A non-official ID at the keysigning

Sometime during the Debconf6 keysigning party, I swapped my official German ID card (which some did not accept, asking to see a passport instead) for my ID card issued by the Transnational Republic, as part of an ongoing experiment I conduct at various keysigning parties.

I got the ID at Debian's 10th anniversary party in Zurich (which I attended on crutches, despite it being held on the rooftop of a club), and the process required the exchange of some currency as well as presentation of my passport to TR officials. The card itself looks very similar to the German ID card; it does correctly list my personal data and has my photo on it. However, it cannot really be considered an official identity card, because it was issued by an independent political group. Then again, read further down for what "official" can mean in some parts of the world.

At the keysigning, I marked down those (few) who actually took note of the ID and refused to accept it: only one in ten did.

What does this mean? I do not think it means that nine out of ten signing my key do not take keysigning seriously (or don't have a clue about it); you cannot expect people to know the look of the different passports of the various nations represented at the party. It also does not mean that the web of trust is flawed.

To me, the most significant outcome of my little experiment is (and has always been) that a single signature won't do; a single trust path is not enough to verify a person's identity (as in: they are who they claim to be), but every additional trust path serves to strengthen the verification.

The Debian project largely depends on the web of trust. Thus, I wonder whether our requirement of a GPG key signed by a single existing developer is enough for the general case. I am not quite ready to raise this issue yet within the project, but at least many more people now know about it (if they didn't previously).
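To make the point of the two preceding paragraphs concrete (one trust path is weak, several independent ones are strong), here is an added illustration that is not part of the original post: a simplified model of the marginals/completes rule that GnuPG's classic trust model uses to decide whether a key is valid. The names, the signature graph and the trust settings are constructed; the function is a simplification of GnuPG's behaviour (in particular it lets any valid key act as an introducer), not GnuPG's own algorithm.

```python
"""Added illustration, not code from the original post: a simplified version of
the marginals/completes rule from GnuPG's classic trust model, used to show why
a key backed by a single signature is a weaker guarantee than one backed by
several independent signers.  All names and trust values below are constructed."""
from collections import defaultdict


def compute_validity(own_key, ownertrust, signatures,
                     marginals_needed=3, completes_needed=1, max_depth=5):
    """Return {key: 'full' | 'marginal' | 'unknown'}.

    ownertrust maps a key to 'full' or 'marginal' (how far you trust its owner
    to verify other people); keys not listed are untrusted as introducers.
    signatures is a list of (signer, signed) pairs.  A signature only counts if
    the signer's key is itself valid, so validity propagates outward from
    own_key, at most max_depth steps.  The defaults mirror GnuPG's (3 marginals,
    1 complete, depth 5).  Simplification (assumption of this toy model): any
    valid key, full or marginal, may introduce further keys.
    """
    signers_of = defaultdict(set)
    keys = set(ownertrust) | {own_key}
    for signer, signed in signatures:
        signers_of[signed].add(signer)
        keys |= {signer, signed}

    validity = {k: "unknown" for k in keys}
    validity[own_key] = "full"          # your own key is always fully valid

    for _ in range(max_depth):
        new = dict(validity)
        for key in keys:
            if key == own_key:
                continue
            valid_signers = [s for s in signers_of[key] if validity[s] != "unknown"]
            if own_key in valid_signers:
                new[key] = "full"       # you checked this key yourself
                continue
            fulls = sum(1 for s in valid_signers if ownertrust.get(s) == "full")
            margs = sum(1 for s in valid_signers if ownertrust.get(s) == "marginal")
            if fulls >= completes_needed or margs >= marginals_needed:
                new[key] = "full"
            elif fulls or margs:
                new[key] = "marginal"   # some trusted signatures, but not enough
        if new == validity:
            break                       # nothing changed at this depth
        validity = new
    return validity


# Constructed scenario: "you" are alice.  You signed bob, carol and dave after
# checking their IDs yourself, and trust each of them marginally as an introducer.
OWNERTRUST = {"bob": "marginal", "carol": "marginal", "dave": "marginal"}
SIGNATURES = [
    ("alice", "bob"), ("alice", "carol"), ("alice", "dave"),
    # madduck's real key was checked independently by all three of them
    ("bob", "madduck"), ("carol", "madduck"), ("dave", "madduck"),
    # a key presented with an unconvincing ID; only bob accepted it and signed
    ("bob", "impostor"),
]


def validity_under(marginals_needed):
    """Evaluate the constructed graph with a given marginals-needed threshold."""
    return compute_validity("alice", OWNERTRUST, SIGNATURES,
                            marginals_needed=marginals_needed)


if __name__ == "__main__":
    for n in (1, 3):
        v = validity_under(n)
        print(f"marginals_needed={n}: madduck={v['madduck']}, impostor={v['impostor']}")
```

With the threshold at 3, the key signed by one fooled signer only reaches marginal validity while the key with three independent signatures is fully valid; drop the threshold to 1 (the single-signature policy the paragraph above questions) and the two become indistinguishable. Any one signer being fooled at a party is then enough to make the wrong key fully valid, which is exactly the failure mode that additional independent trust paths guard against.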

Those of you who have signed my key may feel cheated at this point. Similarly, those of you who have not yet signed my key may feel disinclined. If you are interested in whether you were among those who accepted the unofficial ID, I'd be glad to let you know if you ask. If you do not feel comfortable signing my key, just don't sign it. And if you did already sign my key, you can revoke the signature.

However, do consider what some folks told me in discussions following the experiment: there are nations out there that will readily issue IDs with unrecognisable photos, IDs with misspelt names, IDs without an expiration date, and multiple IDs at a time.

In the case I illustrated above, I simply introduced a third party, one not trusted by Debian, into the web of trust: the Transnational Republic. In a way, this is what happens whenever we sign keys of nationals of governments we do not trust, and I'd hope that would be most governments of this globe for almost everyone. Then again, as Micah and Biella vigorously assert, it's only really about you and the signer: you are who you claim to be, and I either believe it or not. The government only takes a tangential role.

So what to do? If you care for my opinion (which you do, since you're still reading), then we should just keep on doing what we're doing and collect more keys (and by that I mean everyone). At the same time, I do not think threads like this are necessary; the criticism/concern is valid, but it's too academic for the real-world problem that keysigning is trying to solve.