incubator-general mailing list archives

From Marvin Humphrey <mar...@rectangular.com>
Subject Re: key signing
Date Wed, 10 Oct 2012 15:37:49 GMT
On Wed, Oct 10, 2012 at 7:19 AM, Nick Kew <nick@webthing.com> wrote:
>
> On 10 Oct 2012, at 12:20, Benson Margulies wrote:
>
>> Nick: On the one hand, how is trusting the Apache process better or
>> worse than trusting the State of Massachusetts?
>
> When I sign a key I'm basing it on more information than that.

Exactly -- certainty increases linearly as the strength of any one factor
improves, but increases exponentially with the addition of multiple factors.

Weak:

      amateur inspection of photo ID

Stronger, but depends on trust in third parties:

      amateur inspection of photo ID
    + third party testimonials

Stronger still:

      amateur inspection of photo ID
    + third party testimonials
    + permanent archived video (to discourage impersonation)
    + verification of Apache credentials

> Either it's a one-off, when I have additional knowledge of someone:
> e.g. a personal or working relationship.  Or it's a keysigning party,
> when I'm one of many.  In the latter case, if I'm signing keys at
> ApacheCon and someone I've never met identifies himself as
> Benson Margulies, I have not only the passport but a room full
> of Apache folks - some of whom surely know Benson Margulies
> well - to reassure me.

Protocols for key signing parties can be quite elaborate to ensure that each
participant provides multiple factors:

    http://cryptnet.net/fdp/crypto/keysigning_party/en/keysigning_party.html

Marvin Humphrey
