couchdb-dev mailing list archives

From Noah Slater <>
Subject Re: On Key Signing (was Re: [VOTE] Apache CouchDB 1.2.0 release, fifth round)
Date Tue, 03 Apr 2012 21:19:18 GMT

You are free to use whatever system you want to use in determining what
keys to sign. All I am doing is pointing out what is common, and what is
commonly frowned upon. A standard baseline is that you have a) met the
person, b) seen a photo ID, and c) verified cryptographically that
they control the private key. The last step is usually done through
exchanging signatures after the key party.

On Sat, Mar 31, 2012 at 6:23 AM, Randall Leeds <> wrote:

> On Fri, Mar 30, 2012 at 17:23, Jason Smith <> wrote:
> > You are not confirming that somebody is who he says he is. You are
> > simply confirming that he bears the key that he says he has. The
> > latter is a much simpler problem.
> That's precisely my point. I have a giant stack of evidence that says
> Noah bears this key.
> Also related to my anecdote about signing parties I've experienced,
> wherein nobody asks me to prove that I own the private key, I'll note
> it's sort of unnecessary. Signing *their* keys and publishing that
> demonstrates that I own the private keys corresponding to my identity
> of my signature. But for that first signature with an unconnected
> other, it seems like the "right" thing has nothing to do with driver's
> licenses or photo ID, but everything to do with exchanging a signed
> message over a secure channel, which is slightly more than "hey, the
> fingerprints on our screens match", which just says that you're
> talking about the same key (whose owner may or may not be present).
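The distinction drawn in this thread, between "the fingerprints on our screens match" and "the person in front of me controls the private key", can be shown in code. The following is an added illustration, not anything from the CouchDB project or from the people on this thread; it uses Ed25519 from Go's standard library in place of OpenPGP, and a SHA-256 of the public key as a stand-in for the fingerprint that would be compared in person. The verifier accepts a key only when both the in-person fingerprint comparison and a signature over a challenge the verifier chose succeed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// fingerprint returns a hex SHA-256 of the raw public key. This stands in for
// the OpenPGP fingerprint that people read off each other's screens.
func fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// newChallenge returns a fresh random nonce. Reusing a nonce would let an old
// signature be replayed as "proof" of control.
func newChallenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return nonce, nil
}

// challengeMessage binds the nonce to a fixed context string so the resulting
// signature cannot be mistaken for a signature over some other document.
func challengeMessage(nonce []byte) []byte {
	return append([]byte("key-signing-proof-of-control:"), nonce...)
}

// proveControl is run by the key holder: sign the verifier's challenge.
func proveControl(priv ed25519.PrivateKey, nonce []byte) []byte {
	return ed25519.Sign(priv, challengeMessage(nonce))
}

// verifyControl is run by the person deciding whether to sign the key. Both
// checks must pass: the key is the one whose fingerprint was compared in
// person, AND its holder produced a valid signature over our own challenge.
func verifyControl(seenFingerprint string, pub ed25519.PublicKey, nonce, sig []byte) bool {
	fpMatches := subtle.ConstantTimeCompare([]byte(seenFingerprint), []byte(fingerprint(pub))) == 1
	sigValid := ed25519.Verify(pub, challengeMessage(nonce), sig)
	return fpMatches && sigValid
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	seen := fingerprint(pub) // what was compared on screen at the party
	nonce, _ := newChallenge()
	sig := proveControl(priv, nonce)
	fmt.Println("fingerprint match + valid signature:", verifyControl(seen, pub, nonce, sig))

	// The failure mode from the thread: a matching fingerprint alone does not
	// show the holder is present. Someone with only the public key cannot sign.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	badSig := proveControl(otherPriv, nonce)
	fmt.Println("fingerprint match but wrong signer:", verifyControl(seen, pub, nonce, badSig))

	// A fresh challenge rejects a signature captured from an earlier exchange.
	nonce2, _ := newChallenge()
	fmt.Println("replayed signature on new challenge:", verifyControl(seen, pub, nonce2, sig))
}
```

The fingerprint check is what the in-person comparison already gives you; the challenge signature is the "signed message over a secure channel" step, and choosing the nonce yourself is what makes a replayed signature worthless.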
