Re: more developer identity stuff
Some time around 29 Aug 1998 04:28:23 EDT,
Gregory S. Stark wrote:
>
> Raul Miller <rdm@test.legislate.com> writes:
>
> > Ossama Othman <othman@astrosun.tn.cornell.edu> wrote:
> > > Would the fact that I am listed in Cornell's online directory serve as any
> > > proof of identity, or will I still have to send copies of official
> > > documents?
> >
> > The problem is: how do we know that you're you? Sending the
> > official documents isn't really adequate (since we don't know
> > that you're not sending someone else's official documents).
> > And we can assume that you're in the cornell official directory
> > because you have a cornell official email address.
> >
> > At least if you send images derived from the official documents, and
> > they correlate with your email address, it's fairly plausible that you're
> > not being spoofed by someone else.
>
> I don't understand this at all. I'm sure there are plenty among us (myself not
> included) who could hack up a convincing looking image of a Cornell ID given a
> few hours in the Gimp. I don't see how this offers any authentication at all.
Requiring anything else means the new-maintainer applicant would have to go
through some inconveniences (paying for affidavit, traveling to meet another
developer, etc.). I am not sure we are ready to impose that requirement on
new maintainers. Anything other than a PGP signature can still be easily
faked, and there are still a few debian developers left (I am sure) that will
sign a person's key without following the correct procedures.
>
> On the other hand, if you call up cornell's main number and ask for Ossama
> Othman by name, you can be fairly sure it's the right person. At worst it
> could be a roommate or someone else close that can be tracked down, not just
> anybody on the internet with a good hand at forgery and possibly malicious
> intent.
Well, we do call every new maintainer mostly to make sure they understand what
debian is about, but the call also has the side effect of making sure that
there is a person behind an email address. Whether this person is who he
claims to be is another matter.
>
> I thought we were moving away from the scanned documents thing and towards
> using verified phone numbers from phone books or such. Affidavits from notary
> publics would be reasonable too, but not every country has an exact
> equivalent.
Exactly, and I hear that some notaries are very easy to fool.
>
> I hope people realize the ideal mechanism is a PGP signature directly by
> another debian developer, or indirectly via people who are widely trusted to
> understand PGP signatures and how to use them. With the current size and
> diversity of the debian keyring it should be increasingly feasible to find
> trust paths that join people.
Not if you are, e.g., in South America. In most cases, getting a PGP signature
requires traveling some distance, and you can't expect all new-maintainer
applicants to be able to do that in a timely fashion.
--
Proudly running Debian Linux! Linux vs. Windows is a no-Win situation....
Igor Grobman igor@debian.org igor@igoria.net