Re: [Debconf-discuss] using OpenPGP notations to indicate keysigning practices

2009-06-27 Thread Gunnar Wolf
Ana Guerrero said [Thu, Jun 25, 2009 at 12:04:37PM +0200]:
> On Tue, Jun 23, 2009 at 06:23:31PM -0700, Russ Allbery wrote:
> > For example, I think US drivers' licenses are only verifiable by someone
> > who's lived in that state or otherwise seen drivers' licenses from that
> > state.  I really dislike seeing people use them at key signings and
> > would rather see people use passports.  I suspect you're going to see a
> > ton of them in the 2010 Debconf key signing, though, since a lot of
> > people in the US simply never bother to get a passport.
>
> FWIW, you will see plenty of national IDs from all the European countries
> in DebConf. I do expect most Germans, French, Italians, Belgians, etc. to be
> just travelling with their cards. They do not need their passports to come.

European national ID cards have enough security measures, and are
easily recognizable as such. And also, standing at a big KSP, I expect
other people to be more familiar than myself with what a European ID
looks like - and they should raise their voice in case it is not
valid.

Even though the Transnational Republic ID _does_ look like a legal
European ID card, I can produce more than one document I have around
here (legal, no counterfeits!) that look very similar to a
passport. And the people who have signed my key know that my current
passport _is_ easily counterfeitable. (Yes, it is at the end of its
validity period, it expires 2009/12, and I expect to travel to Spain
with a new one).

Greetings,

-- 
Gunnar Wolf • gw...@gwolf.org • (+52-55)5623-0154 / 1451-2244


-- 
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Re: [Debconf-discuss] using OpenPGP notations to indicate keysigning practices

2009-06-26 Thread Philipp Kern
On 2009-06-25, Bernd Eckenfels bernd...@eckenfels.net wrote:
> In article 20090625100437.ga10...@ana.debian.net you wrote:
> FWIW, you will see plenty of national IDs from all the European countries
> in DebConf. I do expect most Germans, French, Italians, Belgians, etc. to be
> just travelling with their cards. They do not need their passports to come.
> European ID cards are more like a passport, whereas a US ID is a driver
> license.  (In addition to that national driver licenses of European
> countries are much less useful for this purpose unless they are the new
> euro-style license check cards)

But even then I don't think they are accepted as some sort of ID in Europe.

Kind regards,
Philipp Kern






Re: [Debconf-discuss] using OpenPGP notations to indicate keysigning practices

2009-06-26 Thread Cyril Brulebois
Philipp Kern tr...@philkern.de (26/06/2009):
> On 2009-06-25, Bernd Eckenfels bernd...@eckenfels.net wrote:
> > European ID cards are more like a passport, whereas a US ID is a
> > driver license.  (In addition to that national driver licenses of
> > European countries are much less useful for this purpose unless
> > they are the new euro-style license check cards)
>
> But even then I don't think they are accepted as some sort of ID in
> Europe.

Driver licenses? Depends. At least from my limited experience in France
with a French driver license, it's possible to be ID'd with it to pass
an exam, but not to vote. One reason I was given for the latter is that
the nationality isn't included on the driver license.

Mraw,
KiBi.




Re: [Debconf-discuss] using OpenPGP notations to indicate keysigning practices

2009-06-26 Thread Gunnar Wolf
David Moreno said [Thu, Jun 25, 2009 at 09:27:28AM -0400]:
> > Driving licenses are expressly not accepted as official ID documents
> > in Mexico, even if they are government-issued.
>
> > That just begs the question: official to whom, and why?
>
> Official for the government for procedures such as state and federal
> elections or to prove citizenship to get passport.

...Or as an acceptable identification to handle your money at the
bank, or to make government tramits, or... 

-- 
Gunnar Wolf • gw...@gwolf.org • (+52-55)5623-0154 / 1451-2244





Re: [Debconf-discuss] using OpenPGP notations to indicate keysigning practices

2009-06-25 Thread Ana Guerrero
On Tue, Jun 23, 2009 at 06:23:31PM -0700, Russ Allbery wrote:
> For example, I think US drivers' licenses are only verifiable by someone
> who's lived in that state or otherwise seen drivers' licenses from that
> state.  I really dislike seeing people use them at key signings and
> would rather see people use passports.  I suspect you're going to see a
> ton of them in the 2010 Debconf key signing, though, since a lot of
> people in the US simply never bother to get a passport.

FWIW, you will see plenty of national IDs from all the European countries
in DebConf. I do expect most Germans, French, Italians, Belgians, etc. to be
just travelling with their cards. They do not need their passports to come.






Re: [Debconf-discuss] using OpenPGP notations to indicate keysigning practices [was: Re: GPG keysigning?]

2009-06-25 Thread Philipp Kern
On Wed, Jun 24, 2009 at 09:30:52AM +0800, Paul Wise wrote:
> Would subkeys help in this scenario? (hint hint, some good docs about
> real-world subkey usage are needed).

Subkeys cannot (to my knowledge) be used for certification (i.e. key signing).
At least not with stock gnupg.

Kind regards,
Philipp Kern
-- 
 .''`.  Philipp Kern                        Debian Developer
: :' :  http://philkern.de                  Stable Release Manager
`. `'   xmpp:p...@0x539.de                  Wanna-Build Admin
  `-    finger pkern/k...@db.debian.org




Re: [Debconf-discuss] using OpenPGP notations to indicate keysigning practices

2009-06-25 Thread Enrico Zini
On Thu, Jun 25, 2009 at 12:04:37PM +0200, Ana Guerrero wrote:

> FWIW, you will see plenty of national IDs from all the European countries
> in DebConf. I do expect most Germans, French, Italians, Belgians, etc. to be
> just travelling with their cards. They do not need their passports to come.

I do intend, however, to take mine just for the keysigning, and I'd say
that most other participants who already have a passport would want to
do the same.


Ciao,

Enrico

-- 
GPG key: 4096R/E7AD5568 2009-05-08 Enrico Zini enr...@enricozini.org




Re: [Debconf-discuss] using OpenPGP notations to indicate keysigning practices

2009-06-25 Thread David Moreno

On Jun 24, 2009, at 5:43 PM, Peter Eisentraut wrote:

> On Wednesday 24 June 2009 16:58:52 Gunnar Wolf wrote:
>
> > Driving licenses are expressly not accepted as official ID documents
> > in Mexico, even if they are government-issued.
>
> That just begs the question: official to whom, and why?

Official for the government for procedures such as state and federal
elections or to prove citizenship to get passport.


David Moreno
http://twitter.com/damog





Re: [Debconf-discuss] using OpenPGP notations to indicate keysigning practices

2009-06-25 Thread Bernd Eckenfels
In article 20090625100437.ga10...@ana.debian.net you wrote:
> FWIW, you will see plenty of national IDs from all the European countries
> in DebConf. I do expect most Germans, French, Italians, Belgians, etc. to be
> just travelling with their cards. They do not need their passports to come.

European ID cards are more like a passport, whereas a US ID is a driver
license.  (In addition to that national driver licenses of European
countries are much less useful for this purpose unless they are the new
euro-style license check cards)

Gruss
Bernd





Re: [Debconf-discuss] using OpenPGP notations to indicate keysigning practices [was: Re: GPG keysigning?]

2009-06-24 Thread Bernd Eckenfels
In article 20090624003554.gf9...@kunpuu.plessy.org you wrote:
> that would be very welcome. This whole discussion confuses me and I do not
> understand if Debian as a project accepts signatures that are not based on a
> passport or an ID card. For instance, I have used drivers licenses or social
> security cards as well, is that acceptable?

Debian has no way (yet) to tell them apart. In the past Debian just relied
on some trust, just to make sure that a submitted key was not intercepted.
Additional requirements (up to avoiding deniability) have been added later
on (and I think never made official policy?).  There are existing key
signatures older than any official Debian statement between developer keys
so, all of them would have to be redone to be fully trusted (and annotated).

Anyway, I would suggest not to get into the business of setting up a PKI
Hierarchy and having a RA who can guarantee gov. identity worldwide.

But if you still want to, you can find some information on ID checking and
policy in the CAcert assurer handbook.  CAcert is currently improving all
kinds of details in this area (in order to get Audited for Inclusion in
Mozilla Truststores)

http://wiki.cacert.org/wiki/AssuranceHandbook2
http://wiki.cacert.org/wiki/AcceptableDocuments

Note that Assurance for CAcert does not validate the email, since this is
not always practicable in face to face meetings (and has all kinds of
problems like company accounts which get revoked).  The CAcert account can
be linked to an email address (and currently they are not rechecked).  CAcert
can sign PGP keys for assured members.

Greetings
Bernd





Re: [Debconf-discuss] using OpenPGP notations to indicate keysigning practices [was: Re: GPG keysigning?]

2009-06-24 Thread Simon Richter
On Tue, Jun 23, 2009 at 08:52:20PM +0200, martin f krafft wrote:

> Additional metadata, e.g. number and expiration date would
> be helpful.

Actually that'd be illegal in Germany -- ID numbers of identification
documents may not be stored in databases, with exactly two exceptions:

 - the issuing office can map (name, address, date of birth) -> number for
   inclusion in
 - the list of stolen documents, kept by the police (this list has no
   names)

   Simon





Re: [Debconf-discuss] using OpenPGP notations to indicate keysigning practices

2009-06-24 Thread Sami Liedes
On Tue, Jun 23, 2009 at 07:55:57PM -0700, Don Armstrong wrote:
> On Tue, 23 Jun 2009, Russ Allbery wrote:
> > For example, I think US drivers' licenses are only verifiable by
> > someone who's lived in that state or otherwise seen drivers'
> > licenses from that state.
>
> Nah; there's a guide published[1] which has all of them. [If you're a
> bar tender or a notary, you have to be able to check them.]

But from an international POV I don't know if that's very useful.
Would you accept 50 different IDs issued by, say, Portugal, in a KSP?

Sami




Re: [Debconf-discuss] using OpenPGP notations to indicate keysigning practices

2009-06-24 Thread Gunnar Wolf
Russ Allbery said [Tue, Jun 23, 2009 at 06:23:31PM -0700]:
> > I will always challenge the government-issued ID due to the vastly
> > differing standards across the globe, but travel document is
> > actually a term that someone uttered earlier, which raises the bar a
> > lot higher.
>
> For example, I think US drivers' licenses are only verifiable by someone
> who's lived in that state or otherwise seen drivers' licenses from that
> state.  I really dislike seeing people use them at key signings and
> would rather see people use passports.  I suspect you're going to see a
> ton of them in the 2010 Debconf key signing, though, since a lot of
> people in the US simply never bother to get a passport.

Driving licenses are expressly not accepted as official ID documents
in Mexico, even if they are government-issued.

-- 
Gunnar Wolf - gw...@gwolf.org - (+52-55)5623-0154 / 1451-2244
PGP key 1024D/8BB527AF 2001-10-23
Fingerprint: 0C79 D2D1 2C4E 9CE4 5973  F800 D80E F35A 8BB5 27AF





Re: [Debconf-discuss] using OpenPGP notations to indicate keysigning practices

2009-06-24 Thread Peter Eisentraut
On Wednesday 24 June 2009 16:58:52 Gunnar Wolf wrote:
> Driving licenses are expressly not accepted as official ID documents
> in Mexico, even if they are government-issued.

That just begs the question: official to whom, and why?  Ultimately, the 
office clerk, the bar tender, or the key signer will have to use best 
judgement whether the evidence produced establishes a link between a person 
and an identity.  Of course the bar tender for example might have a legal 
framework about what to accept and not to accept.  But I don't think it is 
going to be successful to enforce a law like that for key signing.





Re: [Debconf-discuss] using OpenPGP notations to indicate keysigning practices [was: Re: GPG keysigning?]

2009-06-23 Thread martin f krafft
thus spoke Daniel Kahn Gillmor d...@fifthhorseman.net [2009.06.23.1949 +0200]:
> -- govt-iss...@wot.debian.org might be a distinguished name
> identifying the apparent issuer of any validated identification,
> such as /C=US/ST=NY/ for a NY State (USA) driver's license and
> /C=US/ for an American passport. If you checked two IDs, you could
> include this notation twice.  Maybe this should somehow include
> the type of document as well?

Additional metadata, e.g. number and expiration date would
be helpful.

On the other hand, just some clear guidelines that participants HAVE
TO abide by, would help, e.g. a commitment to a signing policy for
all keys that are to appear in a Debian keyring.

I will always challenge the government-issued ID due to the vastly
differing standards across the globe, but travel document is
actually a term that someone uttered earlier, which raises the bar
a lot higher.

Cheers,

-- 
 .''`.   martin f. krafft madd...@debconf.org
: :'  :  DebConf orga team; press officer
`. `'`
  `-  DebConf9: 24-30 Jul 2009, Extremadura, ES: http://debconf9.debconf.org
 
i believe that the moment is near when by a procedure
 of active paranoiac thought, it will be possible
 to systematise confusion and contribute to
 the total discrediting of the world of reality.
  -- salvador dali




Re: [Debconf-discuss] using OpenPGP notations to indicate keysigning practices [was: Re: GPG keysigning?]

2009-06-23 Thread Daniel Kahn Gillmor
On 06/23/2009 02:52 PM, martin f krafft wrote:
> Additional metadata, e.g. number and expiration date would
> be helpful.

This would certainly be useful from the smiting perspective, but might
raise privacy concerns if people don't want their passport number (or
whatever) bound to their OpenPGP keys, or even distributed within the
debian project.

> On the other hand, just some clear guidelines that participants HAVE
> TO abide by, would help, e.g. a commitment to a signing policy for
> all keys that are to appear in a Debian keyring.

I think that misses a critical point; i want to use my OpenPGP key for a
variety of purposes both in and out of debian.  I consider it a baseline
tool for managing my digital identity.  While i'm happy to obey
debian-specific guidelines for debian-specific purposes, i have no
intention of obeying debian-specific guidelines for projects outside of
debian, except perhaps by coincidence.

I'm *not* saying that i will sign keys blindly or anything, but there
are scenarios and groups i interact with where it is meaningful and/or
useful to sign a role key, a machine key, or a pseudonymous key, for
example.  If debian makes up some debian-specific guidelines that say
you must not sign pseudonymous keys, i cannot follow those
instructions without changing my key (or having a debian-specific key
unrelated to my non-debian identity, which seems to defeat the whole
point of the binding).

On the other hand, if debian says we're only going to accept
certifications with certain well-defined values for the following
attributes for certain purposes within the project, then i can continue
to use my key, and make sure that i follow appropriate guidelines for
certifications that *are* critical to debian.

> I will always challenge the government-issued ID due to the vastly
> differing standards across the globe, but travel document is
> actually a term that someone uttered earlier, which raises the bar
> a lot higher.

Agreed, though it would be no fun for a DD (or potential DD) who can't
convince her own government to issue her a travel document.  do we want
to exclude those people from debian?

--dkg
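
The scheme discussed in this thread (issuer notations on certifications, with a relying party accepting only certain values), as an added example that is not code from any poster or from Debian: it builds and parses OpenPGP notation-data subpackets in the RFC 4880 layout and applies an acceptance policy to them. The notation name `id-issuer@example.org`, the sample subpacket areas and the accepted-issuer set are all assumptions constructed for illustration.

```python
import struct

NOTATION_DATA = 20      # signature subpacket type (RFC 4880, section 5.2.3.16)
CRITICAL_BIT = 0x80     # high bit of the subpacket type octet
HUMAN_READABLE = 0x80   # first flag octet: the value is UTF-8 text
ISSUER_NOTATION = "id-issuer@example.org"   # hypothetical notation name


def encode_notation(name, value, critical=False):
    """Serialise one text notation as a signature subpacket."""
    n, v = name.encode("utf-8"), value.encode("utf-8")
    body = (bytes([HUMAN_READABLE, 0, 0, 0])
            + struct.pack(">HH", len(n), len(v)) + n + v)
    if len(body) + 1 >= 192:
        raise ValueError("this example only emits one-octet lengths")
    sub_type = NOTATION_DATA | (CRITICAL_BIT if critical else 0)
    return bytes([len(body) + 1, sub_type]) + body   # length counts the type


def parse_notations(area):
    """Return [(name, value, critical)] for the notations in a subpacket area."""
    found, i = [], 0
    while i < len(area):
        first = area[i]
        if first < 192:                        # one-octet length
            length, i = first, i + 1
        elif first < 255:                      # two-octet length
            if i + 2 > len(area):
                raise ValueError("truncated subpacket length")
            length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
        else:                                  # five-octet length
            if i + 5 > len(area):
                raise ValueError("truncated subpacket length")
            length, i = struct.unpack(">I", area[i + 1:i + 5])[0], i + 5
        if length < 1 or i + length > len(area):
            raise ValueError("truncated subpacket")
        sub_type, body = area[i], area[i + 1:i + length]
        i += length
        if sub_type & 0x7F != NOTATION_DATA:
            continue                           # not a notation; ignored here
        if len(body) < 8:
            raise ValueError("notation body too short")
        name_len, value_len = struct.unpack(">HH", body[4:8])
        if 8 + name_len + value_len != len(body):
            raise ValueError("notation lengths do not match the subpacket")
        name = body[8:8 + name_len].decode("utf-8")
        raw = body[8 + name_len:]
        value = raw.decode("utf-8") if body[0] & HUMAN_READABLE else raw
        found.append((name, value, bool(sub_type & CRITICAL_BIT)))
    return found


def accept_for_keyring(area, accepted_issuers):
    """Relying-party policy: count a certification only if it names at least
    one accepted issuer and carries no critical notation we do not know."""
    notations = parse_notations(area)
    # RFC 4880: a critical subpacket the evaluator does not understand means
    # the signature should be treated as in error.
    if any(crit and name != ISSUER_NOTATION for name, _, crit in notations):
        return False
    return any(name == ISSUER_NOTATION and value in accepted_issuers
               for name, value, _ in notations)


# Constructed subpacket areas (not taken from any real key or signature).
CREATED = bytes([5, 2]) + struct.pack(">I", 1245780000)   # creation time
PASSPORT = CREATED + encode_notation(ISSUER_NOTATION, "/C=US/")
LICENCE = CREATED + encode_notation(ISSUER_NOTATION, "/C=US/ST=NY/")
TWO_IDS = LICENCE + encode_notation(ISSUER_NOTATION, "/C=US/")
UNANNOTATED = CREATED
UNKNOWN_CRITICAL = PASSPORT + encode_notation("other@example.org", "x", True)
POLICY = {"/C=US/", "/C=DE/"}   # hypothetical: national-level issuers only
```

Under this policy an unannotated certification is simply not counted, which leaves the signer free to make other kinds of certification with the same key.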





Re: [Debconf-discuss] using OpenPGP notations to indicate keysigning practices [was: Re: GPG keysigning?]

2009-06-23 Thread Charles Plessy
On Tue, Jun 23, 2009 at 08:52:20PM +0200, martin f krafft wrote:
>
> On the other hand, just some clear guidelines that participants HAVE
> TO abide by, would help, e.g. a commitment to a signing policy for
> all keys that are to appear in a Debian keyring.

Hi Martin,

that would be very welcome. This whole discussion confuses me and I do not
understand if Debian as a project accepts signatures that are not based on a
passport or an ID card. For instance, I have used drivers licenses or social
security cards as well, is that acceptable?

Have a nice day,

-- 
Charles Plessy
Tsurumi, Kanagawa, Japan





Re: [Debconf-discuss] using OpenPGP notations to indicate keysigning practices

2009-06-23 Thread Russ Allbery
martin f krafft madd...@debconf.org writes:

> I will always challenge the government-issued ID due to the vastly
> differing standards across the globe, but travel document is
> actually a term that someone uttered earlier, which raises the bar a
> lot higher.

For example, I think US drivers' licenses are only verifiable by someone
who's lived in that state or otherwise seen drivers' licenses from that
state.  I really dislike seeing people use them at key signings and
would rather see people use passports.  I suspect you're going to see a
ton of them in the 2010 Debconf key signing, though, since a lot of
people in the US simply never bother to get a passport.

-- 
Russ Allbery (r...@debian.org)   http://www.eyrie.org/~eagle/





Re: [Debconf-discuss] using OpenPGP notations to indicate keysigning practices

2009-06-23 Thread Russ Allbery
Charles Plessy ple...@debian.org writes:

> that would be very welcome. This whole discussion confuses me and I do
> not understand if Debian as a project accepts signatures that are not
> based on a passport or an ID card. For instance, I have used drivers
> licenses or social security cards as well, is that acceptable?

Social security cards are going to depend a lot on the government you're
talking about.  For example, you should never accept US social security
cards as any form of identification.  I believe current US social
security cards even say this on them.  Mine (and I haven't heard that
this has changed, although it's possible) contains absolutely no
anti-counterfeiting security measures and does not have a photograph.
I could trivially print one out on a laser printer.

Other countries issue cards for similar uses that are much more robust.

-- 
Russ Allbery (r...@debian.org)   http://www.eyrie.org/~eagle/





Re: [Debconf-discuss] using OpenPGP notations to indicate keysigning practices [was: Re: GPG keysigning?]

2009-06-23 Thread Paul Wise
On Wed, Jun 24, 2009 at 3:14 AM, Daniel Kahn Gillmor
d...@fifthhorseman.net wrote:

> I think that misses a critical point; i want to use my OpenPGP key for a
> variety of purposes both in and out of debian.  I consider it a baseline
> tool for managing my digital identity.  While i'm happy to obey
> debian-specific guidelines for debian-specific purposes, i have no
> intention of obeying debian-specific guidelines for projects outside of
> debian, except perhaps by coincidence.
>
> I'm *not* saying that i will sign keys blindly or anything, but there
> are scenarios and groups i interact with where it is meaningful and/or
> useful to sign a role key, a machine key, or a pseudonymous key, for
> example.  If debian makes up some debian-specific guidelines that say
> you must not sign pseudonymous keys, i cannot follow those
> instructions without changing my key (or having a debian-specific key
> unrelated to my non-debian identity, which seems to defeat the whole
> point of the binding).

Would subkeys help in this scenario? (hint hint, some good docs about
real-world subkey usage are needed).

-- 
bye,
pabs

http://wiki.debian.org/PaulWise





Re: [Debconf-discuss] using OpenPGP notations to indicate keysigning practices

2009-06-23 Thread Don Armstrong
On Tue, 23 Jun 2009, Russ Allbery wrote:
> For example, I think US drivers' licenses are only verifiable by
> someone who's lived in that state or otherwise seen drivers'
> licenses from that state.

Nah; there's a guide published[1] which has all of them. [If you're a
bar tender or a notary, you have to be able to check them.]

> I suspect you're going to see a ton of them in the 2010 Debconf key
> signing, though, since a lot of people in the US simply never bother
> to get a passport.

It's no different than the issues with verifying passports; you have
to be familiar with what a valid passport from that country for that
period of time looks like, and know how to read the MRZ code (assuming
the country actually has it.)

I imagine that we can arrange to have a copy of that or a similar book
around for people to compare.


Don Armstrong

1:http://www.amazon.com/Checking-Drivers-License-Company-Publisher/dp/0938964739
-- 
Identical parts aren't.
 -- Beach's Law

http://www.donarmstrong.com  http://rzlab.ucr.edu
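
The MRZ check mentioned in the message above, as an added example that is not part of the original post: the check-digit calculation ICAO Doc 9303 defines for the second MRZ line of a passport (TD3 format), run on the specimen line published with that standard and on a copy altered here. Matching check digits show only that the line is internally consistent; the algorithm is public, so they say nothing about whether the document itself is genuine.

```python
import string

WEIGHTS = (7, 3, 1)  # repeating weights from ICAO Doc 9303


def char_value(c):
    """Map an MRZ character to its numeric value."""
    if c in string.digits:
        return int(c)
    if c in string.ascii_uppercase:
        return ord(c) - ord("A") + 10   # A=10 ... Z=35
    if c == "<":
        return 0                        # filler
    raise ValueError(f"character {c!r} is not allowed in an MRZ")


def check_digit(field):
    """Weighted sum modulo 10 over the characters of one field."""
    return sum(char_value(c) * WEIGHTS[i % 3] for i, c in enumerate(field)) % 10


def verify_td3_line2(line):
    """Check every check digit on line 2 of a passport MRZ.

    Returns {field name: True/False}. A failure means the line was misread,
    mistyped or altered.
    """
    if len(line) != 44:
        raise ValueError("line 2 of a TD3 MRZ has exactly 44 characters")
    fields = {
        "document_number": (line[0:9], line[9]),
        "date_of_birth": (line[13:19], line[19]),
        "date_of_expiry": (line[21:27], line[27]),
        "personal_number": (line[28:42], line[42]),
        # The composite digit covers the fields above and their check digits.
        "composite": (line[0:10] + line[13:20] + line[21:43], line[43]),
    }
    results = {}
    for name, (data, digit) in fields.items():
        if name == "personal_number" and digit == "<":
            # An unused personal number may carry a filler as check digit.
            results[name] = set(data) == {"<"}
        else:
            results[name] = (digit in string.digits
                             and int(digit) == check_digit(data))
    return results


# Specimen line from ICAO Doc 9303, and a copy constructed for this example
# with the expiry year changed from 12 to 19.
SPECIMEN = "L898902C36UTO7408122F1204159ZE184226B<<<<<10"
ALTERED = "L898902C36UTO7408122F1904159ZE184226B<<<<<10"

if __name__ == "__main__":
    for label, line in (("specimen", SPECIMEN), ("altered", ALTERED)):
        failed = [f for f, ok in verify_td3_line2(line).items() if not ok]
        print(label, "failed checks:", failed or "none")
```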





Re: [Debconf-discuss] using OpenPGP notations to indicate keysigning practices

2009-06-23 Thread Bernd Eckenfels
In article 20090624025557.gb9...@rzlab.ucr.edu you wrote:
> I imagine that we can arrange to have a copy of that or a similar book
> around for people to compare.

And a UV lamp (at least one for money checking, but a special one for
documents is even better, they have different wavelengths.  European ID cards
typically have marks in both colors)

Greetings
Bernd

