Hi Enrico, thanks for bringing this up.
Quoting Enrico Zini (2020-08-06 17:54:21)
> What do you think could be alternative key signing policies, that would be
> acceptable to you, that would not require traveling and meeting face to face?

I'm currently in the situation of sponsoring a very skilled prospective new DM with a couple of packages. My mentee is signing all their git commits and git tags as well as their emails to me with the same GPG key. This has now been going on for a few months.

So I'm in the situation that I know that somebody owning a certain private key is either (correct me if I'm wrong):

- doing a lot of good work
- being impersonated by an evil third party that always intercepts their contributions to Debian (git commits to salsa) as well as their (encrypted!) emails to me and replaces the signature with their own

My question to you guys is: how valuable is it that I (or anybody else) is meeting the individual owning this key in person and indeed verifies (how skilled are *you* in spotting a counterfeit ID?) that a nation state thinks that the person of such name does really exist? What added value does the connection to a government ID give to Debian? Why would it be wrong of me to sign the key of this person?

No matter who is behind that key: the person with that key has shown to produce great contributions for a couple of months *or* there is a really dedicated evil person trying some scheme over a really long period of time with me. If the latter is the case, would a person with that much commitment not also be able to fool me with a fake national ID?

So in my opinion (and please correct my assumptions if they are wrong), an acceptable key signing policy would also be one where a prospective DM has shown over several months to produce work that is always signed with the same key and maybe even communicated (for example via email, maybe even encrypted) using that GPG key.

Thanks!

cheers, josch