response 142 of 184:

Sep 10 11:34 UTC 2002

Re #139:  You can "take" names and addresses, but how do you know that
they belong to the person requesting access?   I could give you a thousand
names and addresses out of the phone book; it wouldn't mean anything.

If the person making the request obviously had possession of some official
document such as a driver's license (because they were able to copy it),
we've handled that issue.  

response 144 of 184:

Sep 10 12:29 UTC 2002

So is anybody going to enter a proposal, or we going to just argue the same
things over and over?

response 148 of 184:

Sep 10 18:13 UTC 2002

I agree

response 150 of 184:

Sep 10 18:49 UTC 2002

Something like that. It sounds weird, but if grex is not going to be actually
verifying that id, I really don't see the point in collecting and storing that
id. 

response 152 of 184:

Sep 10 19:00 UTC 2002

I think he meant no telnet for people who don't pay. Its not a good idea
giving *every* newuser telnet. Get it?

response 154 of 184:

Sep 10 19:43 UTC 2002

   The reason for asking for ID and not verifying it is a balance between
trying to do something to protect ourselves, but not get some encumbered
in the process that we spend all our time trying to authenticate people
do not do anything else.  We also ask for id as a form of vandal protection;
once they hear of the request for ID, the vast majority shy away.

   I don't think Grex is overbearing in its requests on this, and I don't
think we need to change much.  I haven't read the entire set of responses
however, so I'll do that now.

response 156 of 184:

Sep 10 20:28 UTC 2002

All we do is tell the police what we know, which is that the person who
paid for a particular membership sent us a particular ID.

There is no way to tell who uses a paricular account.  Even if we carried
out some elaborate check to see that the ID we received actually came from
the person it describes, they can still allow someone else to use their
account, or be careless with their password, or what have you.

So there is no absolute security.  There are only compromises.  Grex has
made one, with its policy; it's not the only one possible, but it has served
us pretty well so far, I think.

response 158 of 184:

Sep 11 03:45 UTC 2002

Re #143:  Sapna, we don't *know* that the person making the application
is the person named on the license.  However, we do know that the
applicant *had possession of* the license.  Unless the licensee's wallet
was stolen (and maybe even if it was), the licensee could probably give
investigators a good idea of who made the application.  Other forensic
data (such as IP addresses) can exonerate an innocent licensee and finger
the actual guilty party.

If Grex can point investigators down the line, we've carried out our
obligation (and done a pretty good job of deterring vandals).

response 162 of 184:

Sep 11 05:26 UTC 2002

I don't think that's such a bad question.  (#160, that is.)  As has been
nearly beaten to death in this and previous items, we collect and retain ID
for two reasons.  First, to make a reasonable effort to ensure that one person
can't get two voting memberships, and second, to be able to produce some
information about the people we give certain kinds of access to.  I think
these are reasonable, worthwhile goals.  If they can be accomplished without
collecting ID, then it would be worth trying to do so.  However, I'm
skeptical.  I imagine it may be possible, even likely, that system logs
contain enough information to nullify the second reason, but I don't see how
they can satisfy the demands of the first goal.  So I think we shouldn't
change ID policy unless and until we can come up with a way to make reasonably
sure that people can't get more than one voting membership.  Or,
alternatively, decide that we don't care about that.  

response 164 of 184:

Sep 11 16:05 UTC 2002

resp:159 - Okay, I'll bite.  If you didn't care, why were you making 
such a big fuss about this?