On Thu, 28 Jun 2001, Duncan Findlay wrote:
> I think that now an advocate is needed to simply say that they agree with
> your application, and be a mentor of sorts.
> After an advocate is found, an application manager is assigned.
> I don't think that there is any requirement for an actual physical meeting.
> Photo ID appears to be acceptible.
Certainly not. Photo IDs can not only be faked, they can also be stolen.
Without physically meeting you and seeing you, how do we know that you're
really the person in the picture?
There are other methods of ascertaining identity without the benefit of a
physical meeting, but they usually don't involve photo IDs -- and even if
they're used for satisfying the identification requirement of the NM process,
they probably shouldn't be used as justification for signing a GPG key.
It's my personal opinion that, if we are going to empower all Debian
developers to sign other people into the Debian keyring (and consequently into
the global Web of Trust), we should also require them to demonstrate a clear
understanding of PKI as part of the NM process. I think there are a lot of
NMs who, if they don't already know a lot about PKI before they become DD's,
never learn more than the mechanics of signing a key -- and that's ok, until
we start encouraging them to go out and sign other people's keys. :)