On Thu, 28 Jun 2001, Samuel Tardieu wrote:
> On 28/06, Martin Michlmayr wrote:
> | * Mark Brown <firstname.lastname@example.org> [20010628 16:53]:
> | > Does the GPG key need to be signed or does it just need to exist? I
> | > had been under the impression that other forms of identification
> | > were still possible, though severely discouraged.
> | Yeah, those forms still exist. The web site even says
> | Do you yet have a GPG key signed by a current developer or some
> | other photo ID scanned in and signed with your GPG key?
> | But I usually talk of 'signed keys' because that's the preferred
> | method and because it is usually possible to get a signature these
> | days.
> I also think that Debian should accept scanned IDs signed with a trusted
> X509 key (as the one issued for free by Thawte (http://www.thawte.com/)). This
> would allow people who went through the heavy Thawte id checking to have
> their identity trusted by the Debian project.
No. Signing the scanned ID adds *nothing* over accepting the x509 key by
itself. If faking a physical photo ID is easy, faking a scanned photo ID is
If we want to accept Thawte's id checking as sufficiently rigorous for our
purposes, if we want to trust Thawte, then there's no point in asking for
a scan signed with the ID. But I don't think we should accept Thawte IDs as
sufficient; the needs and goals of a PKI that uses CAs (such as Thawte) are
not entirely compatible with those of a peer-to-peer system (such as PGP).
And is Thawte really so impervious to corruption that there's not even a
*remote* possibility of falsification? Remember that they're now owned by
Network Solutions. Anything is possible...