On Wed, 2007-05-09 at 09:33 +0100, Mark Brown wrote:
> The big problem people have with the enormous keysigning parties from a
> trust point of view is that they tend to be tiring and often a bit
> hurried. This tends to reduce the quality of the ID checking that is
> done substantially.

Yes, that's the main problem I see: most people seem to just go into automatic mode of "stare at name on ID, tick off as correct" (not really checking what the ID is/if it's valid/whatever, mostly not complaining if the person looks nothing like the ID photo). Indeed, anyone doing more extensive checks tends to get shouted at by others for slowing everyone else down with them.

fil is optimistic about the filtering effect of the queue, but if people aren't all making valid independent decisions (as they're not in my experience) you should really just be signing everyone with some special key for that keysigning, that people can choose to trust, not pretending that each individual link is fully trustworthy. (If someone fools only 10% of people at a big keysigning into signing them as those people are in a rush etc., they've already got a lot of trusted signatures -- web-of-trust calculations will assume those were all checked independently.)

At the dc6 keysigning there were a number of people who just ignored the instructions about not taking part if you hadn't checked the hash already (as they wanted to get signatures, and wouldn't have another chance as good soon), meaning that people signing them could mistakenly have been signing any key with no relation to that person. (I understand the same was true at the dc5 keysigning.) I tried asking people if they really really had checked it etc., but while some people admitted they hadn't, I'm not sure any of those actually stopped taking part in the keysigning.

-- 
Moray

_______________________________________________
Debconf-discuss mailing list
http://lists.debconf.org/mailman/listinfo/debconf-discuss
