Re: more developer identity stuff
Some time around 29 Aug 1998 04:28:23 EDT,
Gregory S. Stark wrote:
> Raul Miller <email@example.com> writes:
> > Ossama Othman <firstname.lastname@example.org> wrote:
> > > Would the fact that I am listed in Cornell's online directory serve as a
> > > proof of identity, or will I still have to send copies of official
> > > documents?
> > The problem is: how do we know that you're you? Sending the
> > official documents isn't really adequate (since we don't know
> > that you're not sending someone else's official documents).
> > And we can assume that you're in the cornell official directory
> > because you have a cornell official email address.
> > At least if you send images derived from the official documents, and
> > they correlate with your email address, it's fairly plausible that you're
> > not being spoofed by someone else.
> I don't understand this at all. I'm sure there are plenty among us (myself not
> included) who could hack up a convincing looking image of a Cornell ID given a
> few hours in the Gimp. I don't see how this offers any authentication at all.
Requiring anything else means the new-maintainer applicant would have to go
through some inconveniences (paying for affidavit, traveling to meet another
developer, etc.). I am not sure we are ready to impose that requirement on
new maintainers. Anything other than a PGP signature can still be easily
faked, and there are still a few debian developers left (I am sure) that will
sign a person's key without following the correct procedures.
> On the other hand, if you call up cornell's main number and ask for Ossama
> Othman by name, you can be fairly sure it's the right person. At worst it
> could be a roommate or someone else close that can be tracked down, not just
> anybody on the internet with a good hand at forgery and possibly malicious
Well, we do call every new maintainer mostly to make sure they understand what
debian is about, but the call also has the side effect of making sure that
there is a person behind an email address. Whether this person is who he
claims to be is another matter.
> I thought we were moving away from the scanned documents thing and towards
> using verified phone numbers from phone books or such. Affidavits from notary
> publics would be reasonable too, but not every country has an exact
Exactly, and I hear that some notaries are very easy to fool.
> I hope people realize the ideal mechanism is a PGP signature directly by
> another debian developer, or indirectly via people who are widely trusted to
> understand PGP signatures and how to use them. With the current size and
> diversity of the debian keyring it should be increasingly feasible to find
> trust paths that join people.
Not if you are, e.g., in South America. In most cases, getting a PGP signature
requires traveling some distance and you can't expect all new-maintainer
applicants to be able to do that in a timely fashion.
Proudly running Debian Linux! Linux vs. Windows is a no-Win situation....
Igor Grobman email@example.com firstname.lastname@example.org
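An added illustration of the trust-path idea in the quoted message (not part of the thread or of any Debian tool): a breadth-first search over a small signature graph that accepts an applicant's key only if it is signed by an existing developer directly, or indirectly through signers on a "widely trusted" list. The key names, signatures and trusted list are all constructed for the example.

```python
# Added example: locate a trust path through a keyring's signature graph.
# Every key name and signature below is constructed for illustration;
# this is not real Debian keyring data.
from collections import deque

# key -> set of keys that have signed it (constructed sample)
SIGNATURES = {
    "applicant": {"friend"},        # signed only by a non-developer
    "applicant2": {"stranger"},     # signed only by someone nobody vouches for
    "friend": {"dev_a", "stranger"},
    "stranger": {"dev_b"},          # even a developer-signed stranger is not "widely trusted"
    "dev_a": {"dev_b"},
    "dev_b": {"dev_a"},
}
DEVELOPERS = {"dev_a", "dev_b"}     # keys already in the developer keyring
WIDELY_TRUSTED = {"friend"}         # non-developers trusted to sign keys properly

def trust_path(keyring, key, developers, trusted, max_hops=3):
    """Return the shortest chain [key, signer, ..., developer] in which every
    intermediate signer is in `trusted`, or None if no such chain exists
    within `max_hops` signatures."""
    queue = deque([[key]])
    seen = {key}
    while queue:
        path = queue.popleft()
        if len(path) - 1 >= max_hops:      # all allowed hops already used
            continue
        for signer in sorted(keyring.get(path[-1], ())):
            if signer in seen:
                continue
            if signer in developers:       # direct or indirect developer signature
                return path + [signer]
            if signer in trusted:          # may only pass through vetted signers
                seen.add(signer)
                queue.append(path + [signer])
    return None

if __name__ == "__main__":
    for applicant in ("applicant", "applicant2"):
        print(applicant, "->", trust_path(SIGNATURES, applicant, DEVELOPERS, WIDELY_TRUSTED))
```

With the sample data, "applicant" reaches dev_a through the trusted signer, while "applicant2" is rejected because its only signer is not on the trusted list, even though that signer's own key was signed by a developer.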