On Fri, Jun 19, 2009 at 09:37:57PM +0300, Eddy Petrișor wrote:
> Before the KSP, thanks to your old posts I decided I would only sign
> keys for people that I at least saw (talked to) once before and who
> appeared to be who they claimed to be in the view of the other
> people present there. OTOH, for people visibly chasing signatures or
> being sloppy when checking the ID or not even looking at me, I
> decided I will not sign their keys.
Maybe I'm a strange bird here, but I really can't say I agree with the
arguments made here against signing keys after verifying
government-issued passports.
I think having verified a government-issued passport (that looks
authentic enough) and that the bearer resembles enough the photo on
that passport is much better than not having a well connected web of
trust.
If we want to get into the paranoid realm of some kind of government
agents who aren't who they claim to be, I think they will find a way
inside such an open project as Debian no matter what the key signing
policies of people.
The point is, my signature is good for a declaration that I have
verified the passport of a person and compared the photo to the face.
Whether someone then trusts that signature or not (and to what extent)
is of course their decision, but if I only signed keys of people I
know since childhood, it would make the web of trust much weaker and
trust paths to other people who I don't know very long with lots of
signatures from people who I don't know for no real benefit.
> Some of those people decided to sign my key although I had no
> contact with them before or after the KSP.
>
> IMO, *that* is plain wrong!
It's exactly what I consider good policy, if your ID looks good
enough.
Sami
