On Thu, Aug 06, 2020 at 05:54:21PM +0200, Enrico Zini wrote:
> What do you think could be alternative key signing policies, that
> would be acceptable to you, that would not require traveling and
> meeting face to face?
I don't have specific suggestions for a key signing policy, but I wrote this some years ago when this topic came up and I think it's worth remembering it:

The main purpose of signing someone's key is not to show that you know that person, but to confirm that the key belongs to the person whose name and e-mail address appear on it. That means that you communicate with that person in a trusted way, not that you necessarily have to trust what they do. And it doesn't even matter if the name written on the key is the same one that appears on the passport or ID card (people can use a different name for a variety of reasons).

I did not become a Debian developer because I had several signatures on my key, but because I spent some time contributing to Debian and packaging software. Then I got to know other developers, they learned to trust me, they considered that the work I had done was good enough, then advocated me, then I went through a lengthy interview with several technical and philosophical questions, and only after that I became a member.

The PGP key was just a tool to make the communication more reliable, and as a matter of fact many of my interactions with other people from Debian (IRC, bug tracker) are not done in any cryptographically secure way.

Berto