On Tue, Sep 17, 2002 at 02:42:22PM -0500, Steve Langasek wrote: > On Tue, Sep 17, 2002 at 01:07:59PM -0600, Joel Baker wrote: > > > Visual identification of the applicant isn't terribly meaningful; all it > > establishes is that they have a card with their picture on it. It says > > nothing about the veracity of that card, which is where the attack is in > > that case. However, see below. > > Let me put it another way: they can forge their ID, but it's hard to > forge their face. With a face-to-face meeting, if the person DOES have > ulterior motives, we now have a much better chance of bringing them to > justice afterwards than if both their identity and their face were > unknown to us. A forged ID can have any face on it you wish; that's sort of the point. Sufficient disguise to fool someone face to face is even more trivial than a fake ID. If someone's going to bother, spending $50 or less in materials (or even a couple of hundred, for a completely nwe kit) isn't going to bother them. Again, if you're going to presume that there is an active attack, you have to presume that the attacker places value on the result, and as such, is willing to put both time and money into it. However, we're now, IMO, wandering into the realm of paranoia beyond what is reasonable. Someone REALLY wanting to Hack Debian(tm) is more likely to try to hack or social-engineer their way into a position of compromising an existing DD's key. > > > Most people don't get signed into the ring by people from far distant > > > lands (say, California), either; the web is large enough now that > > > familiarity with the IDs of your own state, and possibly your neighboring > > > states, should be enough to prevent mere $1,000 forgeries. And when NMs > > > can expect to spend maybe half a year in the queue anyway, the > > > "reasonable effort" to contact a local DD should include a corresponding > > > increase in effort to be considered reasonable. > > > This, I will grant, with one caveat: the question of whether DDs actually > > do know this, and whether they are actively aware of it. They should be - > > but are they? (And is this, perhaps, something to be noted in the FAQs, if > > not?) > > Yes, making sure that our developers are well-educated is always a > concern. Indeed. -- *************************************************************************** Joel Baker System Administrator - lightbearer.com lucifer@lightbearer.com http://users.lightbearer.com/lucifer/
Attachment:
pgphTKZLkxG33.pgp
Description: PGP signature