On Thu, May 16, 2002 at 03:01:38PM +0200, Vittorio Bertola wrote:
> On 16 May 2002 12:02:15 +0200, you wrote:
> >> In your process, how do you distribute the PGP keys? Once voters have
> >> a key, you can be sure that the vote is theirs, but how do you
> >> identify a new person who has to be given a key, and how do you verify
> >> his/her identity?
> >a requirement for a new debian developer is to have his gpg key signed
> >by a full developer. we have quite a big web of trust in debian.
> So, to apply this system to ICANN, we would have to build the At Large
> membership by cooptation, ie each new member would have to be
> introduced by another one. This could be somewhat interesting, but I
> guess it could be not open enough for our scale and purposes.

Debian has chosen this particular method because it's consistent with our goals as a community: a PGP web of trust maps closely onto the relationships that have to exist among us as developers of an operating system. For ICANN, I'm pretty sure that this does not apply; so requiring all PGP keys to be signed by someone already in ICANN is probably not the way to go about it.

You can choose a different method that provides the right balance of security and convenience for your organization. You might accept PGP keys with only email verification, you might accept them printed out and sent by normal mail, you might accept keys that have been signed into the global web of trust. Each approach offers a different degree of authenticity, and carries with it a different degree of overhead.

Steve Langasek
postmodern programmer