couchdb-dev mailing list archives

From Randall Leeds <randall.le...@gmail.com>
Subject On Key Signing (was Re: [VOTE] Apache CouchDB 1.2.0 release, fifth round)
Date Fri, 30 Mar 2012 22:15:18 GMT
On Fri, Mar 30, 2012 at 06:30, Noah Slater <nslater@tumbolia.org> wrote:
> My key is signed by:
> 85E0E79A 2011-10-19  Randall Leeds <randall@apache.org>
>
> I am actually a little confused why Randall has signed my key. He has never
> met me, nor has he ever confirmed my identity, nor has he any assurances
> that the key he signed is mine. Randall, maybe you should come to Dublin,
> and you can make up for this faux pas? Dave, you need to do the same, if
> you want to link our trust circles.

I would love to come to Dublin. I'd totally like to make it happen
this year. For now, I'd love to talk about this in case it's a good
teaching moment. I'm relatively new to this and may be going about
things in the wrong way.

I have never met you. I may disagree that I have never confirmed your
identity. Maybe I'm not sure what that actually means. Does it mean
that you are called Noah Slater by some government authority? Do I
care? I care that our release manager is the one signing our releases
and the one calling our votes and that he owns the identity referenced
by this key. I have several pieces of infrastructure and communication
security (@apache.org email, repository access, IRC cloak, the web of
trust with those I have met personally) that tell me this is probably
the case as well as lots of online activity correlation that provides
strong evidence that this is so.

Therefore, I feel fairly confident stating that the actions of some
person who is executing releases and signing code using this key are
attributable to some Noah Slater who communicates using the associated
email addresses and is an Apache CouchDB PMC member and release
manager.

But I think the rub is that trust and validity are different things. I
do know, with 100% confidence, that the key I signed has been signing
code releases. Whether it belongs to some particular Noah Slater who
is *trusted* is a human call. More importantly, it's one that I did
not, and perhaps should not, publicise without meeting you in person,
though the reasons for this aren't totally clear. I locally trust you,
but perhaps not enough to publish that trust without meeting you in
person. To me, the faux pas is failing to recognise that a web of
trust means that ***I do not need to sign your key to lend weight
to its trustworthiness*** because I have done so transitively by
signing other, nearby keys. Some subtlety here, I think, escaped me
for a time.

I believe a (much more) serious faux pas would be if I had signed your
key and it had contained a picture. Since I have not met you I cannot
assert that you "look like <some picture>", but the assertions I have
made seem relatively sound. Someone wanting to know whether a tarball
they received was actually created by our release manager can trust me
with that assertion (if they trust me at all). Please point out where
I'm wrong, though. I think I've been publicly overly assertive, but
not dangerously or recklessly so. You are most likely correct that I
should not have signed your key, but I hope you agree with my
assessment of the situation and can offer some insight as to what,
exactly, I gain by meeting you in person.

When I meet people in person and exchange keys, they usually ask to
see my key fingerprint and check that it's the one they're seeing. In
other words, they verify that the key they're signing is the one I
claim to own and they aren't being tricked by a MITM, but they don't
actually make any other checks about who I am. They are communicating
some notion of trust based on the social signals of the context of our
meeting. "We met at this place, we talked about stuff, and this person
seemed to be the person I associate with this key, so I 'trust' them."
What does it mean to trust? It's totally human. Have I/they been doing
it wrong?

Thanks for bringing this up, Noah. Do not doubt that I thought hard
about my decision to sign your key. I've also just reviewed the whole
FAQ at https://www.apache.org/dev/release-signing and will
subsequently be transitioning my key to a stronger one. I will,
perhaps, refrain from publishing any key signings using that beyond
those people I've personally met.

-Randall
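The distinction the mail draws between trust and validity, and the claim that a signature on nearby keys lends weight transitively, is exactly what GnuPG's classic trust model computes. The following is an added example, not code from the mail, the thread or the CouchDB project: a simplified Python model of that computation using GnuPG's defaults (one fully trusted introducer or three marginally trusted ones, certification chains of at most five steps). The keyring, the names and the ownertrust values are constructed for the illustration; the release manager key `rm` never carries a signature from `me`, yet becomes fully valid through keys `me` did sign.

```python
"""Simplified model of GnuPG's classic web-of-trust validity calculation.

Added illustration for the trust-versus-validity point in the mail above; it is
not code from the CouchDB project or from the mail's author. The keyring below
(names, signatures, ownertrust) is constructed for the example.
"""

# GnuPG defaults for the classic trust model (gpg --completes-needed,
# --marginals-needed, --max-cert-depth).
COMPLETES_NEEDED = 1   # one fully trusted introducer is enough
MARGINALS_NEEDED = 3   # or three marginally trusted introducers
MAX_CERT_DEPTH = 5     # longest certification chain counted back to our own key


def compute_validity(signatures, ownertrust,
                     completes_needed=COMPLETES_NEEDED,
                     marginals_needed=MARGINALS_NEEDED,
                     max_cert_depth=MAX_CERT_DEPTH):
    """Return {key: validity}, validity being "full", "marginal" or "unknown".

    signatures: {key: set of keys that certified (signed) that key}
    ownertrust: {key: "ultimate" | "full" | "marginal" | "never" | "unknown"},
                the local, private judgement of how carefully that key's owner
                checks others before signing. It only takes effect once the
                key itself has been found valid.
    """
    keys = set(signatures) | set(ownertrust)
    for signers in signatures.values():
        keys |= signers
    validity = {k: "unknown" for k in keys}

    # Depth 0: our own (ultimately trusted) keys are valid by definition and
    # are the only introducers available to start with.
    introducers = {k for k, t in ownertrust.items() if t == "ultimate"}
    for k in introducers:
        validity[k] = "full"

    for _depth in range(1, max_cert_depth + 1):
        newly_valid = set()
        for key in keys:
            if validity[key] == "full":
                continue
            # Only signatures from keys that are already fully valid count,
            # and each counts according to the signer's ownertrust.
            signers = signatures.get(key, set()) & introducers
            full = sum(1 for s in signers if ownertrust.get(s) in ("full", "ultimate"))
            marginal = sum(1 for s in signers if ownertrust.get(s) == "marginal")
            if full >= completes_needed or marginal >= marginals_needed:
                validity[key] = "full"
                newly_valid.add(key)
            elif full or marginal:
                validity[key] = "marginal"
        if not newly_valid:
            break
        # Keys validated at this depth may introduce others at the next one.
        introducers |= newly_valid
    return validity


# Constructed keyring: "me" signed the keys of alice, bob and carol after
# meeting them; the release manager's key "rm" carries only their signatures,
# never one from "me"; "stranger" is known only through "rm".
SIGNATURES = {
    "alice": {"me"},
    "bob": {"me"},
    "carol": {"me"},
    "rm": {"alice", "bob", "carol"},
    "stranger": {"rm"},
}


def scenario(alice="full", bob="marginal", carol="marginal", rm="marginal"):
    """Validity of every key under one (constructed) ownertrust assignment."""
    ownertrust = {"me": "ultimate", "alice": alice, "bob": bob,
                  "carol": carol, "rm": rm}
    return compute_validity(SIGNATURES, ownertrust)


if __name__ == "__main__":
    # One fully trusted introducer (alice) makes "rm" fully valid although
    # "me" never signed it: the weight comes transitively from nearby keys.
    print(scenario())
    # Three marginal introducers reach the same result.
    print(scenario(alice="marginal"))
    # Two marginal introducers do not, and "rm" cannot then vouch for "stranger".
    print(scenario(alice="marginal", carol="unknown"))
```

Two points the model makes visible: a signature is a public statement ("I checked that this key belongs to this person"), while ownertrust is a private, local setting that is never published and never leaves the keyring, so withholding a signature on the release manager's key changes nothing for anyone who already trusts the signer's other certifications; and a key whose owner has no ownertrust assigned (`carol` in the last scenario) stays fully valid itself but contributes nothing to the keys it has signed.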
