Hi Sam,

On Fri, Aug 7, 2020 at 3:39 PM Sam Hartman <hartm...@debian.org> wrote:

>
> TL;DR: I think without some link back to real world identity, we open
> ourselves up to attacks where people build trust only to betray us.
>

I agree with you that this is a potentially-serious problem. However, I'm
not sure that keysigning is the right place to address it. I've seen a
number of comments, including yours, seemingly conflate the trust we place
in the validity of a cryptographic key and the trust we place in someone
during the NM process. I think it is important to distinguish between the
two.

So, I don't really care (much) how technically competent or hard-working
someone is when I sign their key. Thanks to some great tools, it's fairly
easy to verify that they do indeed control the email addresses tied to
their key. That's what I care about at that point in time.

Now, if they want me to sponsor them in the NM process, that's when I am
going to take a much closer look at their work and their attitude and
determine if we should grant them the level of trust that goes with
completing that process. That is also where I humbly submit we should have
some level of identity verification. I'm not sure what that should look
like but the point is where it should take place. If we previously verified
someone's identity and subsequently banned them from the project, the NM
process seems like the logical place to ensure that such a person is not
able to slip back into Debian. Centralized and standardized is much easier
in a process administered by a few people (NM) than in a distributed
process with substantial variability and no means of reliable QA (random
keysigning party).

-Olek
