On Mon, Jul 25, 2016 at 11:46:45AM -0500, Gunnar Wolf wrote:
> [...] Signing an identity must
> mean that you verified the identity in a nontrivial way. Signing
> somebody you have not directly interacted with at all is wrong in my
> eyes.
I agree.
> But, again, find two DDs with active keys in the keyring with personal
> policies different than mine, and I will accept it. Hell, I won't even
> be able to know about it :)
While I appreciate that you accept keys signed with other policies than
yours, I don't think keyring maintainers should be willing to accept
*all* signatures done by DDs.
(And I do see the problem that you cannot know everything…)
But still, if you *hear* some signatures have been done under fishy
circumstances, I *do* think you should object.
Else I^wsomeones may be tempted to try to game the system…
IOW: please don't state you'd be willing to accept *any* signatures done
by two DDs… maybe just adding a single word and saying "you'd *almost* be
willing…" is enough to make the difference I think is important here.
I fully understand your POV but if I were to take a similar stance,
namely "I will sign any key presented under any ID to me, because I have
no means whatsoever to properly verify IDs anyway" and if there then
were several DDs with that policy… I don't think that would be good. And
it would be worse if our keyring maintainers were to accept those IDs
into Debian.
--
cheers,
Holger, with no clear signing policy… (I mostly only sign keys
from people I know offline+online, but I do make
frequent exceptions from that… and what means knowing a
person anyway…)