[openstack-dev] [all] Key signing at the summit?

Clint Byrum clint at fewbar.com
Tue Nov 11 00:36:19 UTC 2014


Excerpts from Thomas Goirand's message of 2014-11-10 16:26:30 -0800:
> On 10/27/2014 10:45 PM, Jeremy Stanley wrote:
> > If there is interest in doing another Sassaman-Projected Method
> > exercise at future events
> 
> I really wish we do *not* reproduce what happened in Atlanta.
> 
> We had a few seconds to check IDs, and sorry, but I'm not familiar with
> most US driver's licenses. It went so fast that I couldn't even catch up
> with my printed list checkmarks.
> 
> I also usually don't trust government IDs in general, and I very much
> prefer to know people, and check that there's others in the project that
> can vouch for their identity.
> 
> Even better: I usually don't sign *at all* the keys from the people I
> wont recognize if I see them again. Otherwise, I don't see the point at
> all, if we just sign the keys of everyone in the room. We then better
> have just an OpenStack keyring, just like there's a Debian developer
> keyring, on which we delegate the trust to some kind of organization
> (but this needs to be used for something...).
> 
> If we do another key signing party in Vancouver, then I propose that:
> 
> 1/ We take enough time (1 hour is the bare minimum)
> 2/ We use that time so we can gather in small groups of people that we
> don't know, and take the time to present ourselves to others, and tell
> what we do, who we are, etc.
> 
> It doesn't mater if we end-up signing a lot less keys. And for those
> persons which we know already, it's easy to ask for a fingerprint copy,
> and this can take just a few seconds (no need to even check for the
> government IDs).
> 

Thomas, that is your prerogative, but most of us accept the Sassaman
methods for mass key-signing. Going slower is probably a good idea,
but the method itself isn't a problem for most of us.



More information about the OpenStack-dev mailing list