From: Paul Davis
Subject: Re: On Key Signing (was Re: [VOTE] Apache CouchDB 1.2.0 release, fifth round)
Date: Fri, 30 Mar 2012 20:24:27 -0500
To: "dev@couchdb.apache.org"

In related news, everyone traveling to Boston should bring their PGP key hash and a photo ID and then we can have a key signing jamboree.

http://xkcd.com/364/

On Mar 30, 2012, at 7:23 PM, Jason Smith wrote:

> You are not confirming that somebody is who he says he is. You are
> simply confirming that he bears the key that he says he has. The
> latter is a much simpler problem.
>
> On Sat, Mar 31, 2012 at 5:15 AM, Randall Leeds wrote:
>> On Fri, Mar 30, 2012 at 06:30, Noah Slater wrote:
>>> My key is signed by:
>>> 85E0E79A 2011-10-19 Randall Leeds
>>>
>>> I am actually a little confused why Randall has signed my key. He has never
>>> met me, nor has he ever confirmed my identity, nor has he any assurances
>>> that the key he signed is mine. Randall, maybe you should come to Dublin,
>>> and you can make up for this faux pas? Dave, you need to do the same, if
>>> you want to link our trust circles.
>>
>> I would love to come to Dublin. I'd totally like to make it happen
>> this year. For now, I'd love to talk about this in case it's a good
>> teaching moment.
>> I'm relatively new to this and may be going about
>> things in the wrong way.
>>
>> I have never met you. I may disagree that I have never confirmed your
>> identity. Maybe I'm not sure what that actually means. Does it mean
>> that you are called Noah Slater by some government authority? Do I
>> care? I care that our release manager is the one signing our releases
>> and the one calling our votes and that he owns the identity referenced
>> by this key. I have several pieces of infrastructure and communication
>> security (@apache.org email, repository access, IRC cloak, the web of
>> trust with those I have met personally) that tell me this is probably
>> the case as well as lots of online activity correlation that provides
>> strong evidence that this is so.
>>
>> Therefore, I feel fairly confident stating that the actions of some
>> person who is executing releases and signing code using this key are
>> attributable to some Noah Slater who communicates using the associated
>> email addresses and is an Apache CouchDB PMC member and release
>> manager.
>>
>> But I think the rub is that trust and validity are different things. I
>> do know, with 100% confidence, that the key I signed has been signing
>> code releases. Whether it belongs to some particular Noah Slater who
>> is *trusted* is a human call. More importantly, it's one that I did
>> not, and perhaps should not, publicise without meeting you in person,
>> though the reasons for this aren't totally clear. I locally trust you,
>> but perhaps not enough to publish that trust without meeting you in
>> person. To me, the faux pas is failing to recognise that a web of
>> trust means that ***I do not need to sign your key to lend weight
>> to its trustworthiness*** because I have done so transitively by
>> signing other, nearby keys. Some subtlety here, I think, escaped me
>> for a time.
>>
>> I believe a (much more) serious faux pas would be if I had signed your
>> key and it had contained a picture. Since I have not met you I cannot
>> assert that you "look like ", but the assertions I have
>> made seem relatively sound. Someone wanting to know whether a tarball
>> they received was actually created by our release manager can trust me
>> with that assertion (if they trust me at all). Please point out where
>> I'm wrong, though. I think I've been publicly overly assertive, but
>> not dangerously or recklessly so. You are most likely correct that I
>> should not have signed your key, but I hope you agree with my
>> assessment of the situation and can offer some insight as to what,
>> exactly, I gain by meeting you in person.
>>
>> When I meet people in person and exchange keys, they usually ask to
>> see my key fingerprint and check that it's the one they're seeing. In
>> other words, they verify that the key they're signing is the one I
>> claim to own and they aren't being tricked by a MITM, but they don't
>> actually make any other checks about who I am. They are communicating
>> some notion of trust based on the social signals of the context of our
>> meeting. "We met at this place, we talked about stuff, and this person
>> seemed to be the person I associate with this key, so I 'trust' them."
>> What does it mean to trust? It's totally human. Have I/they been doing
>> it wrong?
>>
>> Thanks for bringing this up, Noah. Do not doubt that I thought hard
>> about my decision to sign your key. I've also just reviewed the whole
>> FAQ at https://www.apache.org/dev/release-signing and will
>> subsequently be transitioning my key to a stronger one. I will,
>> perhaps, refrain from publishing any key signings using that beyond
>> those people I've personally met.
>>
>> -Randall
>
>
>
> --
> Iris Couch
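
An added illustration, not part of the original thread, of the trust/validity distinction and the transitive effect discussed in the quoted message. It uses a simplified form of GnuPG's classic trust model (one fully trusted or three marginally trusted signers, path length at most five); the key names and signature graph are constructed for the example.

```python
FULL, MARGINAL = "full", "marginal"

def valid_keys(me, signatures, ownertrust,
               completes_needed=1, marginals_needed=3, max_depth=5):
    """Return {key: depth} for every key that is *valid* from `me`'s viewpoint.

    signatures: key -> set of keys that certified it (public data).
    ownertrust: key -> FULL or MARGINAL, a local, human judgement about how
                far that key's owner is trusted to certify other keys.
    """
    valid = {me: 0}
    for depth in range(1, max_depth + 1):
        newly = {}
        for key, signers in signatures.items():
            if key in valid:
                continue
            # A certification only counts if the signing key is itself valid.
            usable = [s for s in signers if s in valid]
            full = sum(ownertrust.get(s) == FULL for s in usable)
            marginal = sum(ownertrust.get(s) == MARGINAL for s in usable)
            if me in usable or full >= completes_needed or marginal >= marginals_needed:
                newly[key] = depth
        if not newly:
            break
        valid.update(newly)
    return valid

# Constructed graph: "me" verified four fingerprints in person and signed them.
SIGS = {
    "introducer": {"me"}, "m1": {"me"}, "m2": {"me"}, "m3": {"me"},
    "release_manager": {"introducer"},   # never signed by "me" directly
    "stranger": {"release_manager"},     # certified only by the release manager
    "contributor": {"m1", "m2"},         # two marginal signers: not enough
}
TRUST = {"introducer": FULL, "m1": MARGINAL, "m2": MARGINAL, "m3": MARGINAL}

if __name__ == "__main__":
    for key, depth in sorted(valid_keys("me", SIGS, TRUST).items()):
        print(f"{key}: valid at depth {depth}")
```

The release manager's key becomes valid through the introducer without a direct signature, while "stranger" stays unvalidated: a valid key carries no owner trust until someone assigns it locally.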