On the point of keysigning

As during previous keysigning events, such as DebConf7 and DebConf6, I turned up to the LCA 2008 keysigning event with my ID card issued by the Transnational Republic.

Previously, this act has caused people to get rather upset. I have explained my motivation and rationale in response to the thread; yet, my reputation as "keysigning subverter" precedes me. I maintain that I am not subverting the web of trust in any way.

I conduct this "experiment" mainly out of interest, and to sensitise participants of the web of trust. Even though I stated previously that I would no longer attend keysigning events, I couldn't pass up this opportunity on the other side of the planet.

Fifty-seven people exchanged data and glances at ID cards with me. In total, nine people asked about this ID card, mostly out of curiosity, but only one person flat out refused to sign my key. This leaves 47 who apparently accepted it.

If you disagree with my approach, please do not sign my keys, 0x330c4a75 and 0x667c7088 (but do read my arguments, please). I will not import signatures I receive for a while, so if you have already sent your signatures by the time you read this, send me a note and I'll delete them.

Keep in mind that you are not authenticating the ID. You are authenticating my identity. And unless we've interacted or you otherwise know who I am and that I am the same person as is using this key for the work through which you know me, you should not sign my key.

Also note that I continue to stick to my policy and will only sign keys of people that I "know". Thus, if you want my signature and we have not previously interacted, you have four more days until the conference is over.

Update: a couple of people replied, including Paul Wayper. I've since had an interesting discussion with him but still want to address two points in his post here:

The ID presented is not "fake"; it is simply issued by an entity that is not considered "official". Its data are all correct, which I am happy to prove to anyone who cares.

Second: if the web of trust were to die if everyone did what I was doing, would it "live" forever and improve continuously if we continue such mass signings based entirely on IDs? No one can know how to verify IDs from all countries that issue them, and introducing "fakes" is trivial (as my experiment and this message hopefully show). I think it's a case of quality versus quantity. Whether you buy my point that you need to ask yourself what you are actually proving to the web of trust with your signature (and sign (or not) accordingly), or whether you are signing an identity (what is identity?), I would suggest concentrating more on educating people. At the keysigning at DebConf7 in Edinburgh, we split people into smaller groups around well-connected keys. Within each group, prior to the keysigning, experienced key owners would take a short time to talk about the process and explain its goals. Specifically, they would make it explicit that there is no obligation to sign one's key, similar to what Jonathan said in this message prior to the LCA keysigning.

My experiment yielded a small discussion on the LCA chat mailing list, which is worth a read if you haven't seen it yet.