[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

RE: [nm-admin] Identification step in the current scheme (Re: Fe

I am, admitadly a crypto mental midget, So feel free to 
blast me if I am way off base.  

It seems that something is left out of the proposal to not 
require an ID (or anything else) signed by the applicant.

As an example, I could acquire from db.d.o a public key for
someone that is signed by a maintainer. (key BA0A7EB5 perhaps), 
and attach it with an email of application.  The problem with 
this is that it is just a public key, available to almost anyone, 
and it does not demonstrate that I possess the private key of 
that key pair.

However, by signing an ID, or the email, I have demonstrated
that I do infact, possess that private key.

The above is perhaps a poor example as it uses an
existing maintainers key. But public keys are easily acquired,
and one could just apply under someone elses key.perhaps 
even someone with the same name.  Or simply make a mistake, and
apply with the wrong public key. Ultimately though, without
the private key, the person can not sign an upload.  They
might be able to gain maintainer status, and do other stupid

I have no strong feelings about if an ID should be required
for those who have already have a signature of a developer,
just that the applicant should not only provide their public
key, but also prove that they can sign something with their 
private key.

Just my thoughts.

Jim Westveer <jwest@

On 30-Jul-2000 Taketoshi Sano wrote:
> Hi.
> Since the new list debian-newmaint-discuss was created (Thanks list-admins!)
> I think this topic should be moved on to there.  For members in the NM team
> who has not subscribed the new list, I sent the copy of this mail to the old
> nm-admin list.
> In <20000731005548.A12428@ftoomsh.progsoc.uts.edu.au>,
>   on Mon, 31 Jul 2000 00:55:48 +1000,
>  Anand Kumria <wildfire@progsoc.uts.edu.au> wrote:
>> On Sun, Jul 30, 2000 at 02:22:09PM +0200, Wichert Akkerman wrote:
>> > Previously Anand Kumria wrote:
>> > > Applicants whose keys are signed by existing developers must still
>> > > submit a photographic ID of themselves.
>> > 
>> > This is not true as far as I know.
>> Well two developers have already pointed out otherwise; plus this:
>> <URL: http://www.debian.org/devel/join/nm-step2>
>> It talks about an "eyeball" and "handshake" portion (whatever they are)
>> To satisfy the "handshake" portion you are supposed to provide a key
>> and an image signed with that key.
> Yes.  I wrote it there since I have thought that it is required.  
> If this is not true anymore, then I will happily rewrite it.  
> Can I do that ?
>> To satisfy the "eyeball" portion one means is to have your key signed by
>> another developer. This is, as far as know, how all the AMs have read and 
>> interupreted this.  In fact I don't recall anyone using clauses 2 or 3
>> to close the "eyeball" loop.
> There was a "test case" done by Julian Gilbey for his applicant,
> where the applicant does not have the key signed by Debian member
> initially. But the applicant eventually got the signature on his 
> key, so it can be classified as one of cases which used clause 1.
>> I think the identification step should be in two halves:
>> - An applicant must have a public key.
>> 1. The key must be acceptable to GNU Privacy Guard (GnuPG) without
>> additional (non-free) modules
>> 2. The key must be self-signed
>> If an applicants key is already signed by an existing Debian Developer, the
>> identification step is deemed complete. Continue with Step 3 and exit Step
>> 2.
>> - An applicant should provide another means of identifying themselves
>> This applies if the applicants key is not already signed by an existing
>> Debian Developer. Some possible means are:
>> 1. A signed image of themselves
>> 2. A reference by someone known to both the applicant and the AM (e.g.
>> Linus)
>> 3. (potentially) A well known signatory on their public key (e.g. RMS)
>> 4. Some other means acceptable to both the applicant and the AM.
>> I list 3 as a potential as this possibility does not currently exist
>> in closing the "eyeball" section.
> For the record, I won't object this proposal (in fact, I prefer this).
> I know the decision is not under my control at all, of course.
> -- 
>   Taketoshi Sano:
> <sano@debian.org>,<sano@debian.or.jp>,<kgh12351@nifty.ne.jp>
> _______________________________________________
> nm-admin mailing list  -  nm-admin@cipsa.physik.uni-freiburg.de
> http://cipsa.physik.uni-freiburg.de/mailman/listinfo/nm-admin

Jim Westveer <jwest@netnw.com>
"Bother," said Pooh as he struggled with sendmail.cf.
"It never does quite what I want."
"I wish Christopher Robin were here.". 
E-Mail: jwest@netnw.com               jwest@debian.org
work :  425-591-3002                  Date: 30-Jul-2000
home    425-392-0141                  Time: 10:39:50
pgp-key 0x36129171                    gpg-key 0x9823336C  

Reply to: