I took a whack at revising the instructions. They are in the docs
directory of the contributors' repository. I was going for clarity and
to respond to some feedback along the same lines as yours. See what you
think; edit the file - please!
On Wednesday, October 15, 2003, at 12:58 AM, Sander Temme wrote:
>> I assume that people more knowledgeable than I will critique this, but
>> this works for me...
>
> I don't know if I'm more knowledgeable, but I have in the past
> volunteered to set up a centrally organized keysigning party at
> Apachecon, and still intend to do so if the planners will have me...
I'm not in that loop. I doubt you need permission. I say go for it!
> Note that this centrally organized keysigning does not in any way
> monopolize the signing of keys: people are welcome, and in fact
> encouraged, to sign each other's keys on an individual basis. The
> event will merely aim to streamline the identification process.
hear hear
>> ...
>> When you encounter folks who might sign your key offer them the scrap
>> of paper with your fingerprint on it and ask for one in return.
>> Always ask to see some official (picture, government, etc) ID. You
>> might be tempted to ask for official ID only when you're less than
>> absolutely certain that you know who you're dealing with. By always
>> asking you both set a good precedent and you don't have to admit
>> when you are or entirely aren't certain about somebody's identity.
>> That can be embarrassing.
>
> I do not see why we should trust the government to say who we are, but
> they frequently claim they can. In fact, this document contradicts
> itself; see below.
I rewrote all that section.
>> Later, but soon, you should: (a) find their key, (b) sign it and (c)
>> upload the result back to the key server you downloaded it from in
>> step (a). You're done, you're cool. With luck they will get around to
>> signing your key at some point too.
>
> I actually advocate mailing the signed key back to its owner. This
> action may just prod the owner into returning the favour. The owner
> can then choose to upload their key with your (and perhaps other) new
> signatures on it.
Interesting. I like to go straight back to the key server so the
network grows.
I think emailing back to the key owner at the same time would be a
can't hurt.
As a nearly irrelevant aside - I'm ambivalent about reciprocity in a
gift community.
>> Signing a key does not indicate that you "trust" the person. It only
>> indicates that you believe that key is associated with the correct
>> person. In fact it's valuable to the whole network of signatures if
>> you sign the keys of members of other communities. So signing the
>> keys of near strangers is a good thing. Just be confident of their
>> identity.
>
> Why would we have to be confident of their identity? Immediately
> above, you just say that "you believe that key is associated with the
> correct person". So we vouch for the connection between that
> particular carbon-based lifeform and said key. Why would we care who
> the state or country that they come from says they are?
hm. this stuff is such a pain to talk about because the words all have
such complex real world meanings. In my latest rewrite I tried a
different way of stating the rules of the road. I'm not comfortable
signing keys of people who have labeled the key with a pseudonym;
particularly one that might be mistaken for a real person. I might
make exceptions. Exceptionally large rodent, maybe; imperialist weasel,
doubtful.
> S. (thinks he's not paranoid enough)
- ben (who thinks that the web of PGP signatures doesn't grow because
people can't figure out the rules and are embarrassed to admit it)