incubator-general mailing list archives

From Nick Kew <...@apache.org>
Subject Re: key signing
Date Wed, 10 Oct 2012 10:52:40 GMT

On 10 Oct 2012, at 11:25, Benson Margulies wrote:

> I then feel that it's perfectly reasonable to sign a key that has two
> things in it: the name Noah Slater and nslater@apache.org, because if
> this process doesn't verify an adequate association, then no one can
> trust the Apache IP process, either, and which has the same signature
> as the one in SVN.

The apache process is satisfied with his identity.  The apache process
says so by publishing the key under his name at apache.org, thus
establishing a certain level of trust.

That most certainly doesn't mean I should sign the key: for me to do
so based on hearsay (my own trust not in his key but in the apache
process) just muddies the waters.

The missing link is my ability to formalise my WoT level of trust
(whatever it might be) in the apache process by signing a key
labelled something like "ASF committer enrolment process" which
in turn automatically signs everyone's keys.  Were it not for the risk 
of rather serious misunderstanding, I should advocate such a key.

-- 
Nick Kew
