In article <20090624003554.gf9...@kunpuu.plessy.org> you wrote: > that would be very welcome. This whole discussion confuses me and I do not > understand if Debian as a project accepts signatures that are not based on a > passport or an ID card. For instance, I have used drivers licenses or social > security cards as well, is that acceptable ?
Debian has no way (yet) to tell them apart. In the past debian just relied on some trust, just to make sure that a submitted key was not intercepted. Additional requirements (up to avoiding deniability) have been added later on (and I think never made official policy?). There are existing key signatures older than any official debian satement between developer keys so, all of them would have to be redone to be fully trusted (and annotated). Anyway, I would suggest not to get into the Business of setting up a PKI Hierachy and having a RA who can gurantee gov. idendity world wide. But if you still want to, you can find some information on ID checking and policy in the CAcert assurer handbook. CAcert is currently improving all kinds of details in this area (in order to get Audited for Inclusion in Mozilla Truststores) http://wiki.cacert.org/wiki/AssuranceHandbook2 http://wiki.cacert.org/wiki/AcceptableDocuments Note that Assurance for CAcert does not validate the email, since this is not always practicable in face to face meetings (and has all kinds of problems like company accounts which get revoked). The CAcert account can be linked to a email address (and currently they are not rechecked). CAcert can sign PGP keys for assured members. Greetings Bernd -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org