On Sat, May 27, 2006 at 10:19:57AM -0700, Thomas Bushnell BSG wrote:
> Paul Johnson <[EMAIL PROTECTED]> writes:

> > I would be more inclined to do that to the people who signed his key
> > based on the Transnational Republic ID.

> So, who are those people? Is Manoj one of them?

It seems that I am one of them. After the fact, I do have a vague
recollection of being presented an ID of unusual issuance, which may or may
not have been Martin's; and I am told I did not ask for a second ID as I
should have. Clearly, there is serious doubt that my ID checking standards
that day were what they should have been, whether due to fatigue, or a
feeling of being rushed due to the format, or other factors.

I am grateful to Martin for bringing this to my attention, though I suppose
others won't feel the same way given that it's my intention now to revoke
all signatures I issued based on that KSP barring exceptional cases in which
I can explicitly recall enough details of the signee's ID to confirm that I
have checked it correctly.

I am not asserting that I should be able to detect any and all forgeries of
official IDs; that's definitely beyond my mortal means. But I should not be
accepting forms of ID that I can't actually *recognize*, and for forms that
I *do* recognize, there are almost universally legal penalties for forging
such documents. There is no law against private-issue IDs with a person's
name and picture on them, which means that if I allow myself to sign a key
based on such ID, the cost to a potential attacker to get into the web of
trust -- even the Debian web of trust, not the global web of trust in
general -- is way too low, way lower than the cost that any of us should be
able to enforce if we prioritize security over keyrankings the way we ought
to.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
[EMAIL PROTECTED]                                   http://www.debian.org/