Re: more developer identity stuff

To: gsstark@mit.edu (Gregory S. Stark)
Cc: Raul Miller <rdm@test.legislate.com>, Ossama Othman <othman@astrosun.tn.cornell.edu>, debian-devel@lists.debian.org
Subject: Re: more developer identity stuff
From: Igor Grobman <igor@igoria.net>
Date: Sat, 29 Aug 1998 11:05:40 -0400
Message-id: <[🔎] E0zCmZQ-0000ZX-00@hmm.nothinbut.net>
In-reply-to: Your message of "29 Aug 1998 04:28:23 EDT." <[🔎] ycqww7syyxk.fsf@portX07.lanzen.net>

Some time around  29 Aug 1998 04:28:23 EDT, 
         Gregory S. Stark wrote:
 > 
 > Raul Miller <rdm@test.legislate.com> writes:
 > 
 > > Ossama Othman <othman@astrosun.tn.cornell.edu> wrote:
 > > > Would the fact that I am listed in Cornell's online directory serve as a
 > ny
 > > > proof of identity, or will I still have to send copies of official
 > > > documents?
 > > 
 > > The problem is: how do we know that you're you?  Sending the
 > > official documents isn't really adequate (since we don't know
 > > that you're not sending someone else's official documents).
 > > And we can assume that you're in the cornell official directory
 > > because you have a cornell official email address.
 > > 
 > > At least if you send images derived from the official documents, and
 > > they correlate with your email address, it's fairly plausible that you're
 > > not being spoofed by someone else.
 > 
 > I don't understand this at all. I'm sure there are plenty among us (myself n
 > ot
 > included) who could hack up a convincing looking image of a Cornell ID given
 >  a
 > few hours in the Gimp. I don't see how this offers any authentication at all
 > .

Requiring anything else means the new-maintainer applicant would have to go 
through some inconveniences (paying for affidavit, traveling to meet another 
developer, etc.).  I am not sure we are ready to impose that requirement on 
new maintainers.  Anything other than a PGP signature can still be easily 
faked, and there are still a few debian developers left (I am sure) that will 
sign a person's key without following the correct procedures.

 > 
 > On the other hand, if you call up cornell's main number and ask for Ossama
 > Othman by name, you can be fairly sure it's the right person. At worst it
 > could be a roommate or someone else close that can be tracked down, not just
 > anybody on the internet with a good hand at forgery and possibly malicious
 > intent.

Well, we do call every new maintainer mostly to make sure they understand what 
debian is about, but the call also has the side effect of making sure that 
there is a person behind an email address.  Whether this person is who he 
claims to be is another matter.

 > 
 > I thought we were moving away from the scanned documents thing and towards
 > using verified phone numbers from phone books or such. Affadavits from notar
 > y
 > publics would be reasonable too, but not every country has an exact
 > equivalent.

Exactly, and I hear that some notaries are very easy to fool.

 > 
 > I hope people realize the ideal mechanism is a PGP signature directly by
 > another debian developper, or indirectly via people who are widely trusted t
 > o
 > understand PGP signatures and how to use them. With the current size and
 > diversity of the debian keyring it should be increasingly feasible to find
 > trust paths that join people.

Not if you are, e.g. in South America.  In most cases, getting a PGP signature 
requires traveling some distance and you can't expect all new-maintainer 
applicants to be able to do that in a timely fashion.

-- 
Proudly running Debian Linux! Linux vs. Windows is a no-Win situation....
Igor Grobman           igor@debian.org                 igor@igoria.net

Reply to:

References:
- Re: more developer identity stuff
  - From: gsstark@mit.edu (Gregory S. Stark)

Prev by Date: Re: [RFC] Exim as standard Debian MTA?
Next by Date: anybody in Naperville (IL) (= three weeks away)
Previous by thread: Re: more developer identity stuff
Next by thread: Re: more developer identity stuff
Index(es):
- Date
- Thread