Gentoo Archives: gentoo-project

From: Chris Reffett <creffett@g.o>
To: gentoo-project@l.g.o
Subject: Re: [gentoo-project] pre-GLEP: Gentoo OpenPGP web of trust
Date: Fri, 01 Feb 2019 00:42:18
Message-Id: c82828ce-9b23-1edf-89ca-84eeef5437c8@gentoo.org
On 1/31/2019 8:56 AM, Michał Górny wrote:
> > 3. Before signing a user identifier, make sure to: > > b. Verify the person's real name (at least for the user identifier > used for copyright purposes). This is usually done through > verifying an identification document with photograph. It is > a good idea to ask for the document type earlier, and read on > forgery protections used. > > In some cases, alternate methods of verifying the identity may be > used if they provide equivalent or better level of reliability. > This can include e.g. use of national online identification > systems or bank transfers. >
I concur with the other comments people have made about this being an unnecessarily restrictive burden, but let me pose a more philosophical question: _why should proving my real name matter_? It's irrelevant that I can prove my real name is in fact Chris Reffett, what's more important is that there is somebody claiming the identity "creffett" whom people (theoretically) trust as a developer. If I can't prove that that's my real name, does that actually make a difference as to my trustworthiness as a dev? It's the online "persona," if you will, that people trust, and I don't see how verifying my name changes that. Now if I were trying to use my PGP key as proof of my real-world identity, sure, it's a reasonable concern, but I expect that if I'm involved in something like that I would have to supply a scan of an identity document anyway. And since I know someone will bring it up: yes, that is in fact my real name. I'm just making a point. -creffett

Attachments

File name MIME type
signature.asc application/pgp-signature