Photo ID (was Re: [nm-admin] Identification step ...)
Oliver Elphick wrote:
>
> Anand Kumria wrote:
> >I don't know when you asked Dale but the procedures are quite clear that
> >"An image file of an appropriate piece of photo-identification" (from
> ><URL: http://www.debian.org/devel/join/nm-step2> is required.
>
> Yes! We want (as a group) to see the id. The fact that a developer has
> signed the key means we don't need to take any further steps to verify
> that the id belongs to the applicant (in other words, we DO trust
> developers to follow proper procedures when signing keys).
>
> Why do you have such a big problem with the idea of supplying ids?
> (which Debian has required at least since 1996/7 when I joined.)
I don't think that Anand has a problem with supplying ID. I think
his objection is to making a requirement of supplying ID two
different, redundant ways: 1) when showing ID to a Developer,
who shall subsequently sign the applicants public key(s),
and 2) sending in a pic, the file of which is signed with a
verifiable key.
When I applied, and read the steps to take, I interpreted the
instructions to mean IF I couldn't meet with a Developer to
verify my identity, THEN send in a photo id, the file being
signed, with the former being the preferable method to
close the "eyeball loop", and the latter being a grudgingly
accepted alternate method. I'm slightly surprised to find
either a change, or that I was mistaken, as I've taken no
steps to scan in a photo of myself. However, I have no
problem with it; I plan on purchasing a SANE-supported
scanner, anyhow.
Nevertheless, I find that the scanned & signed photo,
as described in recent traffic, as opposed to the prior
legal picture ID requirement, to be less useful: what's
going to prevent someone from scanning in a picture
of anyone, signing and sending it? How're you going
to verify that it is the pic of the sender? For that
matter, even using DL's and PP's are not reliable in
scanned format, since the pic can be hacked with the GIMP.
One stated need is for security: how else could there
be a holding responsible if there is no scanned ID? What
if a Trojan is uploaded? How will Debian protect itself?
Unless these photo IDs are being collected to assist LEOs,
scanned photos will afford no protection. If these are
going to be, effectively, mugshots,for the reason above,
this is useless. Debian has to rely on the No Warranty
clauses of the licenses of the software distributed.
I recommend _asking_ for scanned photos, not making it
a requirement, except as alternative to physically and
visibly meeting a "well known" (i.e. Developer as)
signatory. In fact, I think it would be cool to have
a page with thumbnails to the pics of _every_ Developer.
However, if it remains a requirement, in addition to having
my keys signed by _two_ different Developers, so be it;
I'll jump through whatever hoops are necessary.
I am Wannabe; Hear me roar,
in too many decibels to ignore,
until I make my AM understand:
>Hunh<!? Oh, sorry, Helen...
--
Bolan.Meek@wcom.com 972-729-5387
bolan@koyote.com (home ph. on Q) http://www.koyote.com/users/bolan
RE: xmailtool http://www.koyote.com/users/bolan/xmailtool/index.html
RMS of Borg: "Resistance is futile; you shall be freed."
Reply to: