
Re: more developer identity stuff



Raul Miller <rdm@test.legislate.com> writes:

> Ossama Othman <othman@astrosun.tn.cornell.edu> wrote:
> > Would the fact that I am listed in Cornell's online directory serve as any
> > proof of identity, or will I still have to send copies of official
> > documents?
> 
> The problem is: how do we know that you're you?  Sending the
> official documents isn't really adequate (since we don't know
> that you're not sending someone else's official documents).
> And we can assume that you're in the Cornell official directory
> because you have a Cornell official email address.
> 
> At least if you send images derived from the official documents, and
> they correlate with your email address, it's fairly plausible that you're
> not being spoofed by someone else.

I don't understand this at all. I'm sure there are plenty among us (myself not
included) who could hack up a convincing looking image of a Cornell ID given a
few hours in the Gimp. I don't see how this offers any authentication at all.

On the other hand, if you call up Cornell's main number and ask for Ossama
Othman by name, you can be fairly sure it's the right person. At worst it
could be a roommate or someone else close that can be tracked down, not just
anybody on the internet with a good hand at forgery and possibly malicious
intent.

I thought we were moving away from the scanned documents thing and towards
using verified phone numbers from phone books or such. Affidavits from notaries
public would be reasonable too, but not every country has an exact
equivalent.

I hope people realize the ideal mechanism is a PGP signature directly by
another Debian developer, or indirectly via people who are widely trusted to
understand PGP signatures and how to use them. With the current size and
diversity of the Debian keyring it should be increasingly feasible to find
trust paths that join people.

greg
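As an added illustration of the trust-path idea in the message above (this is not part of greg's mail, nor code from the Debian keyring tooling), here is a small Python search over a constructed set of key signatures. It works backwards from an applicant's key through the keys that signed it until it reaches a key the team already trusts, and refuses chains longer than a configurable number of hops, much as GnuPG bounds certification chains with `--max-cert-depth`. All key names, signatures and the trusted set below are made up for the example.

```python
from collections import deque

# Constructed keyring: maps a key (labelled by its owner) to the set of keys
# whose owners have signed it. Every name and signature here is invented.
SIGNATURES = {
    "applicant": {"dev_c", "friend"},
    "dev_c": {"dev_a", "dev_b"},
    "dev_b": {"dev_a"},
    "dev_a": set(),
    "friend": set(),           # signed the applicant, but nobody we trust signed them
    "outsider": {"outsider_pal"},
    "outsider_pal": set(),
}

# Keys the project already trusts (existing developers). Constructed.
TRUSTED = {"dev_a", "dev_b"}


def trust_path(target, trusted, signatures, max_hops=3):
    """Return the shortest signature chain from a trusted key to `target`.

    The chain is a list [trusted_key, ..., target] in which each key has
    signed the next one. Returns None when no chain of at most `max_hops`
    signatures exists, so a key signed only by strangers stays unverified.
    """
    if target in trusted:
        return [target]
    # Breadth-first search from the target back through its signers, so the
    # first trusted key reached gives the shortest chain.
    queue = deque([(target, [target])])
    seen = {target}
    while queue:
        key, path = queue.popleft()
        if len(path) - 1 >= max_hops:
            continue  # chain already at the hop limit; do not extend it
        for signer in sorted(signatures.get(key, ())):
            if signer in seen:
                continue
            new_path = [signer] + path
            if signer in trusted:
                return new_path
            seen.add(signer)
            queue.append((signer, new_path))
    return None


if __name__ == "__main__":
    print(trust_path("applicant", TRUSTED, SIGNATURES))   # chain via dev_c
    print(trust_path("outsider", TRUSTED, SIGNATURES))    # None: no trusted signer
    print(trust_path("applicant", TRUSTED, SIGNATURES, max_hops=1))  # None: too long
```

The hop limit matters: every intermediate key in the chain is someone whose judgement about identity is being relied on, so a long chain through people nobody on the team knows is weaker evidence than a short one, which is why the search reports the shortest chain and rejects chains beyond the limit rather than accepting any path at all.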

