I've just read through the archive, and I thought I'd toss in my two cents.

I'm currently in the NM queue. I already have a GPG key in the MIT keyserver and a scanned copy of the photograph page of my passport (I scanned it right after I applied, because I thought I might need it right away). The application guidelines aren't at all clear about what is done with the image. My impression was that the image would be used to help verify my identity to a Debian developer who the NM team put me in contact with and then discarded. That is, a copy of the image file would be supplied to a developer in my area who would meet with me; that developer could check the image against my real passport, and then sign my key. I was *not* under the impression that a permanent copy of my signed passport image would be stored by Debian on a long-term basis, and I don't approve of such a plan. Furthermore, I don't see how having a signed image on file helps Debian, and it clearly opens the door for potential abuses (identity theft).

I apparently overlooked the telephone option for ``eye-ball'' verification. I don't know about you, but I'm sure I could fake up some ID and find a friend who would be willing to vouch that I was whoever I said I was. Unless the person confirming my identity was already known and trusted by the Debian Project, his testimony is worthless. If the person doing the verification was a Debian developer, they could sign my key.

As far as I can see, the only meaningful way of verifying my identity and goodwill has to come from meeting other Debian developers in person, where they can get a sense of who I am and what I believe in from talking with me. Unfortunately, even living in a fairly large metropolitan area, I have no easy, guaranteed means of contacting local Debian developers.

Rather than collecting photo-IDs that can't be validated without signed keys anyway, I think it would be more useful for the Project to develop some method of facilitating contact between existing Debian developers who are willing to sign keys and prospective maintainers (or other members).

As far as I can tell, the obvious ways to get your key signed by a Debian developer are

1. Attend a large Linux event, such as LinuxTag, OLS, and so forth, where Debian has a booth
2. Attend a smaller event (such as a local Linux User's Group meeting) and hope to run into someone who somehow gives away the fact that they're a Debian developer
3. Post a message to debian-devel asking to meet people in a specified city or region
4. Find someone on #debian on IRC who is nearby

The problem with all four of these options is that all of the burden is placed on the keyseeker. If you want your key signed, you have to make it to a large meeting, get lucky and find someone at your local LUG, spam hundreds of developers, or keep announcing your geographic location and desire for having your key signed on IRC.

The keyswapping process would be much easier if it were possible for keysigners to make their willingness to sign keys known to keyseekers. Here are four possible scenarios, and some suggestions for how they could be handled:

1. Developer Xander works in downtown Vancouver, and states that he's willing to meet people for lunch and exchange keys at a given restaurant every Wednesday at 1 PM.
2. NM applicant Yvonne is planning a trip to Seattle on September 9, and wonders if there are any developers who could sign her key.
3. Developer Zachary is planning a trip to Chicago, and is willing to sign keys for people he can meet with while he's there.
4. The Miami Linux Users Group has a regularly scheduled keyswapping party every month.

Scenarios 1 and 2 (but not 3 and 4) could be satisfied by modifying the interface to the Debian developer database.
As it stands, you can get a list of all the developers in your country, but most countries are far too large for a countrywide list to guarantee that anyone on the list will be anywhere near where you are or are planning to be. Even being able to search at the level of states or provinces wouldn't be much help. But if you could search by city, you'd have a much smaller list of candidates. And if you could further limit your search for people in a given city who were also willing to meet to swap keys, you'd be set.

[Note: I wasn't able to find any documentation explaining why the developer database works the way it does. I'm assuming that there are privacy reasons for not making city-level searches available for everyone, but I think that with an ``opt-in'' approach for people willing to sign keys, such searches might be acceptable.]

Another alternative would be to build a separate system to track willing keysigners and eager keyseekers. Such a system could also support scenarios 3 and 4.

Either alternative would make it easier to satisfy the keysigning requirement, and eliminate the need for collecting images of photo-IDs.

CMC

P.S. If the Project merely wants a photograph to display somewhere (an idea that is, itself, questionable), I certainly wouldn't want that photograph to come from some official piece of ID. Identity theft aside, ID photos are almost universally horrible....

+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
Behind the counter a boy with a shaven head stared vacantly into space,
a dozen spikes of microsoft protruding from the socket behind his ear.
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
C.M. Connelly [EMAIL PROTECTED] SHC, DS
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+