Re: Advocate/Sponsor
On Thu, 28 Jun 2001, Samuel Tardieu wrote:
> On 28/06, Martin Michlmayr wrote:
> | * Mark Brown <broonie@sirena.org.uk> [20010628 16:53]:
> | > Does the GPG key need to be signed or does it just need to exist? I
> | > had been under the impression that other forms of identification
> | > were still possible, though severely discouraged.
> | Yeah, those forms still exist. The web site even says
> | Do you yet have a GPG key signed by a current developer or some
> | other photo ID scanned in and signed with your GPG key?
> | But I usually talk of 'signed keys' because that's the preferred
> | method and because it is usually possible to get a signature these
> | days.
> I also think that Debian should accept scanned IDs signed with a trusted
> X509 key (as the one issued for free by Thawte (http://www.thawte.com/)). This
> would allow people who went through the heavy Thawte id checking to have
> their identity trusted by the Debian project.
No. Signing the scanned ID adds *nothing* over accepting the x509 key by
itself. If faking a physical photo ID is easy, faking a scanned photo ID is
ridiculously simple.
If we want to accept Thawte's id checking as sufficiently rigorous for our
purposes, if we want to trust Thawte[1], then there's no point in asking for
a scan signed with the ID. But I don't think we should accept Thawte IDs as
sufficient; the needs and goals of a PKI that uses CAs (such as Thawte) are
not entirely compatible with those of a peer-to-peer system (such as PGP).
Steve Langasek
postmodern programmer
[1] And is Thawte really so impervious to corruption that there's not even a
*remote* possibility of falsification? Remember that they're now owned by
Network Solutions. Anything is possible...
Reply to: