couchdb-dev mailing list archives

From Jason Smith <...@iriscouch.com>
Subject Re: On Key Signing (was Re: [VOTE] Apache CouchDB 1.2.0 release, fifth round)
Date Sat, 31 Mar 2012 00:23:39 GMT
You are not confirming that somebody is who he says he is. You are
simply confirming that he bears the key that he says he has. The
latter is a much simpler problem.

On Sat, Mar 31, 2012 at 5:15 AM, Randall Leeds <randall.leeds@gmail.com> wrote:
> On Fri, Mar 30, 2012 at 06:30, Noah Slater <nslater@tumbolia.org> wrote:
>> My key is signed by:
>> 85E0E79A 2011-10-19  Randall Leeds <randall@apache.org>
>>
>> I am actually a little confused why Randall has signed my key. He has never
>> met me, nor has he ever confirmed my identity, nor has he any assurances
>> that the key he signed is mine. Randall, maybe you should come to Dublin,
>> and you can make up for this faux pas? Dave, you need to do the same, if
>> you want to link our trust circles.
>
> I would love to come to Dublin. I'd totally like to make it happen
> this year. For now, I'd love to talk about this in case it's a good
> teaching moment. I'm relatively new to this and may be going about
> things in the wrong way.
>
> I have never met you. I may disagree that I have never confirmed your
> identity. Maybe I'm not sure what that actually means. Does it mean
> that you are called Noah Slater by some government authority? Do I
> care? I care that our release manager is the one signing our releases
> and the one calling our votes and that he owns the identity referenced
> by this key. I have several pieces of infrastructure and communication
> security (@apache.org email, repository access, IRC cloak, the web of
> trust with those I have met personally) that tell me this is probably
> the case as well as lots of online activity correlation that provides
> strong evidence that this is so.
>
> Therefore, I feel fairly confident stating that the actions of some
> person who is executing releases and signing code using this key are
> attributable to some Noah Slater who communicates using the associated
> email addresses and is an Apache CouchDB PMC member and release
> manager.
>
> But I think the rub is that trust and validity are different things. I
> do know, with 100% confidence, that the key I signed has been signing
> code releases. Whether it belongs to some particular Noah Slater who
> is *trusted* is a human call. More importantly, it's one that I did
> not, and perhaps should not, publicise without meeting you in person,
> though the reasons for this aren't totally clear. I locally trust you,
> but perhaps not enough to publish that trust without meeting you in
> person. To me, the faux pas is failing to recognise that a web of
> trust means that ***I do not need to sign your key to lend weight
> to its trustworthiness*** because I have done so transitively by
> signing other, nearby keys. Some subtlety here, I think, escaped me
> for a time.
>
> I believe a (much more) serious faux pas would be if I had signed your
> key and it had contained a picture. Since I have not met you I cannot
> assert that you "look like <some picture>", but the assertions I have
> made seem relatively sound. Someone wanting to know whether a tarball
> they received was actually created by our release manager can trust me
> with that assertion (if they trust me at all). Please point out where
> I'm wrong, though. I think I've been publicly overly assertive, but
> not dangerously or recklessly so. You are most likely correct that I
> should not have signed your key, but I hope you agree with my
> assessment of the situation and can offer some insight as to what,
> exactly, I gain by meeting you in person.
>
> When I meet people in person and exchange keys, they usually ask to
> see my key fingerprint and check that it's the one they're seeing. In
> other words, they verify that the key they're signing is the one I
> claim to own and they aren't being tricked by a MITM, but they don't
> actually make any other checks about who I am. They are communicating
> some notion of trust based on the social signals of the context of our
> meeting. "We met at this place, we talked about stuff, and this person
> seemed to be the person I associate with this key, so I 'trust' them."
> What does it mean to trust? It's totally human. Have I/they been doing
> it wrong?
>
> Thanks for bringing this up, Noah. Do not doubt that I thought hard
> about my decision to sign your key. I've also just reviewed the whole
> FAQ at https://www.apache.org/dev/release-signing and will
> subsequently be transitioning my key to a stronger one. I will,
> perhaps, refrain from publishing any key signings using that beyond
> those people I've personally met.
>
> -Randall



-- 
Iris Couch
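A small worked illustration of the point raised above that validity and trust are separate things, added here as an example and not code from the thread or from Apache CouchDB: it computes key validity under a simplified form of GnuPG's classic trust model, where the ownertrust levels, the defaults completes-needed=1, marginals-needed=3 and max-cert-depth=5, and the key names are all assumptions (revocation, expiry and per-user-ID validity are ignored).

```python
"""Simplified GnuPG 'classic' trust-model computation over a constructed keyring.

Assumptions (not from the thread): ownertrust levels ultimate/full/marginal/unknown,
GnuPG defaults completes-needed=1, marginals-needed=3, max-cert-depth=5,
and keys identified by plain constructed names.
"""
from dataclasses import dataclass, field

COMPLETES_NEEDED = 1   # one fully trusted signer makes a key valid
MARGINALS_NEEDED = 3   # or three marginally trusted signers
MAX_CERT_DEPTH = 5     # longest certification chain considered


@dataclass
class Key:
    name: str
    ownertrust: str = "unknown"                 # how much we trust this key's signatures
    signers: set = field(default_factory=set)   # keys that have certified this key


def compute_validity(keyring: dict) -> dict:
    """Return {key_name: 'full' | 'invalid'}. A signer only counts if it is itself
    valid AND has ownertrust assigned: validity alone lends no weight."""
    valid = {k for k, key in keyring.items() if key.ownertrust == "ultimate"}
    for _ in range(MAX_CERT_DEPTH):
        newly = set()
        for name, key in keyring.items():
            if name in valid:
                continue
            trusted = [keyring[s] for s in key.signers if s in valid]
            fulls = sum(1 for s in trusted if s.ownertrust in ("ultimate", "full"))
            margs = sum(1 for s in trusted if s.ownertrust == "marginal")
            if fulls >= COMPLETES_NEEDED or margs >= MARGINALS_NEEDED:
                newly.add(name)
        if not newly:
            break
        valid |= newly
    return {k: ("full" if k in valid else "invalid") for k in keyring}


def build_keyring(marginal_signers: int, randall_signs_noah: bool = False) -> dict:
    """Constructed keyring: 'randall' (ultimate) met and signed some keys he marked
    marginal; those keys signed 'noah'; 'noah' (no ownertrust set) signed 'dave'."""
    ring = {"randall": Key("randall", "ultimate")}
    for i in range(marginal_signers):
        ring[f"met{i}"] = Key(f"met{i}", "marginal", signers={"randall"})
    ring["noah"] = Key("noah", signers={f"met{i}" for i in range(marginal_signers)})
    if randall_signs_noah:
        ring["noah"].signers.add("randall")
    ring["dave"] = Key("dave", signers={"noah"})
    return ring
```

With three marginally trusted signers, "noah" is valid without a direct signature from "randall", while "dave" stays invalid because a valid key with no ownertrust contributes nothing; with only two such signers, "noah" becomes valid only once "randall" signs directly.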
