home of the madduck/ blog/
Keysigning in Edinburgh

At DebConf7, I took part in the keysigning party. Since keysigning is not about authenticating government-issued IDs, I took only my Transnational Republic identity card to the event.

The reactions I got were multifarious:

All in all, I am satisfied with the results and happy to see many more people questioning the web of trust, or at least the way in which we pretend to secure it.

Yet, I have come to the point where I will not take part in keysigning events anymore. The value of the web of trust is overrated, and with every single keysigning party, we just make things worse.

It was a good idea to separate folks into groups around well-connected keys to speed up the process, but the groups were still too large to allow for experienced people to pass knowledge to the less experienced ones. Instead of taking part in the event with a critical eye, I saw people present three forms of identification ("does that mean you are really you, or just that you have more money than the other identity fraudsters?") or asking "trick questions" to verify the birthdate written on these documents ("someone ready to deceive an identity who went through the trouble to fake documents will surely have remembered their data").

I shall, in the future, only sign keys of people I already know, and with whom I've interacted before on a level to know bits about their life, personality, and project involvement. I will not require an ID to be presented. If this goes against your idea of the web of trust, please edit your trust database accordingly. My keys are 0x330c4a75 and 0x667c7088 (not yet used).

NP: Proto-Kaw: Before Became After