[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [atlarge-discuss] online voting



On Thu, May 16, 2002 at 03:01:38PM +0200, Vittorio Bertola wrote:
> On 16 May 2002 12:02:15 +0200, you wrote:

> >> In your process, how do you distribute the PGP keys? Once voters have
> >> a key, you can be sure that the vote is theirs, but how do you
> >> identify a new person who has to be given a key, and how do you verify
> >> his/her identity?

> >a requirement for a new debian developer is to have his gpg key signed
> >by a full developer. we have quite a big web of trust in debian.

> So, to apply this system to ICANN, we would have to build the At Large
> membership by cooptation, ie each new member would have to be
> introduced by another one. This could be somewhat interesting, but I
> guess it could be not open enough for our scale and purposes.

Debian has chosen this particular method because it's consistent with
our goals as a community: a PGP web of trust maps closely onto the
relationships that have to exist among us as developers of an operating
system.  For ICANN, I'm pretty sure that this does not apply; so
requiring all PGP keys to be signed by someone already in ICANN is
probably not the way to go about it.  You can choose a different method
that provides the right balance of security and convenience for your
organization.  You might accept PGP keys with only email verification,
you might accept them printed out and sent by normal mail, you might
accept keys that have been signed into the global web of trust.  Each
approach offers a different degree of authenticity, and carries with it
a different degree of overhead.

Steve Langasek
postmodern programmer

PGP signature