couchdb-dev mailing list archives

From Randall Leeds <randall.le...@gmail.com>
Subject Re: On Key Signing (was Re: [VOTE] Apache CouchDB 1.2.0 release, fifth round)
Date Fri, 30 Mar 2012 22:41:02 GMT
On Fri, Mar 30, 2012 at 15:15, Randall Leeds <randall.leeds@gmail.com> wrote:
> On Fri, Mar 30, 2012 at 06:30, Noah Slater <nslater@tumbolia.org> wrote:
>> My key is signed by:
>> 85E0E79A 2011-10-19  Randall Leeds <randall@apache.org>
>>
> not dangerously or recklessly so. You are most likely correct that I
> should not have signed your key, but I hope you agree with my
> assessment of the situation and can offer some insight as to what,
> exactly, I gain by meeting you in person.

I'm wondering if I can answer my own question here. I have a feeling
it has to do with legal liability for releasing software on behalf of
the ASF. In that case, having some confidence that you not only own
your email addresses but also your face and person who is also a legal
citizen that can be held accountable for misbehaving seems prudent.
Basically, I'm rejecting the notion that PGP demands we meet in person
in order to trust each other's identities, but admitting that perhaps
the needs of the ASF demand that I not trust you to sign code unless I
verify that you are a legal person that can be held accountable for
misdeeds.

My crime, then, was against the ASF, not the web of trust at large. Perhaps?
I'll see about revoking just that signature, if it's possible.

-R

>
> When I meet people in person and exchange keys, they usually ask to
> see my key fingerprint and check that it's the one they're seeing. In
> other words, they verify that the key they're signing is the one I
> claim to own and they aren't being tricked by a MITM, but they don't
> actually make any other checks about who I am. They are communicating
> some notion of trust based on the social signals of the context of our
> meeting. "We met at this place, we talked about stuff, and this person
> seemed to be the person I associate with this key, so I 'trust' them."
> What does it mean to trust? It's totally human. Have I/they been doing
> it wrong?
>
> Thanks for bringing this up, Noah. Do not doubt that I thought hard
> about my decision to sign your key. I've also just reviewed the whole
> FAQ at https://www.apache.org/dev/release-signing and will
> subsequently be transitioning my key to a stronger one. I will,
> perhaps, refrain from publishing any key signings using that beyond
> those people I've personally met.
>
> -Randall
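
The fingerprint check described in the quoted paragraph above, as an added
example that is not code from the CouchDB project or from either author of
this thread: it implements the OpenPGP v4 fingerprint rule (RFC 4880, section
12.2) over a constructed RSA public-key packet, derives the 64-bit and 32-bit
key IDs from it (the 8-hex-digit form "85E0E79A" quoted earlier is the 32-bit
one), and shows by a birthday search that two keys can share a 32-bit ID, which
is why a signer at a key-signing compares the full fingerprint and not the ID.
The key material (TOY_N, TOY_E, TOY_CREATED) is made up for illustration and
is far too small to be a real key; only the packet encoding matters here.

```python
"""Added example (not the mail author's or the project's code): what an
in-person key-signing fingerprint check compares, following RFC 4880 12.2.
All key material below is constructed for illustration and is not a real key."""
import hashlib
import hmac
import struct

# Constructed toy key: a small odd "modulus", the usual exponent 65537, and an
# arbitrarily chosen creation time (a date in October 2011).
TOY_N = 0xC3A51F77B2E94D01
TOY_E = 0x010001
TOY_CREATED = 1319000000


def mpi(value: int) -> bytes:
    """Encode a non-negative integer as an OpenPGP MPI: a 2-octet bit length,
    then the big-endian magnitude without leading zero octets (RFC 4880 3.2)."""
    if value == 0:
        return b"\x00\x00"
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def rsa_public_key_body(n: int, e: int, created: int) -> bytes:
    """Body of a v4 public-key packet for algorithm 1 (RSA): version octet,
    4-octet creation time, algorithm id, then the MPIs n and e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> str:
    """SHA-1 over 0x99, the 2-octet body length and the body itself,
    rendered as 40 upper-case hex digits (RFC 4880 12.2)."""
    digest = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()
    return digest.hex().upper()


def long_key_id(fingerprint: str) -> str:
    """The 64-bit key ID is the low 64 bits (last 16 hex digits) of the fingerprint."""
    return fingerprint[-16:]


def short_key_id(fingerprint: str) -> str:
    """The 32-bit 'short' ID, the form quoted in the mail, is the last 8 hex digits."""
    return fingerprint[-8:]


def fingerprints_match(shown: str, expected: str) -> bool:
    """The check made at a key signing: the fingerprint the other party reads
    out (usually grouped in blocks of four) must equal the full 40-digit value
    computed from the key about to be signed.  Spacing and case are normalised;
    anything shorter than a full fingerprint (such as a key ID) is rejected."""
    a = "".join(shown.split()).upper()
    b = "".join(expected.split()).upper()
    if len(a) != 40 or len(b) != 40:
        return False
    return hmac.compare_digest(a, b)


def find_short_id_collision(n: int, e: int, max_tries: int = 400_000):
    """Birthday-search over the creation-time field for two otherwise identical
    keys whose 32-bit short IDs coincide.  Expected to succeed after roughly
    2**16 tries, which is why a short ID identifies nothing on its own.
    Returns the two packet bodies, or None if max_tries is exhausted."""
    seen = {}
    for created in range(max_tries):
        body = rsa_public_key_body(n, e, created)
        # Same hash as v4_fingerprint, kept as raw bytes to avoid hex conversion.
        digest = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()
        tail = digest[-4:]
        if tail in seen:
            return seen[tail], body
        seen[tail] = body
    return None


if __name__ == "__main__":
    body = rsa_public_key_body(TOY_N, TOY_E, TOY_CREATED)
    fpr = v4_fingerprint(body)
    print("fingerprint :", " ".join(fpr[i:i + 4] for i in range(0, 40, 4)))
    print("long key id :", long_key_id(fpr))
    print("short key id:", short_key_id(fpr))
    a, b = find_short_id_collision(TOY_N, TOY_E)
    print("two packets sharing short id", short_key_id(v4_fingerprint(a)),
          "with different fingerprints:", v4_fingerprint(a) != v4_fingerprint(b))
```

The collision search only varies the creation time, so the two colliding
packets differ in a field that a verifier comparing short IDs would never
see; comparing the full fingerprint, as the quoted paragraph describes, is
what actually rules out a substituted key.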
