On Tue, Sep 17, 2002 at 01:52:43PM -0500, Steve Langasek wrote:
>
> You're right of course that it's possible to fake photo IDs in many
> cases; however, photo IDs and physical meetings still protect against two
> other weaknesses -- man-in-the-middle attacks, and actual visual
> *identification* of the applicant. All told, I think the security
> difference between the two techniques is much better than just marginal.

Hmmm. It does protect against MitM attacks, in that particular case,
though I can think of ways around this that don't require physical
meetings. Granted, however, that we don't currently require those for
photo signatures.

Visual identification of the applicant isn't terribly meaningful; all it
establishes is that they have a card with their picture on it. It says
nothing about the veracity of that card, which is where the attack is in
that case. However, see below.

> Most people don't get signed into the ring by people from far distant
> lands (say, California), either; the web is large enough now that
> familiarity with the IDs of your own state, and possibly your neighboring
> states, should be enough to prevent mere $1,000 forgeries. And when NMs
> can expect to spend maybe half a year in the queue anyway, the
> "reasonable effort" to contact a local DD should include a corresponding
> increase in effort to be considered reasonable.

This, I will grant, with one caveat: the question of whether DDs actually
do know this, and whether they are actively aware of it. They should be -
but are they? (And is this, perhaps, something to be noted in the FAQs, if
not?)

I don't know that I agree with spending half a year in the queue being
"reasonable", but it certainly does appear to be the current expectation.

Even with photo ID verified, I'm still trying to collect a signature to go
with it. Just found someone who seems likely to be meetable at some point
and dropped them private email, in fact.
-- 
***************************************************************************
Joel Baker                           System Administrator - lightbearer.com
lucifer@lightbearer.com              http://users.lightbearer.com/lucifer/