Aftereffects of the keysigning experiment

The experiment I conducted at the last keysigning party caused this thread (cross-posted to here). While the discussion has long since gone way off-topic, some interesting points have been raised. I also took the opportunity to clarify my point of view on the issue somewhat, compared to the previous blog post:

The Debian project relies heavily on keysigning for much of its work. However, I think the question of what signing a key actually accomplishes has not been properly addressed. In my opinion, from the point of view of the Debian project, a person's actual identity (as in the name on your birth certificate) matters very little; the Debian project does not actively interfere with a person's real life in such a way as to require the birth certificate identity (legal cases, liability issues, etc.).

Moreover, in several countries of this world it is rather trivial to change your official name. In this context, even the claim that in the case of a trust abuse your reputation throughout the FLOSS community (and the rest of the Internet) would be properly tarnished does not stand, IMHO.

From within the project, what matters is that everything you do within the project can be attributed to one and the same person: the same person that went through our NM process. The GPG key is one technical measure to allow for this form of identification. Its purpose is not, as Micah Anderson states, a means to confirm the validity of a government-issued ID.

This brings me to a point which Andreas Schuldei nicely stated at the beginning of the thread (as did others throughout):

I do not need an ID to identify Martin, so I don't need to rely on his (forged or real) passport or other ID from him in order to sign his key. If you did not know him before, you should not sign his key (if your judgement was based on the unofficial ID).

When Andreas signs my ID, he voices his trust that I am who I claim to be, and he does so not because I presented him with an ID bearing the claimed name, but because we have interacted many times before. Along the same line, Gunnar's point stands:

Maybe we should just drop holding KSPs, and fall back to the traditional method of "Hey, nice dinner we had yesterday. Say, now that you know me, my family and my history, would you like to sign my key as well?" - Signing for people you actually know, not just linking

In my eyes, this is exactly what a keysigning is and should be all about: a statement of familiarity with a person, nothing more and nothing less. And as a project, we should either accept that, or find a better way to identify our developers.

So what to do in this very situation? Should you revoke your signature from my key (or not even sign it in the first place)? Should you revoke or refuse signatures to all participants, because some claim the keysigning party to have been subverted? I think the answer in both cases should be: no, unless you did not previously know the person whose key you wish to sign. That is exactly what makes this decision very subjective, and a public call such as the original post rather unnecessary and beside the point.

If you do not care to read the entire thread, here are some of the better replies (in no particular order):

One question that arose while reading this thread is whether Debian could actually persecute one of its members for computer fraud/sabotage/whatever on an international level. And if so, would the real identity really help that much, given that we'll have countless IP addresses to go by? I know it would make things easier (despite it being only a name, no identity, as there is no birthplace or birthdate), but is it worth the hassle?