incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Benson Margulies <bimargul...@gmail.com>
Subject Re: key signing
Date Wed, 10 Oct 2012 11:20:05 GMT
On Wed, Oct 10, 2012 at 6:52 AM, Nick Kew <niq@apache.org> wrote:
>
> On 10 Oct 2012, at 11:25, Benson Margulies wrote:
>
>> I then feel that it's perfectly reasonable to sign a key that has two
>> things in it: the name Noah Slater and nslater@apache.org, because if
>> this process doesn't verify an adequate association, then no one can
>> trust the Apache IP process, either, and which has the same signature
>> as the one in SVN.
>
> The apache process is satisfied with his identity.  The apache process
> says so by publishing the key under his name at apache.org, thus
> establishing a certain level of trust.
>
> That most certainly doesn't mean I should sign the key: for me to do
> so based on hearsay (my own trust not in his key but in the apache
> process) just muddies the waters.


Nick: On the one hand, how is trusting the Apache process better or
worse than trusting the State of Massachusetts? Both offer an
assertion of a relationship between someone and a legal identity. In
the state of MA case, I'm matching a face to a piece of (forgeable)
plastic. In the Apache case, I'm matching an email to the Apache
process. In both cases, I could be the subject of a fraud: someone I
'know' via mailing list interactions shows up in person, shows me a
driver's license, and satisfies me that he or she is the same person I
'know' online. Enter the mole.

If the answer to this is that WoT is supposed to be based on some
level of 'real personal trust' (the opposite, after a fashion, of a
'Facebook Friend'), then I shouldn't sign keys at signing parties,
since there's just about no one at Apache whom I know well enough to
meet the standard. And I feel reinforced in my original urge to write
web pages around here that put the Apache process above the WoT.
Ironically, I could argue that we'd be better-served with X.509 certs.
An Apache CA could be programmed to issue a cert to each committer.
Users would just verify the source CA, and we'd accomplish the goal of
giving users assurance.


>
> The missing link is my ability to formalise my WoT level of trust
> (whatever it might be) in the apache process by signing a key
> labelled something like "ASF committer enrolment process" which
> in turn automatically signs everyone's keys.  Were it not for the risk
> of rather serious misunderstanding, I should advocate such a key.
>
> --
> Nick Kew
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
> For additional commands, e-mail: general-help@incubator.apache.org
>

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org


Mime
View raw message