At DebConf7, I took part in the keysigning party. Since keysigning is not about authenticating government-issued IDs, I took only my Transnational Republic identity card to the event.

The reactions I got were multifarious:

• some (most) people had heard the story from last year and joyfully checked off my name.

• a number of people challenged me to present a "real" ID, which I refused to do. They then told me they could not sign my key. I asked each to consider what it is they're signing: a statement about their perception of my identity, or a statement about their trust in the governments issuing "official" IDs. Given a second or two, most people would check off my name anyway. What's alarming is that in those cases I had the impression that they simply succumbed to my pressure without thinking about what I actually asked.

• several people didn't need to see my ID and checked off my name after I answered the question about having checked the hashes (which is also rather pointless).

• very few people checked off my name without knowing me or questioning the ID.

• two people smiled and checked the ID, but placed an X or question mark on their sheet.

• one person refused to inspect my ID and crossed out my name.

All in all, I am satisfied with the results and happy to see many more people questioning the web of trust, or at least the way in which we pretend to secure it.

Yet, I have come to the point where I will not take part in keysigning events anymore. The value of the web of trust is overrated, and with every single keysigning party, we just make things worse.

It was a good idea to separate folks into groups around well-connected keys to speed up the process, but the groups were still too large to allow for experienced people to pass knowledge to the lesser-experienced ones. Instead of taking part in the event with a critical eye, I saw people present three forms of identification ("does that mean you are really you, or just that you have more money than the other identify fraudsters?") or asking "trick questions" to verify the birthdate written on these documents ("someone ready to deceive an identity who went through the trouble to fake documents will surely have remembered their data").

I shall, in the future, only sign keys of people I already know, and with whom I've interacted before on a level to know bits about their life, personality, and project involvement. I will not require an ID to be presented. If this goes against your idea of the web of trust, please edit your trust database accordingly. My keys are 0x330c4a75 and 0x667c7088 (not yet used).

NP: Proto-Kaw: Before Became After

Site content are copyright © Martin F. Krafft. Please see the imprint.
I shall not be held liable for offending content in pages linking to or linked from site, nor do I endorse their content unless I stated otherwise.