
Re: Trouble becoming a member



On Tue, Sep 17, 2002 at 01:52:43PM -0500, Steve Langasek wrote:
> 
> You're right of course that it's possible to fake photo IDs in many
> cases; however, photo IDs and physical meetings still protect against two
> other weaknesses -- man-in-the-middle attacks, and actual visual
> *identification* of the applicant.  All told, I think the security
> difference between the two techniques is much better than just marginal.

Hmmm. It does protect against MitM attacks, in that particular case,
though I can think of ways around this that don't require physical
meetings. Granted, however, that we don't currently require those for photo
signatures.

Visual identification of the applicant isn't terribly meaningful; all it
establishes is that they have a card with their picture on it. It says
nothing about the veracity of that card, which is where the attack is in
that case. However, see below.

> Most people don't get signed into the ring by people from far distant
> lands (say, California), either; the web is large enough now that
> familiarity with the IDs of your own state, and possibly your neighboring
> states, should be enough to prevent mere $1,000 forgeries.  And when NMs
> can expect to spend maybe half a year in the queue anyway, the
> "reasonable effort" to contact a local DD should include a corresponding
> increase in effort to be considered reasonable.

This, I will grant, with one caveat: the question of whether DDs actually
do know this, and whether they are actively aware of it. They should be -
but are they? (And is this, perhaps, something to be noted in the FAQs, if
not?)

I don't know that I agree with spending half a year in the queue being
"reasonable", but it certainly does appear to be the current expectation.
Even with photo ID verified, I'm still trying to collect a signature to go
with it. Just found someone who seems likely to be meetable at some point
and dropped them private email, in fact.
-- 
***************************************************************************
Joel Baker                           System Administrator - lightbearer.com
lucifer@lightbearer.com              http://users.lightbearer.com/lucifer/

Attachment: pgpaBFgRfBWSq.pgp
Description: PGP signature

