
Re: [ga] Proof of Identification




On 6 December 1999, John C Klensin <klensin@mci.net> wrote:


>For whatever it is worth, as someone who has been using PGP for
>many years and worrying about key integrity and validity and
>webs of trust for most of that time...
>

[...snip excellent points about trust...]

The problem as I see it boils down to this:  How do we assign
a unique identifier to a person?

Right now, we're discussing various methods of taking a unique
identifier, and saying, "Ok, this belongs to this person, and 
this person will only use this identifier if she is to be listened to."

The various methods under discussion include a physical meeting
between the individual and someone at least one other person already
"trusts", and the presentation of identification, followed by
this trusted party validating the individual's unique identifier.

I won't pretend to know the full extent of the debate surrounding
this issue in other fora, and won't presume to attempt to summarize
it here.  But I would like to point out that this presents what in 
some cases may be a significant barrier to participation, more so than
a fee would.  Some would argue that this is in fact the point, but
bear with me for a minute.

Using myself as an example, I'm just plain lucky that I live near
several of the other regular participants here, although we've never
met in person.  I'm also lucky that my work has allowed me to make
acquaintances that I share with other participants here.  Again, 
a lot of this is happenstance.  I tend to hole up either at work or
at home;  I have a small circle of friends, and none of them
participate here.  Were I to live in a more remote area of the
world, I would never have been able to afford to travel to meet
anyone at an ICANN meeting.  The chance that allows me to point
to people who can vouch for my identity would no longer exist.
In this situation, how would I ever be allowed to participate?
I certainly couldn't afford to meet someone, and I wouldn't trust
anyone who'd be willing to vouch for my identity on the basis
of a faxed or scanned document, when such things are so easily and
undetectably altered.

I'm not saying that we should ignore this problem;  I believe we need
some way to identify people, to tie them to one and only one
mailing address, and have a forum in which only those thus
identified may participate.  I'm just concerned that the
web of trust, as long as it relies on such methods, will be
exclusive to too many people, particularly those who may not yet
have joined.

Perhaps if we were to require a nominal, even nonsensical fee,
which must be submitted by personal check (or local equivalent).
I write out a check for US$1.00, sign it, write my e-mail address
on it, and mail it off.  This would allow us to use another agency's
normal function as an identity validation, and while it wouldn't
eliminate multiple-personality types, it would make their
participation significantly more difficult.

Just a thought.

-- 
Mark C. Langston
mark@bitshift.org
Systems Admin
San Jose, CA