
Re: [nm-admin] Identification step in the current scheme (Re: Fear the new maintainer process)



On Thu, Aug 03, 2000 at 04:47:31PM +0000, Dale Scheetz wrote:
> On Thu, 3 Aug 2000, Anand Kumria wrote:
> > Why do you continue to confuse the issue by bringing in the onerous task
> > furphy? It is all about trust.
> Well, I agree that I trust a keysigner, and that trust allows me to accept
> the signed image from the applicant.

This isn't true. Signing a key allows you to say that yes, the name in
the uid on the key really is the name of the guy who holds the key. If
I've signed someone's key after looking at their passport, that's all
I'm asserting. I'm not asserting that this person will represent himself
honestly in future, that he won't lie about how he looks, or where he
lives, or anything.

> I just can't understand the reluctance to satisfy this requirement except
> that it is viewed by some as being too hard. I cannot, for the life of me,
> figure out what harm there might be to the passport holder if I happen to
> have a digitized copy of his passport. Can someone explain to me just why
> the passport holder should feel threatened by the existence of an
> "uncontrolled" copy of his passport?

Suppose some other project requires a digitized passport as one of its
entry requirements. Voila, as an AM, you can join that project as some
other person. Beyond that, passports are *very* sensitive documents. You
don't give them to other people long enough to make copies, physically
or digitally. A good fake passport (and a stolen bill, say) will let
you open bank accounts, get a driver's license, or whatever else.

*blink*

Even worse is this clause: ``It is insufficient to sign the mail which
includes the photo-ID as a whole. You should make sure to sign the ID
image file itself.''

It should be completely satisfactory to send, in crypto-parlance:
	S_k{ "This is my signed id for n-m@debian.org" ; ID }
That is, the entire message (including the key) signed once, not
separately. Anything else is open to replay attacks (someone trying
to join you up to a non-Debian project with similar identification
requirements, perhaps), which is not a Good Thing.

> > Applicant A			Applicant B
> > - has public key		- has public key, signed by Wichert*
> > - has image signed by		- has no image file
> >   own public key 
> > The current procedure says that Applicant A has fulfilled the identity
> > requirements. Applicant B has not.
> Applicant A has NOT fulfilled the identity requirements!!!!
> Applicant A must, in addition to the above, provide a real, live, contact
> who can verify the picture against the name.

Errr. What's the point of this latter? If it's a phone call, pay some
guy to lie for you ``Hi, I'm new in town, and I'm joining this project,
and they need to call a friend to verify that I am who's I say I am,
so do you mind if I give them your number, and when they call asking
about me, you can say yup, I yam who I yam? </ObPopeye>''. If it's an
email, you just need to use a relatively anonymous account (hotmail,
or a remailer) and do it yourself.

What's the point of asking someone we don't have any reason to trust
anything about the process? We have no reason to believe him. He has
no reason not to lie 'til he's blue in the face.

And in essence, isn't this saying, effectively, that we'll trust any
Joe off the street just as much as a Debian developer? If a developer
says the guy's who he says he is, that's good enough. If some Joe off
the street does too, well, that's good enough too.

I don't see what this buys anyone at all. On the downside, it's a nuisance
for applicants, it's an inaccurate test for inclusion (we want to know
if they're any good at making packages, not scanning images), and it
makes the process take longer.

> The image file satisfied our need as a group to be able to identify our
> members.

How does it do this? What does it buy us apart from just having a picture
of questionable accuracy on file? What's the *point*?

> > 1. (somewhat) Speedier processing for those applicants who are able to
> > convince existing Debian Developers to sign their key.
> We already have that, as they don't need to provide a phone contact for ID
> verification.

But they do for "evaluation and check-in", so what difference does
it make?

Cheers,
aj

-- 
Anthony Towns <aj@humbug.org.au> <http://azure.humbug.org.au/~aj/>
I don't speak for anyone save myself. GPG signed mail preferred.

  ``We reject: kings, presidents, and voting.
                 We believe in: rough consensus and working code.''
                                      -- Dave Clark
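
The S_k{ context ; ID } construction from the message above, as an added example that is not part of the original post: it contrasts a signature over the ID image alone with one signature over the context statement and the image together, and checks which of the two a second project would accept. Assumptions: Ed25519 stands in for the PGP signature, the key and image bytes are constructed, the second project's context string is hypothetical, and the length-prefixed encoding of "context ; ID" is this example's own choice.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"fmt"
)

// bound builds "context ; ID"; the length prefix keeps the split unambiguous.
func bound(context string, id []byte) []byte {
	msg := make([]byte, 4, 4+len(context)+len(id))
	binary.BigEndian.PutUint32(msg, uint32(len(context)))
	return append(append(msg, context...), id...)
}

// SignIDOnly is S_k{ID}: the image file signed by itself.
func SignIDOnly(priv ed25519.PrivateKey, id []byte) []byte { return ed25519.Sign(priv, id) }

// SignBound is S_k{context ; ID}: one signature over both.
func SignBound(priv ed25519.PrivateKey, context string, id []byte) []byte {
	return ed25519.Sign(priv, bound(context, id))
}

// VerifyIDOnly: nothing checked here says whom the image was signed for.
func VerifyIDOnly(pub ed25519.PublicKey, id, sig []byte) bool {
	return ed25519.Verify(pub, id, sig)
}

// VerifyBound accepts only a signature made for the verifier's own context.
func VerifyBound(pub ed25519.PublicKey, own string, id, sig []byte) bool {
	return ed25519.Verify(pub, bound(own, id), sig)
}

// Demo presents both submissions to a second, hypothetical project.
func Demo() (idOnlyElsewhere, boundElsewhere, boundIntended bool) {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // constructed test key
	pub := priv.Public().(ed25519.PublicKey)
	id := []byte("constructed stand-in for the scanned ID image")
	const debian = "This is my signed id for n-m@debian.org"
	const other = "This is my signed id for another project" // hypothetical

	idSig, boundSig := SignIDOnly(priv, id), SignBound(priv, debian, id)
	return VerifyIDOnly(pub, id, idSig),
		VerifyBound(pub, other, id, boundSig),
		VerifyBound(pub, debian, id, boundSig)
}

func main() {
	fmt.Println(Demo())
}
```

The separately signed image verifies wherever it is presented, while the bound signature verifies only against the context it was made for.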
