From: Noah Slater
To: dev@couchdb.apache.org
Date: Tue, 3 Apr 2012 22:19:18 +0100
Subject: Re: On Key Signing (was Re: [VOTE] Apache CouchDB 1.2.0 release, fifth round)

Randall,

You are free to use whatever system you want to use in determining what keys to sign. All I am doing is pointing out what is common, and what is commonly frowned upon.

A standard baseline is that you have a) met the person, 2) seen a photo ID, and d) verified cryptographically that they control the private key. The last step is usually done through exchanging signatures after the key party.

On Sat, Mar 31, 2012 at 6:23 AM, Randall Leeds wrote:

> On Fri, Mar 30, 2012 at 17:23, Jason Smith wrote:
> > You are not confirming that somebody is who he says he is. You are
> > simply confirming that he bears the key that he says he has. The
> > latter is a much simpler problem.
>
> That's precisely my point. I have a giant stack of evidence that says
> Noah bears this key.
>
> Also related to my anecdote about signing parties I've experienced,
> wherein nobody asks me to prove that I own the private key, I'll note
> it's sort of unnecessary. Signing *their* keys and publishing that
> demonstrates that I own the private keys corresponding to my identity
> of my signature. But for that first signature with an unconnected
> other, it seems like the "right" thing has nothing to do with driver's
> licenses or photo ID, but everything to do with exchanging a signed
> message over a secure channel, which is slightly more than "hey, the
> fingerprints on our screens match", which just says that you're
> talking about the same key (whose owner may or may not be present).
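The distinction the thread draws, between "our fingerprints match" (same key) and "you signed a fresh message I gave you" (you control its private key), can be shown as a small challenge-response check. The program below is an added illustration written for this archive page; it is not code from the thread, from CouchDB, or from GnuPG. It uses Ed25519 from the Go standard library in place of OpenPGP, a constructed fingerprint scheme (SHA-256 over the raw public key, not the OpenPGP fingerprint format), and function names (`Fingerprint`, `NewChallenge`, `Prove`, `VerifyPossession`) that are this example's own. It assumes the challenge and the signature travel over the kind of secure channel the thread mentions; the code only models the two checks.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Fingerprint is a constructed scheme for this example: SHA-256 over the
// raw public key, hex-encoded. OpenPGP computes fingerprints differently,
// but the comparison step is the same.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// FingerprintsMatch is the "fingerprints on our screens match" check. On its
// own it only establishes that both parties are talking about the same key.
func FingerprintsMatch(a, b string) bool { return a == b }

// Challenge is the message the verifier asks the claimant to sign. The random
// nonce stops a signature captured earlier from being replayed, and the
// context string ties the signature to this purpose rather than to some
// other document the claimant may have signed.
type Challenge struct {
	Context string
	Nonce   [32]byte
}

// NewChallenge draws a fresh nonce for one possession check.
func NewChallenge(ctx string) (Challenge, error) {
	c := Challenge{Context: ctx}
	if _, err := rand.Read(c.Nonce[:]); err != nil {
		return c, err
	}
	return c, nil
}

// Bytes is the exact byte string that gets signed and verified.
func (c Challenge) Bytes() []byte {
	return append([]byte(c.Context+"\n"), c.Nonce[:]...)
}

// Prove is the claimant's side: sign the verifier's challenge with the
// private key they say they hold.
func Prove(priv ed25519.PrivateKey, c Challenge) []byte {
	return ed25519.Sign(priv, c.Bytes())
}

// VerifyPossession is the verifier's side. The first check ties the presented
// key to the fingerprint agreed earlier (same key); the second check is what
// actually shows the private key is in the claimant's hands.
func VerifyPossession(expectedFP string, pub ed25519.PublicKey, c Challenge, sig []byte) error {
	if !FingerprintsMatch(expectedFP, Fingerprint(pub)) {
		return errors.New("fingerprint mismatch: this is not the key that was agreed on")
	}
	if !ed25519.Verify(pub, c.Bytes(), sig) {
		return errors.New("bad signature: claimant did not demonstrate control of the private key")
	}
	return nil
}

func main() {
	// Constructed keys standing in for a claimant's key pair.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	fp := Fingerprint(pub) // what the claimant reads out at the key party

	c, _ := NewChallenge("key-possession-check")
	fmt.Println("genuine holder:", VerifyPossession(fp, pub, c, Prove(priv, c)))

	// Someone who knows only the public key and its fingerprint cannot pass.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("no private key:", VerifyPossession(fp, pub, c, Prove(otherPriv, c)))
}
```

The two failure paths in `VerifyPossession` correspond to the two things the thread separates: a fingerprint mismatch means you were never discussing the same key, while a bad signature over a fresh challenge means the person in front of you does not hold the private half, however well the fingerprints matched. Each check uses a new nonce, so a signature obtained during one check proves nothing in the next.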