[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Potential Summary: Keysigning in times of COVID-19

Enrico, I find that the sorts of discussions that you've  started are
more valuable if someone goes back later and tries to summarize what
we've learned.
So I'm going to take a stab at that.

I don't think we were seeking a consensus, and we didn't find one.  What
we did find is a number of approaches that seem to have sufficient
support.  If one of those works for you as a person contemplating
signing a key, my take is that you should go for it.

We received a number of different suggestions:

* We could look at adopting some sort of more formal web of
  trust--sometimes permitting non-DD signatures  to count toward trust
  in our key ring [Roberto C. Sánchez ]

* There was a fair bit of discussion about video meetings.  In general
  many people seemed to believe that these could be adequate.  The
  counter argument is that it is difficult/impossible to explore the
  security features of government ID over such a meeting.  Several
  people pointed out that most of us don't know how to test those
  security features anyway.  I'd say that video meetings seem to have
  sufficient support that if you as an individual feel that meets your
  signing policy, go for it.

* We had several people asking what value a government ID gives to us
  and suggesting that perhaps signing a long-established identity with a
  proven track record of work is acceptable.

* Jonas provided a concrete suggestion for a rule that can apply in
  Covid although it does mean spending far more time interacting with
  people than someone who is anxious to get their key signed might want:

>A rule that I try to apply for my key-signing, and which I think ties 
>into your interesting reflections here, is that I will sign the key of 
>someone whom I feel I would be able to recognize if randomly bumping 
>into them years later on a bus.

>It forces me to try pay attention to the person for long enough that 
>they make a (hopefully) lasting impression on me.  Often I suggest that 
>we sit for a moment and they tell something about themselves.  Not an 
>interview or a test, just as an aid in etching an impression.  Sometimes 
>we end up hanging out for longer than "needed".  Sometimes the 
>atmosphere is too hectic and we cannot find the calm to tune in - and 
>then delay the "session".

* Several people questioned whether government issued IDs are helpful.

* We've had parts of this  discussion before; see     https://lists.debian.org/debian-project/2015/02/msg00017.html

* Didier proposed another concrete rule that can work in the current times:

>The line I try to stick with is "crowd knowledge": is this person I'm about to 
>sign the key of "known" as the name they claim to carry? Does their key "name" 
>correspond to one or some of the names they go by? In recent times (during 
>which physical encounters were still a possibility), I have actually asked 
>someone else around "can you tell me the name of this person I'm about to sign 
>the key of?" I have also often had a very small chit-chat: "what do you do in 
>Debian / free software?", "what brought you here?". It's not an interview per 
>se, but answers still matter.

* Jonas pointed out that competence is different from authenticity.  It
is explicitly important that people be represented by a single

* I expanded on that.  We want to make it expensive for someone to build
  up an identifier with reputation and to risk that reputation by
  attacking Debian's integrity.  That is, people spending a year to
  build trust and then burning that to get malicious artifacts into
  Debian is an attack I think we should care about.  Binding identity
  back to a real world identity is one way to make this much more
  expensive.  Each person only gets one real-world identity.  If
  checking government IDs helps with that, then doing so can be useful.
  I point out that Jonas's rule is another way to accomplish the same.

* Adrian Bunk indicated he thought that checking government IDs was an
  explicit requirement of all our key signings.  It's clear from the
  discussion that's not the case.  He then asked what the value was at
  all if there is not a single consistent approach.  We kind of left him
  hanging without an answer.

* Olek Wojnar  and Jonathan McDowell  proposed reframing the discussion
  in terms of our approach to identity verification rather than in terms
  of key signing policy.

Attachment: signature.asc
Description: PGP signature

Reply to: