2009/6/17 martin f krafft <[email protected]>:
> also sprach Philip Hands <[email protected]> [2009.06.17.1126 +0200]:
>> The reason that I suggest shouting is, that despite that meaning
>> that there may be a certain amount of chaos at the start as the
>> dodgy keys are flushed out, it will establish a norm of rejecting
>> dodgy ID, which should work against the default group-think that
>> would be encouraging people not to make a fuss, and so err on the
>> side of generosity.
>
> On the subject of a dodgy ID:
>
> http://lists.debian.org/debian-devel/2006/05/msg01463.html
>
> and of course
>
> http://madduck.net/blog/2006.05.27:keysigning-again/
> http://madduck.net/blog/2007.06.27:keysigning-in-edinburgh/
> http://madduck.net/blog/2008.01.28:on-the-point-of-keysigning/

I was one of the guys who immediately recognised you at the KSP in
Edinburgh, and I have no idea how you interpreted my reaction. I remember
asking for a real ID after openly recognising your Transnational Republic
ID; then you asked me why I think that makes any difference.

Before the KSP, thanks to your old posts, I decided I would only sign keys
for people that I had at least seen (talked to) once before and who
appeared to be who they claimed to be in the view of the other people
present there. OTOH, for people visibly chasing signatures, or being
sloppy when checking the ID, or not even looking at me, I decided I would
not sign their keys.

>> This would also eliminate people that have fake ID from places
>> that most people wouldn't recognise at all -- we're almost bound
>> to have a local that will recognise it as fake, and so not sign.
>> By adding the denouncement procedure that key will get signed by
>> nobody at the key signing, rather then getting signed by quite
>> a lot of the people who would have been convinced.
>
> You are putting *way* too much weight and importance into the
> government-issued document, and basically none into the identity of
> the holder. Seriously: we're supposed to be certifying identities,
> not the authenticity of a government document.

Indeed, some people at the KSP were visibly not familiar with the Romanian
passport, and although it looked like many other passports, that document
is in no way a guarantee that I am acting in good faith *within* Debian
and that they are actually seeing the person that claims to be Eddy
Petrișor in the Debian sphere. Some of those people decided to sign my key
although I had no contact with them before or after the KSP. IMO, *that*
is plain wrong! Good thing that I have since revoked that key.

> The only real improvement I know thus far is small groups around
> people with well-connected keys (cf. Edinburgh), and a short (!),
> mandatory lecture up front on what keysigning endeavours to achieve,
> and where the weaknesses are.

I know I appreciated Don's explanations of why checking only the SHA1
sum[1] and cross-confirming that the SHA1 and fingerprint were correct was
enough to make sure that I and any other person were at all times talking
about the same pair of keys. Also, I remember later asking more
knowledgeable people how and why *they* consider a key worth signing at
any given point in time.

[1] on the condition that I printed the document myself on a trusted
printer

--
Regards,
EddyP
=============================================
"Imagination is more important than knowledge" A.Einstein

_______________________________________________
Debconf-discuss mailing list
[email protected]
http://lists.debconf.org/mailman/listinfo/debconf-discuss
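The list-checking step Eddy refers to (verify the SHA1 sum of the distributed participant list, then have each participant confirm the fingerprint printed for them) is mechanical enough to show in code. The following is an added example written for this page, not code from the post or from any KSP tooling: the participant-list format is assumed to resemble `gpg --fingerprint` output, every fingerprint and address in it is made up, and `ANNOUNCED_SHA1` is derived from the constructed list here only because the value the organiser would read aloud does not exist for a made-up list. The `algo` parameter is an assumption of this example too; it lets the same check run with SHA-256, which is what a party today would announce instead of SHA1.

```python
"""Verify a keysigning-party participant list and cross-check a fingerprint.

The procedure modelled: the organiser publishes the list and its checksum;
each participant prints the list, hashes their own copy, confirms the hash
matches the announced value, and then confirms that the fingerprint printed
next to their name is really their key's fingerprint. Because the checksum
covers the whole file, a single changed digit anywhere breaks it, so the
hash check plus every participant vouching for their own line pins the
entire list for everyone in the room.
"""
import hashlib
import hmac
import re

# Constructed sample list (format assumed; fingerprints and addresses are fake).
KEY_LIST = (
    "001  [ ] Fingerprint OK        [ ] ID OK\n"
    "pub   4096R/89ABCDEF 2009-01-01\n"
    "      Key fingerprint = 0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567\n"
    "uid                  Alice Example <alice@example.org>\n"
    "\n"
    "002  [ ] Fingerprint OK        [ ] ID OK\n"
    "pub   1024D/FEDCBA98 2008-06-15\n"
    "      Key fingerprint = FEDC BA98 7654 3210 FEDC  BA98 7654 3210 FEDC BA98\n"
    "uid                  Bob Example <bob@example.org>\n"
)

FINGERPRINT_RE = re.compile(r"Key fingerprint\s*=\s*([0-9A-Fa-f ]{40,})")


def list_digest(data: bytes, algo: str = "sha1") -> str:
    """Hex digest of the distributed list file. SHA1 is what the post describes;
    pass algo="sha256" for a modern party."""
    return hashlib.new(algo, data).hexdigest()


def normalize_fingerprint(fp: str) -> str:
    """Drop grouping whitespace and case so spoken and printed forms compare equal."""
    return re.sub(r"\s+", "", fp).upper()


def fingerprints_in_list(text: str) -> list:
    """All fingerprints on the list, normalised to 40 upper-case hex digits."""
    return [normalize_fingerprint(m) for m in FINGERPRINT_RE.findall(text)]


def verify_list(data: bytes, announced_digest: str, algo: str = "sha1") -> bool:
    """Step 1: my copy of the list must hash to the value the organiser announced."""
    return hmac.compare_digest(list_digest(data, algo), announced_digest.lower())


def confirm_own_fingerprint(text: str, my_fingerprint: str) -> bool:
    """Step 2: the fingerprint printed for me must be exactly my key's fingerprint."""
    return normalize_fingerprint(my_fingerprint) in fingerprints_in_list(text)


# In a real KSP this value comes from the organiser's announcement; it is
# computed here only so the constructed example has a known-good reference.
ANNOUNCED_SHA1 = list_digest(KEY_LIST.encode())


def tampered_list() -> str:
    """A copy in which one hex digit of Bob's fingerprint was altered."""
    return KEY_LIST.replace("3210 FEDC  BA98", "3210 FEDD  BA98")


def demo() -> dict:
    """Run both checks against the clean list and the tampered copy."""
    alice_fp = "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567"
    bob_fp = "FEDC BA98 7654 3210 FEDC BA98 7654 3210 FEDC BA98"
    bad = tampered_list()
    return {
        "clean_list_matches": verify_list(KEY_LIST.encode(), ANNOUNCED_SHA1),
        "tampered_list_matches": verify_list(bad.encode(), ANNOUNCED_SHA1),
        "alice_fp_on_clean_list": confirm_own_fingerprint(KEY_LIST, alice_fp),
        "bob_fp_on_tampered_list": confirm_own_fingerprint(bad, bob_fp),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The hash check protects the file, not the paper: it proves that the bytes I hashed are the bytes everyone else hashed, which is why footnote [1] matters. If the printout is made on a printer someone else controls, the printed fingerprints can differ from the file that was verified, and the second step (each person confirming their own printed line) is what catches that.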
