couchdb-dev mailing list archives

From Paul Davis <paul.joseph.da...@gmail.com>
Subject Re: On Key Signing (was Re: [VOTE] Apache CouchDB 1.2.0 release, fifth round)
Date Sat, 31 Mar 2012 01:24:27 GMT
In related news, everyone traveling to Boston should bring their PGP key hash and a photo ID
and then we can have a key signing jamboree.

http://xkcd.com/364/



On Mar 30, 2012, at 7:23 PM, Jason Smith <jhs@iriscouch.com> wrote:

> You are not confirming that somebody is who he says he is. You are
> simply confirming that he bears the key that he says he has. The
> latter is a much simpler problem.
> 
> On Sat, Mar 31, 2012 at 5:15 AM, Randall Leeds <randall.leeds@gmail.com> wrote:
>> On Fri, Mar 30, 2012 at 06:30, Noah Slater <nslater@tumbolia.org> wrote:
>>> My key is signed by:
>>> 85E0E79A 2011-10-19  Randall Leeds <randall@apache.org>
>>> 
>>> I am actually a little confused why Randall has signed my key. He has never
>>> met me, nor has he ever confirmed my identity, nor has he any assurances
>>> that the key he signed is mine. Randall, maybe you should come to Dublin,
>>> and you can make up for this faux pas? Dave, you need to do the same, if
>>> you want to link our trust circles.
>> 
>> I would love to come to Dublin. I'd totally like to make it happen
>> this year. For now, I'd love to talk about this in case it's a good
>> teaching moment. I'm relatively new to this and may be going about
>> things in the wrong way.
>> 
>> I have never met you. I may disagree that I have never confirmed your
>> identity. Maybe I'm not sure what that actually means. Does it mean
>> that you are called Noah Slater by some government authority? Do I
>> care? I care that our release manager is the one signing our releases
>> and the one calling our votes and that he owns the identity referenced
>> by this key. I have several pieces of infrastructure and communication
>> security (@apache.org email, repository access, IRC cloak, the web of
>> trust with those I have met personally) that tell me this is probably
>> the case as well as lots of online activity correlation that provides
>> strong evidence that this is so.
>> 
>> Therefore, I feel fairly confident stating that the actions of some
>> person who is executing releases and signing code using this key are
>> attributable to some Noah Slater who communicates using the associated
>> email addresses and is an Apache CouchDB PMC member and release
>> manager.
>> 
>> But I think the rub is that trust and validity are different things. I
>> do know, with 100% confidence, that the key I signed has been signing
>> code releases. Whether it belongs to some particular Noah Slater who
>> is *trusted* is a human call. More importantly, it's one that I did
>> not, and perhaps should not, publicise without meeting you in person,
>> though the reasons for this aren't totally clear. I locally trust you,
>> but perhaps not enough to publish that trust without meeting you in
>> person. To me, the faux pas is failing to recognise that a web of
>> trust means that ***I do not need to sign your key to lend weight
>> to its trustworthiness*** because I have done so transitively by
>> signing other, nearby keys. Some subtlety here, I think, escaped me
>> for a time.
>> 
>> I believe a (much more) serious faux pas would be if I had signed your
>> key and it had contained a picture. Since I have not met you I cannot
>> assert that you "look like <some picture>", but the assertions I have
>> made seem relatively sound. Someone wanting to know whether a tarball
>> they received was actually created by our release manager can trust me
>> with that assertion (if they trust me at all). Please point out where
>> I'm wrong, though. I think I've been publicly overly assertive, but
>> not dangerously or recklessly so. You are most likely correct that I
>> should not have signed your key, but I hope you agree with my
>> assessment of the situation and can offer some insight as to what,
>> exactly, I gain by meeting you in person.
>> 
>> When I meet people in person and exchange keys, they usually ask to
>> see my key fingerprint and check that it's the one they're seeing. In
>> other words, they verify that the key they're signing is the one I
>> claim to own and they aren't being tricked by a MITM, but they don't
>> actually make any other checks about who I am. They are communicating
>> some notion of trust based on the social signals of the context of our
>> meeting. "We met at this place, we talked about stuff, and this person
>> seemed to be the person I associate with this key, so I 'trust' them."
>> What does it mean to trust? It's totally human. Have I/they been doing
>> it wrong?
>> 
>> Thanks for bringing this up, Noah. Do not doubt that I thought hard
>> about my decision to sign your key. I've also just reviewed the whole
>> FAQ at https://www.apache.org/dev/release-signing and will
>> subsequently be transitioning my key to a stronger one. I will,
>> perhaps, refrain from publishing any key signings using that beyond
>> those people I've personally met.
>> 
>> -Randall
> 
> 
> 
> -- 
> Iris Couch
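The trust-versus-validity distinction Randall draws above, and his point that a key can become trustworthy transitively without him signing it, can be made concrete with a small model of the classic PGP/GnuPG trust computation. This is an added example, not code from the thread or from GnuPG; the key names ("randall", "dave", "noah", "jason", "a", "b", "c", "me", "target", "weak") and the certification graphs are constructed for illustration, and the thresholds are GnuPG's documented defaults (one fully trusted signer or three marginally trusted ones, up to five certification levels deep).

```python
"""Toy model of the PGP/GnuPG web-of-trust validity calculation.

Added example, not code from the CouchDB thread or from GnuPG.  It models
the classic trust model: key *validity* (do we believe this key belongs to
the person it names?) is derived from certifications (key signatures) plus
the *ownertrust* we assign to each signer (how far we trust that signer to
certify other people's keys).  Key names and graphs are constructed.
"""

from enum import IntEnum


class Trust(IntEnum):
    """Ownertrust levels, as in GnuPG's 'trust' command."""
    UNKNOWN = 0
    NONE = 1
    MARGINAL = 2
    FULL = 3
    ULTIMATE = 4


MARGINALS_NEEDED = 3   # GnuPG default: --marginals-needed 3
COMPLETES_NEEDED = 1   # GnuPG default: --completes-needed 1
MAX_CERT_DEPTH = 5     # GnuPG default: --max-cert-depth 5


def compute_validity(certifications, ownertrust):
    """Return {key: bool} saying which keys are valid.

    certifications: {signed_key: {signer_key, ...}}  (who certified whom)
    ownertrust:     {key: Trust}                     (our opinion of signers)

    Ultimately trusted keys (our own) are valid at depth 0.  Each further
    pass validates a key that carries certifications from at least
    COMPLETES_NEEDED fully trusted valid keys or MARGINALS_NEEDED
    marginally trusted valid keys.  Only keys already valid in the previous
    pass count, which is what bounds the certification depth.
    """
    keys = set(certifications) | set(ownertrust)
    for signers in certifications.values():
        keys |= signers
    valid = {k: ownertrust.get(k, Trust.UNKNOWN) == Trust.ULTIMATE for k in keys}

    for _depth in range(MAX_CERT_DEPTH):
        prev = dict(valid)          # snapshot: one certification level per pass
        changed = False
        for key in keys:
            if prev[key]:
                continue
            full = marginal = 0
            for signer in certifications.get(key, set()):
                if signer == key or not prev[signer]:
                    continue        # self-signatures and unvalidated signers carry no weight
                t = ownertrust.get(signer, Trust.UNKNOWN)
                if t >= Trust.FULL:
                    full += 1
                elif t == Trust.MARGINAL:
                    marginal += 1
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                valid[key] = True
                changed = True
        if not changed:
            break
    return valid


def thread_scenario():
    """The situation in the thread, as a constructed graph.

    'randall' is our own key.  Randall has met Dave, signed his key, and
    trusts him fully as an introducer.  Dave has met Noah and signed Noah's
    key.  Randall has never met Noah and has not signed Noah's key.  Noah has
    signed Jason's key, but Randall has assigned Noah no ownertrust.
    """
    certs = {
        "dave": {"randall"},
        "noah": {"dave"},
        "jason": {"noah"},
    }
    ownertrust = {"randall": Trust.ULTIMATE, "dave": Trust.FULL}
    return compute_validity(certs, ownertrust)


def marginal_scenario():
    """Three marginally trusted signers suffice; two do not (constructed)."""
    certs = {
        "a": {"me"}, "b": {"me"}, "c": {"me"},
        "target": {"a", "b", "c"},
        "weak": {"a", "b"},
    }
    ownertrust = {"me": Trust.ULTIMATE,
                  "a": Trust.MARGINAL, "b": Trust.MARGINAL, "c": Trust.MARGINAL}
    return compute_validity(certs, ownertrust)


if __name__ == "__main__":
    for name, result in (("thread", thread_scenario()), ("marginal", marginal_scenario())):
        print(name, {k: v for k, v in sorted(result.items())})
```

In the thread scenario Noah's key comes out valid even though Randall never signed it, which is the transitive effect Randall describes: his signature on Dave's key plus full ownertrust in Dave is enough. Jason's key does not become valid, because validity of Noah's key says nothing about how much Randall trusts Noah as an introducer; that is the trust-versus-validity split. In GnuPG terms, a certification you are willing to act on but not publish is made with `gpg --lsign-key` (a local, non-exportable signature that only your own trustdb sees) rather than `gpg --sign-key`; ownertrust is set with the `trust` command inside `gpg --edit-key`; and the fingerprint people compare in person is printed by `gpg --fingerprint`.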
