
DAM Key and identity requirements - pabs3
https://lists.debian.org/msgid-search/20200913071104.qcx76k25q5dpt2cn@enricozini.org
======
rendx
I don't understand why this needs a new "key endorsement" infrastructure -
isn't that exactly what certifications ("signing other people's keys") is
meant for? Why not use one of the existing OpenPGP signature types to
differentiate "old style" signatures from new "key endorsements"?

~~~
mjw1007
As the post says: « Each person has and keeps having their own policy for
signing keys. ».

Many people will only sign keys if they have confidence that the name on the
key is its controller's "real name" in some sense.

Maybe there'd be a way to model this new kind of endorsement in the
distributed database made up of keys and signatures (using signature types or
whatever), but it doesn't surprise me if the Debian account maintainers think
that a centralised database of assertions that exist for Debian's purposes is
going to give them an easier life.

~~~
rendx
This does not answer my question: You can still use the OpenPGP Signature
_scheme_ to implement this, and pick or invent a signature type to avoid the
mix-up with existing signatures. You can still enforce "A centralized
database", which in fact they _already do_ with the Debian keyring. Such
"endorsements" are exactly what OpenPGP signatures, and key upload protocols,
are made for.
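The comment above argues that existing OpenPGP signature machinery could carry the endorsement distinction. As an added example, not code from this thread, from Debian or from its keyring tooling, here is a minimal Python builder and parser for RFC 4880 v4 signature packets that tells an "endorsement" apart from a classic key signature by a critical notation-data subpacket in the hashed area (the standard extension point) rather than by inventing a new signature-type value. The notation name `endorsement@example.org`, the issuer key ID and the signature MPI are constructed placeholders; nothing here is actually signed.

```python
"""Added example, not from the thread: an RFC 4880 v4 signature-packet builder
and parser that marks an endorsement with a critical notation subpacket."""
import struct

# RFC 4880 section 5.2.1: the four certification ("key signing") types
CERTIFICATION_TYPES = {0x10: "generic", 0x11: "persona", 0x12: "casual", 0x13: "positive"}
# RFC 4880 section 5.2.3.1 subpacket types used below
SUBPKT_CREATION_TIME, SUBPKT_ISSUER_KEYID, SUBPKT_NOTATION = 2, 16, 20
# Hypothetical notation name for an endorsement (not a registered or Debian name)
ENDORSEMENT_NOTATION = "endorsement@example.org"


def _subpacket(sp_type, body, critical=False):
    """One subpacket: one-octet length (type octet + body), type octet, body."""
    length = len(body) + 1
    assert length < 192, "only the one-octet length form is implemented"
    return bytes([length, sp_type | (0x80 if critical else 0)]) + body


def _notation(name, value):
    """Notation body: 4 flag octets (0x80 = human readable), lengths, name, value."""
    n, v = name.encode(), value.encode()
    return b"\x80\x00\x00\x00" + struct.pack(">HH", len(n), len(v)) + n + v


def build_certification(sig_type, issuer_keyid, notations, created):
    """Build a v4 signature packet (new-format header) with a dummy MPI."""
    hashed = _subpacket(SUBPKT_CREATION_TIME, struct.pack(">I", created))
    for name, value in notations.items():
        # critical: a verifier that does not understand the notation must reject it
        hashed += _subpacket(SUBPKT_NOTATION, _notation(name, value), critical=True)
    unhashed = _subpacket(SUBPKT_ISSUER_KEYID, issuer_keyid)
    body = (bytes([4, sig_type, 22, 8])            # v4, type, EdDSA (22), SHA-256 (8)
            + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed
            + b"\xab\xcd"                          # left 16 bits of the hash (dummy)
            + struct.pack(">H", 8) + b"\xff")      # dummy 8-bit MPI, not a real signature
    assert len(body) < 192
    return bytes([0xC0 | 2, len(body)]) + body     # new-format header, tag 2


def _parse_subpackets(data):
    """Yield (type, critical, body) for each subpacket in a subpacket area."""
    i = 0
    while i < len(data):
        first = data[i]
        if first < 192:
            length, i = first, i + 1
        elif first < 255:
            length, i = ((first - 192) << 8) + data[i + 1] + 192, i + 2
        else:
            length, i = struct.unpack(">I", data[i + 1:i + 5])[0], i + 5
        type_octet = data[i]
        yield type_octet & 0x7F, bool(type_octet & 0x80), data[i + 1:i + length]
        i += length


def parse_signature(packet):
    """Parse a new-format, one-octet-length v4 signature packet."""
    assert packet[0] == 0xC2, "expected a new-format signature packet (tag 2)"
    body = packet[2:2 + packet[1]]
    assert body[0] == 4, "only v4 signatures are handled"
    hlen = struct.unpack(">H", body[4:6])[0]
    hashed = body[6:6 + hlen]
    ulen = struct.unpack(">H", body[6 + hlen:8 + hlen])[0]
    unhashed = body[8 + hlen:8 + hlen + ulen]
    sig = {"sig_type": body[1], "notations": {}, "issuer_keyid": None, "created": None}
    # Only the hashed area is covered by the signature; unhashed data can be
    # altered by anyone, so notations are taken from the hashed area alone.
    for sp_type, _critical, sp_body in _parse_subpackets(hashed):
        if sp_type == SUBPKT_CREATION_TIME:
            sig["created"] = struct.unpack(">I", sp_body)[0]
        elif sp_type == SUBPKT_NOTATION:
            nlen, vlen = struct.unpack(">HH", sp_body[4:8])
            name = sp_body[8:8 + nlen].decode()
            sig["notations"][name] = sp_body[8 + nlen:8 + nlen + vlen].decode()
    for sp_type, _critical, sp_body in _parse_subpackets(unhashed):
        if sp_type == SUBPKT_ISSUER_KEYID:
            sig["issuer_keyid"] = sp_body.hex()
    return sig


def classify(sig):
    """Distinguish an endorsement from an old-style key signature."""
    if sig["sig_type"] not in CERTIFICATION_TYPES:
        return "not a certification"
    if ENDORSEMENT_NOTATION in sig["notations"]:
        return "endorsement"
    return "classic key signature"


# Constructed sample packets; the issuer key ID is a made-up value
ISSUER = bytes.fromhex("0123456789abcdef")
ENDORSEMENT_PACKET = build_certification(0x10, ISSUER, {ENDORSEMENT_NOTATION: "keyring"}, 1600000000)
PLAIN_PACKET = build_certification(0x13, ISSUER, {}, 1600000000)

if __name__ == "__main__":
    for pkt in (ENDORSEMENT_PACKET, PLAIN_PACKET):
        sig = parse_signature(pkt)
        print(CERTIFICATION_TYPES[sig["sig_type"]], sig["notations"], "->", classify(sig))
```

Two design points matter for a keyring that would consume such endorsements: the notation is placed in the hashed area and marked critical, so an implementation that does not understand it must refuse the signature instead of silently treating it as an ordinary certification, and a real consumer would verify the signature cryptographically before reading any subpacket at all; this parser deliberately stops short of that.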

