
Re: [nm-admin] Identification step in the current scheme (Re: Fear the new maintainer process)



On Wed, 2 Aug 2000, Matthew Vernon wrote:

> Dale Scheetz writes:
> 
> I think that either Dale or myself has misunderstood something here,
> since his argument makes little sense from my (albeit limited)
> knowledge of how PGP/GPG keysigning works. I've kept the quoted text
> below because it seems to me to be the most succinct form of his
> argument. To clarify, this argument only applies to people possessing a
> key signed by a Debian developer.
> 
> AIUI, the purpose of PGP/GPG keysigning is for the signer to say "this
> key belongs to the signee, and I have seen ID that satisfies me to
> this extent". Typically, it also means "I trust the signee to sign
> others' keys".[1]

So far so good ;-)

> 
> Therefore, what does it matter that I can't remember the face of the
> person whose key I signed six months ago? I am still happy that I saw
> good ID, and that if I get mail signed/encrypted with that key that it
> comes from that person.
> 
While your happiness _is_ important, just how does it help the
administrators of Debian? I haven't seen his face, nor has the DAM. You
are the lucky one who _has_ seen his face, but we know we can not ask you
at this point if the face matches the name. We agree that the activity
actually happened at the same time we agree that we can't re-create the
event accurately in memory.


> I reject the assertion that Debian needs a photo of the person (so

Why? You don't reject the requirement for showing your ID when another
individual asks to sign your key. How is showing your picture to the
administrative members of Debian any different?

> that we can meet them at the airport???[2]). Debian does not have a
> photograph of me, and I intend to keep it that way.

I honestly don't understand this primitive instinct to hide your face.
More to the point, I don't understand this existing in a "social" group
like Debian!

What threat do you experience from having an image of your face on record
with this group to which you belong? Will you only come to a conference in
disguise? Why is one acceptable and the other anathema?

> 
> So, given that it is unnecessary for our web of trust for the applicant
> to provide an image, and that some applicants may be unhappy with
> Debian keeping a photograph of them, I conclude that the requirement
> for an image file in the case of people with keys signed by a Debian
> developer should be removed.

So far, to my knowledge, not one applicant has refused to supply such
information. If one such example exists, I would argue that this clause
should, in fact, be executed, rejecting such applications, simply because
there are so many examples of folks willing to show their face.

This photo isn't about a "web of trust". That requirement is satisfied by
the key. The photo is about being able to identify our membership. As your
key fingerprint is not required to be barcoded onto your hand, the image
of your face is a good alternative.

Luck,

Dwarf
--
_-_-_-_-_-   Author of "The Debian Linux User's Guide"  _-_-_-_-_-_-

aka   Dale Scheetz                   Phone:   1 (850) 656-9769
      Flexible Software              11000 McCrackin Road
      e-mail:  dwarf@polaris.net     Tallahassee, FL  32308

_-_-_-_-_-_- See www.linuxpress.com for more details  _-_-_-_-_-_-_-


