
Re: Trouble becoming a member



On Tue, Sep 17, 2002 at 02:44:46PM -0600, Joel Baker wrote:

> > Let me put it another way: they can forge their ID, but it's hard to
> > forge their face.  With a face-to-face meeting, if the person DOES have
> > ulterior motives, we now have a much better chance of bringing them to
> > justice afterwards than if both their identity and their face were
> > unknown to us.

> A forged ID can have any face on it you wish; that's sort of the point.
> Sufficient disguise to fool someone face to face is even more trivial than
> a fake ID. If someone's going to bother, spending $50 or less in materials
> (or even a couple of hundred, for a completely new kit) isn't going to
> bother them.

> Again, if you're going to presume that there is an active attack, you have
> to presume that the attacker places value on the result, and as such, is
> willing to put both time and money into it.

It does not follow that any attacker who places value on the result is
skilled enough to achieve that result, given watchfulness on the part of
the Debian community. :)  Risk management is all about /minimizing/
risks, not eliminating them completely.  If we can make a concerted
effort to ensure that any risk of attacking the project carries with it a
corresponding risk of the perpetrator being caught, I think it's
warranted.

A $50 kit isn't going to get you a disguise to believably mask the facial
features that are most important in identifying people through such
things as police sketches.  $60 may get you a fake ID from a neighboring
state, but the whole point is to tighten the web enough so that
keysigners ARE familiar with the forms of IDs applicants use.  There are
enough risks with trying to conceal one's identity in a face-to-face
meeting that stealing a key is probably easier[0]... and that's a sign
that we're doing things right, IMHO.

Steve Langasek
postmodern programmer

[0] Whereas securing a fake Internet identity and photoshopping an ID is
easier and safer yet by an order of magnitude, which is precisely why it
shouldn't be accepted as a means of identification.
