-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Moray Allan wrote: > On Wed, 2007-05-09 at 09:33 +0100, Mark Brown wrote: >> The big problem people have with the enormous keysigning parties from a >> trust point of view is that they tend to be tiring and often a bit >> hurried. This tends to reduce the quality of the ID checking that is >> done substantially. > > Yes, that's the main problem I see: most people seem to just go into > automatic mode of "stare at name on ID, tick off as correct" (not really > checking what the ID is/if it's valid/whatever, mostly not complaining > if the person looks nothing like the ID photo). Indeed, anyone doing > more extensive checks tends to get shouted at by others for slowing > everyone else down with them.
This is a problem, and I agree that it becomes difficult to remain properly alert to the end of a signing. > fil is optimistic about the filtering effect of the queue, but if people > aren't all making valid independent decisions (as they're not in my > experience) you should really just be signing everyone with some special > key for that keysigning, that people can choose to trust, not pretending > that each individual link is fully trustworthy. This sounds like it might be an interesting idea, but given that the IDs need to be checked by individuals anyway, perhaps all you need to do is to make sure that the better connected people in the web-of-trust are evenly distributed through the line, and then only bother doing the rotation as many times as it takes for someone to get from one well signed person to the next -- that is liable to get everyone within about one trust hop of where they would get if the keysigning continued to the bitter end, so would be equivalent to having a keysigning key that all attendees signed and that signed all keys, without the single point of compromise. > (If someone fools only 10% of people at a big keysigning into signing > them as those people are in a rush etc., they've already got a lot of > trusted signatures -- web-of-trust calculations will assume those were > all checked independently.) Well, if they fool only 10% then they're liable to be rejected by at least 5 out of the first 10 people that they see, even if they're lucky -- if we encourage people to be vocal about their rejections, and to pass the fact of rejections on to their neighbours, I really don't see those people staying in the line, or the few people that had previously accepted the doubtful ID following through and signing that key. Perhaps we need to introduce a protocol for denouncing keys that are only supported by doubtful IDs, and to encourage people to make use of it. The reason people get laxer as such events go on is that they are aware that the person's ID has already been checked by an increasing number of people, so perhaps we should just curtail the whole thing after about 10 ID checks, or make it clear that after about the 10th check, it's perfectly acceptable to wander off. That, combined with some way of ensuring that missing people are not allowed to join in the line late (after ID check fatigue starts to set in) should sort the problem out, and speed things up as people wean themselves out as they get tired, rather than just doing cursory checks. > At the dc6 keysigning there were a number of people who just ignored the > instructions about not taking part if you hadn't checked the hash > already (as they wanted to get signatures, and wouldn't have another > chance as good soon), meaning that people signing them could mistakenly > have been signing any key with no relation to that person. (I > understand the same was true at the dc5 keysigning.) I tried asking > people if they really really had checked it etc., but while some people > admitted they hadn't, I'm not sure any of those actually stopped taking > part in the keysigning. Hm, that is a problem -- I got the impression that several such people quickly learnt that they could get their (or someone else's as the case may be) key signed by lying about having done the check -- there's not much that the potential signer can do about being lied to in that case -- adding the mechanism to denounce the key when you are told that it's not been checked would deal with this problem, since they'd then be kicked out of the line, and an announcement could be made for people to strike that key off, so that they cannot sneak back into the line later, and start lying. Cheers, Phil. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFGQcOyYgOKS92bmRARAuAoAJ440qxCKCfsPdFuh+PEIi0S8ZdzUACdGBnS rn5Q09xVSC5rI1rFsHxNSyg= =ZOAa -----END PGP SIGNATURE----- _______________________________________________ Debconf-discuss mailing list [email protected] http://lists.debconf.org/mailman/listinfo/debconf-discuss
