is another way to accomplish the same. * Adrian Bunk indicated he thought that checking government IDs was an explicit requirement of all our key signings. It's clear from the discussion that's not the case. He then asked what the value was at all if there is not a single consistent approach. We kind of left him hanging without an answer. * Olek Wojnar and Jonathan McDowell proposed reframing the discussion in terms of our approach to identity verification rather than in terms of key signing policy.
Attachment:
signature.asc
Description: PGP signature