On Tue, Sep 17, 2002 at 02:44:46PM -0600, Joel Baker wrote: > > Let me put it another way: they can forge their ID, but it's hard to > > forge their face. With a face-to-face meeting, if the person DOES have > > ulterior motives, we now have a much better chance of bringing them to > > justice afterwards than if both their identity and their face were > > unknown to us. > A forged ID can have any face on it you wish; that's sort of the point. > Sufficient disguise to fool someone face to face is even more trivial than > a fake ID. If someone's going to bother, spending $50 or less in materials > (or even a couple of hundred, for a completely nwe kit) isn't going to > bother them. > Again, if you're going to presume that there is an active attack, you have > to presume that the attacker places value on the result, and as such, is > willing to put both time and money into it. It does not follow that any attacker who places value on the result is skilled enough to achieve that result, given watchfulness on the part of the Debian community. :) Risk management is all about /minimizing/ risks, not eliminating them completely. If we can make a concerted effort to ensure that any risk of attacking the project carries with it a corresponding risk of the perpetrator being caught, I think it's warranted. A $50 kit isn't going to get you a disguise to believably mask the facial features that are most important in identifying people through such things as police sketches. $60 may get you a fake ID from a neighboring state, but the whole point is to tighten the web enough so that keysigners ARE familiar with the forms of IDs applicants use. There are enough risks with trying to conceal one's identity in a face-to-face meeting that stealing a key is probably easier... and that's a sign that we're doing things right, IMHO. Steve Langasek postmodern programmer  Whereas securing a fake Internet identity and photoshopping an ID is easier and safer yet by an order of magnitude, which is precisely why it shouldn't be accepted as a means of identification.
Description: PGP signature