1993-11-15 - Re: True Name keys

Header Data

From: cman%IO.COM@triton.unm.edu (Douglas Barnes)
To: mdiehl@triton.unm.edu (J. Michael Diehl)
Message Hash: d1d1baa03f5706c1b6fac402551c936e4470da3a31876038993c7b841c4daa55
Message ID: <9311150925.AA12888@illuminati.IO.COM>
Reply To: <9311150706.AA03132@triton.unm.edu>
UTC Datetime: 1993-11-15 10:20:20 UTC
Raw Date: Mon, 15 Nov 93 02:20:20 PST

Raw message

From: cman%IO.COM@triton.unm.edu (Douglas Barnes)
Date: Mon, 15 Nov 93 02:20:20 PST
To: mdiehl@triton.unm.edu (J. Michael Diehl)
Subject: Re: True Name keys
In-Reply-To: <9311150706.AA03132@triton.unm.edu>
Message-ID: <9311150925.AA12888@illuminati.IO.COM>
MIME-Version: 1.0
Content-Type: text/plain


> > If you were to get enough business, you could then just farm the
> > whole thing out to a local notary/clerk type who would probably
> > have more experience with identity documents, the work of other
> > notaries, etc. 
> 
> And you would be forced to trust him, also...and anyone else I may farm this out
> to.  Not this kid. ;^)

Actually, as nice a guy as I'm sure you are, having worked in banking
for many years, I'm more inclined to trust little blue-haired old
ladies for tasks requiring meticulous attention to detail, than folks
who are more like me. This is just another aspect of charging; it 
allows you to scale/extend the service beyond the point at which it
holds any charm whatsoever to a creative/leading edge type individual.

I don't think you'll find much resistance if you let it be known that
you will eventually hire/contract with a professional to do the ID
validations. It will probably *improve* rather than detract from the
popularity of your service.

> 
> > Another thought: offer various levels of certification, based
> > on the level of documentation. E.g., one level for xeroxes of
> > id documents (you may just want to rule this out), another level 
> > for notarized copy of driver's licence, another for notarized
> > copy of d.l. and birth certificate, etc. etc.
> 
> I was thinking of issuing a signed certificate to the customer indicating 
> exactly why I signed his key.  This could be presented to other people who 
> question my signature.  As per my policy, which can be gotten via finger, I will
> sign a key iff any of the following is true:
> 
> 1. I watched him generate his key.
> 2. I know the person by sight, and can verify his key.
> 3. He proves, with picture id, in person, that the public key is his.
> 4. He sends me a photocopy of his picture id and a signed statement   
>      containing the pgp footprint of his key.
> 5. His key is signed by someone whom I trust to sign keys.

I wouldn't bother with most of these for a large-scale public service. 
#1 and #2 easily reduce to #3. #5 is something you don't want to get
involved with, since the whole point is to let people make their own
decision about whom to trust. Instead of signing keys signed by "good
signers", you're better off periodically posting lists of signers who
are known by each other to follow a certain set of standards, and leave
it at that.

Something like this is probably more practical:

1. Driver's license is presented in person to you or qualified staff.
2. Driver's license and two other ID from list are presented in person
   to you or qualified staff
3. Driver's license is presented in person to registered notary public
   and stamped certificate sent to you.
4. Driver's license and two other ID from list are presented in person
   to registered notary public and stamped certificate sent to you.

I would avoid accepting xeroxes altogether; too easy to forge.

-- 
----------------                                             /\ 
Douglas Barnes            cman@illuminati.io.com            /  \ 
Chief Wizard         (512) 448-8950 (d), 447-7866 (v)      / () \
Illuminati Online          metaverse.io.com 7777          /______\



