On Thu, 28 Jun 2001, Samuel Tardieu wrote: > On 28/06, Martin Michlmayr wrote: > | * Mark Brown <[EMAIL PROTECTED]> [20010628 16:53]: > | > Does the GPG key need to be signed or does it just need to exist? I > | > had been under the impression that other forms of identification > | > were still possible, though severely discouraged.
> | Yeah, those forms still exist. The web site even says > | Do you yet have a GPG key signed by a current developer or some > | other photo ID scanned in and signed with your GPG key? > | But I usually talk of 'signed keys' because that's the preferred > | method and because it is usually possible to get a signature these > | days. > I also think that Debian should accept scanned IDs signed with a trusted > X509 key (as the one issued for free by Thawte (http://www.thawte.com/)). This > would allow people who went through the heavy Thawte id checking to have > their identity trusted by the Debian project. No. Signing the scanned ID adds *nothing* over accepting the x509 key by itself. If faking a physical photo ID is easy, faking a scanned photo ID is ridiculously simple. If we want to accept Thawte's id checking as sufficiently rigorous for our purposes, if we want to trust Thawte[1], then there's no point in asking for a scan signed with the ID. But I don't think we should accept Thawte IDs as sufficient; the needs and goals of a PKI that uses CAs (such as Thawte) are not entirely compatible with those of a peer-to-peer system (such as PGP). Steve Langasek postmodern programmer [1] And is Thawte really so impervious to corruption that there's not even a *remote* possibility of falsification? Remember that they're now owned by Network Solutions. Anything is possible...
