[EMAIL PROTECTED] said:
>> Should I sign his key?
>
> No. Request that he adds an UID to his key with his name as it appears on
> his documents (the name that he would have in an international travel pass,
> for example), and sign THAT UID (and any others you have verified to be
> completely true).

I think this needs more consideration. What is being signed into the trust web is an "identity". That can (and should) be independent of real name. Why? Because there are people in the world who live in countries or situations where they cannot safely reveal their real life identity.

If someone's gpg has the name "John Doe", you should indeed verify by means of state-issued ID that they are indeed John Doe. But that is not what makes them trustworthy to debian. What is more important is that the holder of the John Doe key has proven themselves worthy of trust, by having an established history of doing competent work for debian.

If you think about it, a trustworthy pseudonym with a history of doing good work (with that work gpg-signed by that pseudonym, of course) is _harder_ to fake than a "real" state-issued ID. As long as someone has properly established a trustworthy pseudonym, I can't think of any reason why they shouldn't be signed into the debian web of trust.

Is there anything wrong with that reasoning?

Jason