
Re: more developer identity stuff

Some time around 29 Aug 1998 04:28:23 EDT, Gregory S. Stark wrote:
 > Raul Miller <rdm@test.legislate.com> writes:
 > > Ossama Othman <othman@astrosun.tn.cornell.edu> wrote:
 > > > Would the fact that I am listed in Cornell's online directory serve as any
 > > > proof of identity, or will I still have to send copies of official
 > > > documents?
 > > 
 > > The problem is: how do we know that you're you?  Sending the
 > > official documents isn't really adequate (since we don't know
 > > that you're not sending someone else's official documents).
 > > And we can assume that you're in the cornell official directory
 > > because you have a cornell official email address.
 > > 
 > > At least if you send images derived from the official documents, and
 > > they correlate with your email address, it's fairly plausible that you're
 > > not being spoofed by someone else.
 > I don't understand this at all. I'm sure there are plenty among us (myself not
 > included) who could hack up a convincing looking image of a Cornell ID given a
 > few hours in the Gimp. I don't see how this offers any authentication at all.

Requiring anything else means the new-maintainer applicant would have to go 
through some inconveniences (paying for affidavit, traveling to meet another 
developer, etc.).  I am not sure we are ready to impose that requirement on 
new maintainers.  Anything other than a PGP signature can still be easily 
faked, and there are still a few debian developers left (I am sure) that will 
sign a person's key without following the correct procedures.

 > On the other hand, if you call up cornell's main number and ask for Ossama
 > Othman by name, you can be fairly sure it's the right person. At worst it
 > could be a roommate or someone else close that can be tracked down, not just
 > anybody on the internet with a good hand at forgery and possibly malicious
 > intent.

Well, we do call every new maintainer mostly to make sure they understand what 
debian is about, but the call also has the side effect of making sure that 
there is a person behind an email address.  Whether this person is who he 
claims to be is another matter.

 > I thought we were moving away from the scanned documents thing and towards
 > using verified phone numbers from phone books or such. Affidavits from notary
 > publics would be reasonable too, but not every country has an exact
 > equivalent.

Exactly, and I hear that some notaries are very easy to fool.

 > I hope people realize the ideal mechanism is a PGP signature directly by
 > another debian developer, or indirectly via people who are widely trusted to
 > understand PGP signatures and how to use them. With the current size and
 > diversity of the debian keyring it should be increasingly feasible to find
 > trust paths that join people.

Not if you are, e.g., in South America.  In most cases, getting a PGP signature 
requires traveling some distance and you can't expect all new-maintainer 
applicants to be able to do that in a timely fashion.

Proudly running Debian Linux! Linux vs. Windows is a no-Win situation....
Igor Grobman           igor@debian.org                 igor@igoria.net 
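The trust-path idea discussed above (a chain of PGP signatures from an existing developer, possibly via widely trusted intermediaries, to an applicant) as an added example that is not part of the thread or of Debian's tooling. The key ids, the signature graph and the hop limit are all constructed for illustration; the search also shows the unreachable case the reply raises, an applicant nobody in the keyring has signed.

```python
from collections import deque

# Constructed sample keyring: signer -> key ids that signer has signed.
# Key ids are invented for this example and correspond to no real keys.
SAMPLE_SIGNATURES = {
    "DD01": {"DD02", "U001"},  # existing Debian developer
    "DD02": {"U002"},          # existing Debian developer
    "U001": {"U003"},          # widely trusted non-developer
    "U002": {"APP1"},          # applicant APP1 was signed by U002
    "U003": set(),
    "APP2": set(),             # applicant with no signatures at all
}
DEBIAN_DEVELOPERS = {"DD01", "DD02"}


def build_graph(signatures):
    """Edges point from signer to signee: the signer vouched for the signee."""
    graph = {}
    for signer, signees in signatures.items():
        graph.setdefault(signer, set()).update(signees)
        for signee in signees:
            graph.setdefault(signee, set())
    return graph


def find_trust_path(graph, trusted_roots, target, max_hops=3):
    """Shortest signature chain from any trusted root to target, or None.

    Breadth-first search, so the first path found uses the fewest
    signatures; max_hops bounds how long an indirect chain may be before
    it is no longer considered trustworthy.
    """
    roots = sorted(root for root in trusted_roots if root in graph)
    queue = deque((root, [root]) for root in roots)
    seen = set(roots)
    while queue:
        node, path = queue.popleft()
        if node == target:
            return path
        if len(path) - 1 >= max_hops:
            continue  # chain would exceed the hop budget
        for nxt in sorted(graph[node]):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [nxt]))
    return None


if __name__ == "__main__":
    g = build_graph(SAMPLE_SIGNATURES)
    print(find_trust_path(g, DEBIAN_DEVELOPERS, "APP1"))  # two-hop chain
    print(find_trust_path(g, DEBIAN_DEVELOPERS, "APP2"))  # None: nobody signed APP2
```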
