On Tue, Sep 17, 2002 at 04:34:19PM +0200, Arvid Warnecke wrote: > On Tue, Sep 17, 2002 at 09:25:07AM -0500, Steve Langasek wrote: > > > I also had some trouble with him, because I have been told that a scaned > > > ID would be okay to do ID Check. He wanted me to get my key signed by > > > another developer. That would be no problem if I'd live in a big city > > > with another german developer, but here is none; I already checked that. > > > So, I'd like to know if there is a chance to get the process running > > > again? > > Who told you that it was ok to use a scanned ID? Scanned IDs should only > > be used in EXTREME cases: e.g., you live on the wrong end of a continent, > > or you cannot travel freely across national borders to meet developers. > > Even if there are no other developers in your town, there are enough > > German developers that it should be possible for you to find someone > > willing to meet with you if you try. > My advocate told me that this would be possible. So, I have to drive > lots of kilometres to get my key signed? What is so bad about a signed > and scanned ID? It's much easier to forge than a physical ID, and it doesn't prove that the person submitting the scanned ID actually looks like the person in the ID. It is also subject to man-in-the-middle attacks, because someone could replace your signature with their own while your email is in transit. In every way, scanned IDs are a vastly inferior means of establishing identity. Is driving some kilometers really too much to ask of someone we will be trusting with root access to the machines of every Debian user? Believe me, compared to a pleasant road trip, there will be times as a developer when you feel you have wasted much more for much less gain. :) Steve Langasek postmodern programmer
Attachment:
pgpzEgcYVhOMF.pgp
Description: PGP signature