Thanks for the summary, Sam. As an 'amicus' of the project, and interested in these topics, I wanted to provide my 2 cents.

First of all, you are not the only one with this situation. The issue arises from the vague meaning of a signature on a PGP key, and also appears in other venues when using a network of PGP signatures. Be that "the" WoT or an internal one of DDs, as soon as you have many people acting as introducers, with slightly different criteria, it ends up with a somewhat diffuse meaning.

I do think it is important to define what the objectives of the Developers' PGP keys are. Is it to ensure that the same online entity is responsible for all the uploads of that named individual? So that if there is some questionable action it can be traced back to the responsible individual? To make it hard to "game" the project? To have a single identifier?

On the topic of malicious activity, I should note that, while it is important that there is a cost of entry that would be "burned" by activities that went to undermine the project goal, and certainly a zero-cost approach would attract many trolls, it is not impossible for a determined attacker:

- A single determined individual might be able to get several identities by identifying through different DDs, either under the same or different aliases. I'd also not consider it entirely true that "Each person only gets one real-world identity", but I don't think corner cases would be needed, when cleverly presenting themselves through different introducers could probably get them in.

- A 'company' that had a specific interest in weakening Debian (perhaps so that its systems are easier to compromise, or because it competes with their own products), to the point of tasking a number of individuals to that end. This would probably be a bigger threat than the previous one, as there would be an external motivation to do that which is financing such activity. Please note that by 'company' I am not meaning just business entities, but also three-letter agencies, nation states, malicious hacker groups, mafia...

Even ignoring the (likely) ability of such groups to get a passport under a name different from the one given at birth to an individual, it seems they would have little trouble producing a new identity to present to Debian. I assume they would probably only have a few people on payroll with the required expertise tasked to infiltrate the project, *however* it would be very easy to let them assume online the identity of any other employee (such as a non-technical receptionist), which would be plenty compared to the number of "ghosthacker developers".

Finally, some technical points:

* PGP signatures can include notations. The main problem is that they are not standardized, but a number of them could be defined with the desired meanings: "I have checked a Government ID", "Online only", "Long time online interaction", "COVID-19", "Verified that the key owner has access to the associated email", "Group key".

* PGP signatures can include an expiration. It is often the case that it is set to the key expiration, but it would be possible to sign a key for only a few months (considering that after that time it will be possible to meet IRL again).

* The piece about matching them with a legal identity (the equivalent of verifying a Passport) could be done through the Government eID, at least for those in the European Union (see the eIDAS regulation). It may be possible to generalise it to other countries through ePassport. Probably "fun" to make it work (both the client and the verification part), but a PGP key cryptographically linked to the Government PKI would be more than a DD looking at a passport.

Best regards
Ángel
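The two technical points in the message above (notations and expiration on a key certification) both live in the hashed subpacket area of an OpenPGP v4 signature packet (RFC 4880, section 5.2.3). The following parser, an added example that is not part of the original message or of any Debian tooling, extracts the creation time, the expiration time and any notation-data subpackets from such a packet and checks whether the certification is still current. The packet it parses is constructed by hand in the script (it is not a real signature and carries a dummy MPI), and the notation names "id-checked@example.org" and "interaction@example.org" are hypothetical stand-ins for the kind of meanings the message proposes.

```python
"""Extract notations and expiration from an OpenPGP v4 signature packet.

Added example (not code from the message or from Debian). Handles the hashed
subpacket area per RFC 4880 5.2.3; the sample packet at the bottom is
constructed here and is not a real signature.
"""
import struct
from datetime import datetime, timedelta, timezone

SUBPACKET_CREATION_TIME = 2
SUBPACKET_EXPIRATION_TIME = 3
SUBPACKET_NOTATION_DATA = 20
NOTATION_HUMAN_READABLE = 0x80000000   # flag bit 0x80 of the first flag octet


def _read_subpacket_length(buf, pos):
    """Subpacket length encoding (RFC 4880 5.2.3.1); returns (length, next_pos)."""
    first = buf[pos]
    if first < 192:
        return first, pos + 1
    if first < 255:
        return ((first - 192) << 8) + buf[pos + 1] + 192, pos + 2
    return struct.unpack(">I", buf[pos + 1:pos + 5])[0], pos + 5


def parse_subpackets(area):
    """Return [(type, critical_flag, body), ...] for one subpacket area."""
    out, pos = [], 0
    while pos < len(area):
        length, pos = _read_subpacket_length(area, pos)
        type_octet = area[pos]
        out.append((type_octet & 0x7F, bool(type_octet & 0x80), area[pos + 1:pos + length]))
        pos += length                     # length covers the type octet plus the body
    return out


def parse_notation(body, critical):
    """Notation subpacket: 4 flag octets, 2-octet name len, 2-octet value len, name, value."""
    flags, name_len, value_len = struct.unpack(">IHH", body[:8])
    name = body[8:8 + name_len].decode("utf-8")
    raw_value = body[8 + name_len:8 + name_len + value_len]
    human = bool(flags & NOTATION_HUMAN_READABLE)
    return {"name": name, "value": raw_value.decode("utf-8") if human else raw_value,
            "human_readable": human, "critical": critical}


def parse_v4_signature(packet_body):
    """Parse a v4 signature packet body (packet header already stripped)."""
    if packet_body[0] != 4:
        raise ValueError("only v4 signatures are handled here")
    sig_type = packet_body[1]             # 0x10..0x13 are key/user-ID certifications
    hashed_len = struct.unpack(">H", packet_body[4:6])[0]
    hashed = packet_body[6:6 + hashed_len]
    created, lifetime, notations = None, None, []
    for sp_type, critical, body in parse_subpackets(hashed):
        if sp_type == SUBPACKET_CREATION_TIME:
            created = datetime.fromtimestamp(struct.unpack(">I", body)[0], timezone.utc)
        elif sp_type == SUBPACKET_EXPIRATION_TIME:
            lifetime = timedelta(seconds=struct.unpack(">I", body)[0])   # relative to creation
        elif sp_type == SUBPACKET_NOTATION_DATA:
            notations.append(parse_notation(body, critical))
    expires = created + lifetime if (created is not None and lifetime is not None) else None
    return {"sig_type": sig_type, "created": created, "expires": expires, "notations": notations}


def is_current(sig, now):
    """`now` is a tz-aware datetime or a Unix timestamp. A certification with no
    expiration subpacket never expires on its own (only with the key)."""
    if not isinstance(now, datetime):
        now = datetime.fromtimestamp(now, timezone.utc)
    return sig["expires"] is None or now < sig["expires"]


# --- constructed sample packet (not a real signature) --------------------------

def _subpacket(sp_type, body, critical=False):
    length = len(body) + 1
    assert length < 192, "sample only uses the one-octet length form"
    return bytes([length, sp_type | (0x80 if critical else 0)]) + body


def _notation(name, value, critical=False):
    n, v = name.encode("utf-8"), value.encode("utf-8")
    body = struct.pack(">IHH", NOTATION_HUMAN_READABLE, len(n), len(v)) + n + v
    return _subpacket(SUBPACKET_NOTATION_DATA, body, critical)


SAMPLE_CREATED = 1590000000               # 2020-05-20T18:40:00Z
SAMPLE_LIFETIME = 90 * 24 * 3600          # a 90-day certification, as the message suggests
_hashed = (
    _subpacket(SUBPACKET_CREATION_TIME, struct.pack(">I", SAMPLE_CREATED))
    + _subpacket(SUBPACKET_EXPIRATION_TIME, struct.pack(">I", SAMPLE_LIFETIME))
    + _notation("id-checked@example.org", "government-id")     # hypothetical notation
    + _notation("interaction@example.org", "online-only")      # hypothetical notation
)
SAMPLE_PACKET = (
    bytes([4, 0x13, 22, 8])               # v4, positive certification, EdDSA, SHA-256
    + struct.pack(">H", len(_hashed)) + _hashed
    + b"\x00\x00"                         # empty unhashed area
    + b"\xab\xcd"                         # left 16 bits of the hash (dummy)
    + struct.pack(">H", 8) + b"\x00"      # dummy MPI; no real signature value
)
SAMPLE = parse_v4_signature(SAMPLE_PACKET)

if __name__ == "__main__":
    print("created :", SAMPLE["created"].isoformat())
    print("expires :", SAMPLE["expires"].isoformat())
    for n in SAMPLE["notations"]:
        print(f"notation: {n['name']} = {n['value']!r} (critical={n['critical']})")
    print("current on 2020-09-01?", is_current(SAMPLE, 1598918400))
```

Only the hashed area is consulted: subpackets in the unhashed area are not covered by the signature and so carry no assurance about what the certifier meant. Note also that the expiration subpacket is a lifetime relative to the creation time, not an absolute date, which is why the parser needs both before it can decide whether a short-lived certification is still current.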