Quoting Sam Hartman (2020-08-07 21:14:10) > > TL;DR: I think without some link back to real world identity, we open > ourselves up to attacks where people build trust only to betray us. > > >>>>> "Jonas" == Jonas Smedegaard <d...@jones.dk> writes: > > Jonas> Quoting Gerardo Ballabio (2020-08-07 10:34:20) > >> Johannes Schauer wrote: > Jonas> If ok for first round of several months collaboration was > Jonas> conducted without ties to governmental papers, then > Jonas> continuation should as well. > > Jonas> If you are not confident that the person is the same from > Jonas> coding style, text-chatting style, mimics in videochat etc., > Jonas> then apply same requirement as you did for first round: Trust > Jonas> only after several months of collaboration tied to the _new_ > Jonas> key. > > Jonas, first thanks for describing your rule about interacting with > someone enough that you'd recognize them later. > > I think that makes sense. I'm uncomfortable though with the idea that > someone could get their key signed by doing good work, lose the key and > get another key signed later by again doing good work. > That opens up attacks that I care about in our model of trust.
I agree. I feel that you are somewhat quoting me out of context: For the record, I do *not* find "several months of [remote] collaboration" adequate for trusting an identity. I simply repeated that criterium from the previous poster - the point I wanted to make was not to confirm the _concrete_ presented criterium, but instead that whatever criteria was adequate first time you met someone should be adequate the next time as well. Yes, we should try be aware of the risk of betrayal - but that can equally well happen at first encounter (I don't know everyone in Debian so some could fool me arguing they were "new"). And it can happen with a faked name and faked passport (I expect it to be *cheap* to fake a passport when not validating by looking up a central database). - Jonas -- * Jonas Smedegaard - idealist & Internet-arkitekt * Tlf.: +45 40843136 Website: http://dr.jones.dk/ [x] quote me freely [ ] ask before reusing [ ] keep private
signature.asc
Description: signature
