From: "Dennis E. Hamilton"
Delivered-To: mailing list general@incubator.apache.org
Subject: RE: key signing
Date: Mon, 15 Oct 2012 11:07:56 -0700
Message-ID: <004401cdab00$017de530$0479af90$@apache.org>

@Benson

There are two things that can be done, with (2) being what matters to
you, it seems to me:

1. The committer can upload the fingerprint-associated public key to
   the PGP Global Directory at . That will initiate an e-mail
   verification for every e-mail in the pubkey record (cert for short).
   The procedure and its risks are described in the Key Verification
   Policy, .

   The key will not be published on that server until the e-mail
   verification occurs. It will there be countersigned by the PGP
   Global Directory Verification Key. Note that there is a
   revocation procedure and revocation (i.e., removal from that
   directory) will happen if one of the periodic e-mail
   confirmations fails.

   Here's an example of how those counter-signings show up:

   The e-mail verification is vulnerable (as described in the Key
   Verification Policy) in much the same way that Apache credentials
   and Account records are vulnerable with respect to the use of
   e-mail association as authentication.

2. In conjunction with checking for the key at (1), or independently,
   the advice from the PGP folk is that an independent means of
   identity agreement should be employed.
   So long as you have a
   way of doing that, and the other party can confirm that is the
   public key for which they possess the secret key, it seems
   appropriate to countersign the public key.

   Technically, this should not rely on the e-mail address. Use a
   different channel whereby the committer confirms identity,
   including having or knowing something that satisfies you.
   Since you can be confident about your own public key, have
   the party send you an encrypted message that satisfies you
   concerning the identity of the originator. That message plaintext
   could also be signed by the party, demonstrating their possession
   of the private key for the pubkey in question.

   The odd thing about the WoT is that it depends on how much *you*
   are considered dependable in verifying the cert creator's identity.
   Each inspector of the committer certificate determines their own
   trust of the counter-signing signatures (whether by WoT
   transitivity rules or their own personal knowledge/trust).

 -- Dennis

Since I dropped in on this thread, I went through the key registration
process for a unique key that only has orcmid@ a.o as the associated
e-mail. The public key was put wherever the Gnu Privacy Assistant puts
them. I uploaded the public key to the MIT PGP key server myself.

I also went through the PGP Global Directory verification procedure.

I put the fingerprint in my Apache Account record and a version of the
cert magically appeared at . (I'm not sure where this is fetched from,
so I'm not sure how counter-signed versions show up.)

I am continuing to experiment.

-----Original Message-----
From: Benson Margulies [mailto:bimargulies@gmail.com]
Sent: Monday, October 15, 2012 05:46
To: general@incubator.apache.org
Subject: Re: key signing

Now I have a practical problem.

I've received email from a committer on a project. I have met him in
person -- some years ago. I helped him get started at Apache.
His fellow PMC members are telling him that it's *necessary* for him
to come up with one or more signatures on his key to act as an RM.

Choices:

1) send email to him and his PMC fellows, referencing this thread, as
evidence that key signing is nice but optional.

2) go ahead and sign his key based on simple email. I'm a very bad
paranoid; I'm not interested in the idea that some person out there is
anxious to undermine Apache and has captured one or both of our gmail
accounts, or is acting as an MITM. I have plenty of writing-style
evidence that this email address disgorges communications from him.

3) Engage in some more or less baroque protocol involving skype or
carrier pigeons.

Anyone care to try to tell me what to do?

My views are colored by my, and his, complete disinterest in the WoT
outside of its use at Apache, and my conviction that I do, indeed,
know that this key is under the control of a particular person who
signed a CLA and got voted in as a committer of a particular project.

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org
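
The possession check described in point 2 of the message above (the party sends a signed message encrypted to the signer, who countersigns only if it checks out), as an added example that is not part of the original e-mail. It assumes GnuPG 2.1.17 or later on PATH; the user IDs, the agreed text and the helper names (g, new_identity, fingerprint, make_proof, check_proof, demo) are constructed for illustration.

```bash
#!/usr/bin/env bash
# Constructed demo: throwaway keyrings stand in for the committer and the signer.
set -eu

# g HOME ARGS...: run gpg non-interactively against one keyring directory.
g() { gpg --batch --quiet --no-tty --pinentry-mode loopback --passphrase '' --homedir "$@"; }

new_identity() {  # $1 = user id; creates an unprotected test key, prints its keyring dir
  local home; home=$(mktemp -d); chmod 700 "$home"
  g "$home" --quick-generate-key "$1" future-default default never >/dev/null 2>&1
  echo "$home"
}

fingerprint() {  # $1 = keyring, $2 = e-mail; prints the primary key fingerprint
  g "$1" --with-colons --fingerprint "$2" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Committer side: sign the agreed text and encrypt it to the signer's public key.
# --trust-model always is used only because this demo keyring has no trust set up.
make_proof() {  # $1 = committer keyring, $2 = signer e-mail, $3 = agreed text
  printf '%s\n' "$3" | g "$1" --trust-model always --armor --sign --encrypt -r "$2"
}

# Signer side: succeed only if stdin decrypts, carries a valid signature made by
# the expected primary key, and the plaintext is the text agreed out of band.
check_proof() {  # $1 = signer keyring, $2 = expected fingerprint, $3 = agreed text
  local status plain made_by
  status=$(mktemp)
  plain=$(g "$1" --status-file "$status" --decrypt 2>/dev/null) || { rm -f "$status"; return 1; }
  made_by=$(awk '$2 == "VALIDSIG" { print $NF }' "$status"); rm -f "$status"
  [ "$made_by" = "$2" ] && [ "$plain" = "$3" ]
}

demo() {  # prints "signed" or "refused"
  local c s fpr msg text='nonce 7f3a, read out over the phone'
  c=$(new_identity 'Committer Example <committer@example.org>')
  s=$(new_identity 'Signer Example <signer@example.org>')
  g "$c" --armor --export | g "$s" --import 2>/dev/null   # key as received by e-mail
  g "$s" --armor --export | g "$c" --import 2>/dev/null
  fpr=$(fingerprint "$s" committer@example.org)
  msg=$(make_proof "$c" signer@example.org "$text")
  if printf '%s\n' "$msg" | check_proof "$s" "$fpr" "$text"; then
    g "$s" --quick-sign-key "$fpr" >/dev/null 2>&1 && echo signed
  else
    echo refused
  fi
}

demo
```

The comparison against the VALIDSIG fingerprint is what ties the proof to the specific key about to be countersigned, independent of the e-mail address in its user ID.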