
Re: Advocate/Sponsor

On Thu, 28 Jun 2001, Samuel Tardieu wrote:

> On 28/06, Martin Michlmayr wrote:
> | * Mark Brown <broonie@sirena.org.uk> [20010628 16:53]:
> | > Does the GPG key need to be signed or does it just need to exist?  I
> | > had been under the impression that other forms of identification
> | > were still possible, though severely discouraged.
> |
> | Yeah, those forms still exist.  The web site even says
> |
> |     Do you yet have a GPG key signed by a current developer or some
> |     other photo ID scanned in and signed with your GPG key?
> |
> | But I usually talk of 'signed keys' because that's the preferred
> | method and because it is usually possible to get a signature these
> | days.

> I also think that Debian should accept scanned IDs signed with a trusted
> X509 key (as the one issued for free by Thawte (http://www.thawte.com/)). This
> would allow people who went through the heavy Thawte id checking to have
> their identity trusted by the Debian project.

No.  Signing the scanned ID adds *nothing* over accepting the x509 key by
itself.  If faking a physical photo ID is easy, faking a scanned photo ID is
ridiculously simple.

If we want to accept Thawte's id checking as sufficiently rigorous for our
purposes, if we want to trust Thawte[1], then there's no point in asking for
a scan signed with the ID.  But I don't think we should accept Thawte IDs as
sufficient; the needs and goals of a PKI that uses CAs (such as Thawte) are
not entirely compatible with those of a peer-to-peer system (such as PGP).

Steve Langasek
postmodern programmer

[1] And is Thawte really so impervious to corruption that there's not even a
    *remote* possibility of falsification?  Remember that they're now owned by
    Network Solutions.  Anything is possible...
