Manoj Srivastava wrote:
> Ask someone how the last big keysigning party (debconf6) was
> subverted.

It was not subverted IMO. Madduck played a little game, and some people decided to go with the herd and accept his ID. It would have been subverted if the person claiming to be madduck was in fact Manoj, say.

I didn't sign madduck's key on that occasion, because I've already done so. I believe I did sign a new uid on his key, but that was on the strength of the fact that the person that I know to be madduck told me that he'd added the uid, and it was on a key that I'd already signed -- the validity of his ID was irrelevant to that decision.

As a counter example, I remember that at least one person turned up with inadequate ID to the Helsinki massed-keysigning and was pretty rapidly ejected from the line. The reason this didn't happen to madduck is that he defused what would otherwise have turned into a hail of protest by being able to produce real ID on demand, and also because he really _is_ madduck.

That being the case, I think you should treat the signatures generated by massed signings as _more_ valuable than average (for an averagely paranoid signer), since massed signings give a herd immunity effect, where the people that are most paranoid about checking IDs raise the bar so that people that would otherwise be duped by dodgy ID are protected.

Also, in the massed signings it is very likely that for any presented ID, there will be someone that is familiar with the format, and so be more likely to spot forgeries -- I suppose an interloper might try to deal with that by presenting one of several IDs to people, always choosing one that they would be unfamiliar with, but that would not get them past the more paranoid.

Perhaps the only thing that needs to be added to the massed signings is the idea that people that present inadequate ID need to be loudly denounced and ejected from the line, so that to survive the procedure one's ID must match the _most_ exacting standards of those present.

(obviously, we'd need to be able to deal with trolls who turn up and just reject everything regardless, but from the way that the ejection worked in Helsinki I'd say all we need to do is add some encouragement for people to make some noise about when you reject someone's ID)

Cheers, Phil.

_______________________________________________
Debconf-discuss mailing list
http://lists.debconf.org/mailman/listinfo/debconf-discuss
