Nikolaus Rath said [Wed, Jun 22, 2016 at 07:58:43AM -0700]:
> > Now, I have said this too many times, but once more: As keyring-maint,
> > we are not collecting samples of people showing valid-looking ID
> > documents to others. This is one of the issues why we don't have
> > long-queue key signing parties: Just checking the ID of a complete
> > stranger is not real identity validation.
> >
> > My personal guideline is that I will sign your key if and only if I
> > see your face and can think of your name, and the opposite way
> > around.
>
> Hmm. Can you explain that in a little more detail?
>
> As I understand, we'll have to meet a few times for beer until we
> remember each other's name, and then we sign keys - without ever having
> verified if we've actually given our legal name.
Yes, I try to keep that as a guideline. Of course, were you to come to Mexico and meet me, or were I to travel to wherever you live, if we agree to meet for a beer or so and have a couple of hours chatting about what we do and want in Debian or in life... I guess I'd have a much better recollection of your face than if we had met at a massive key-signing party. In said case, however, I would resort to verifying your identity on some official-looking papers. It is not what *I* regard as best, but it's the closest available. Living over 1000 km from the nearest DD, I know firsthand that some people can have a hard time getting signatures, and I will be flexible if needed. But those special cases will more probably "make it" to my long-term memory.

> I'm a little confused as to what sort of malicious activity this is
> intended to stop/make more difficult...?

I want to ensure people actually are known by the identity I sign. The best way to do it is to interact in their social circle and know other people that trust this person's identity. Of course, that's often impossible. A second-best would be to meet you repeatedly throughout some time period, with you having the same identity. That's what I do most of the time: I know the names or pseudonyms of people in Debian and in my local LUGs. I will sign according to those. Government-issued IDs are, IMO, a distant third.

What can a malicious user do? Say, you detect that Foob Arski is a MIA Debian Developer and his mail address bounces. I can point you to several places in my city where you can print genuine-looking fake IDs. Get a driver's license or so going by Foob's name, come to me, I'll sign your key. Do the same with one other DD. Then ask DAM to change your mail in db.debian.org, and ask keyring-maint to change your GPG key. There, you have successfully impersonated a MIA DD, and got upload, machine usage and voting rights in Debian.

