Return-Path: X-Original-To: apmail-incubator-general-archive@www.apache.org Delivered-To: apmail-incubator-general-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 49C93DA7A for ; Wed, 10 Oct 2012 03:01:52 +0000 (UTC) Received: (qmail 59531 invoked by uid 500); 10 Oct 2012 03:01:51 -0000 Delivered-To: apmail-incubator-general-archive@incubator.apache.org Received: (qmail 59290 invoked by uid 500); 10 Oct 2012 03:01:51 -0000 Mailing-List: contact general-help@incubator.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: general@incubator.apache.org Delivered-To: mailing list general@incubator.apache.org Received: (qmail 59281 invoked by uid 99); 10 Oct 2012 03:01:51 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 10 Oct 2012 03:01:51 +0000 X-ASF-Spam-Status: No, hits=1.5 required=5.0 tests=HTML_MESSAGE,RCVD_IN_DNSWL_LOW,SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (athena.apache.org: domain of ted.dunning@gmail.com designates 74.125.82.41 as permitted sender) Received: from [74.125.82.41] (HELO mail-wg0-f41.google.com) (74.125.82.41) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 10 Oct 2012 03:01:46 +0000 Received: by mail-wg0-f41.google.com with SMTP id ds1so2957592wgb.0 for ; Tue, 09 Oct 2012 20:01:25 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :content-type; bh=g6gT2POIihEKsYUBSOo7G1Ga0JL3MLyqH5x6AUmi9Tc=; b=Qcv+jiVIaFXPaYROWi414XKfRM8Luwwr53EHKbI6aYomBGuNOuloUwpzeV83gubNta KHiF5VMNBriR3Xt8qlizl6zqvYC3VlpkqjJn+OiK/f0RkDwPerbiOH/xbr51tAHRi+5v cs0y/PEgI8nWCgy/jdGX2tEfh6jJBCsFz8Xpne+5sBVUOLtaMyPfxj8XAWW+4zjCyouT cr+ikC/w8fqZDKYPvlXapu2nUKOO2l3lsOJs6syhOwtXuJ6TCvRwP/dWi5Rt1ihZtiA/ cLK4s3IjVQsWFVi3NjE2DnMyoWhaU0Q4/tK55J4vt9UIa6cWrR5dDZYhXf45mX++G9MJ v++Q== Received: by 10.216.143.233 with SMTP id l83mr13172802wej.167.1349838085291; Tue, 09 Oct 2012 20:01:25 -0700 (PDT) MIME-Version: 1.0 Received: by 10.223.72.200 with HTTP; Tue, 9 Oct 2012 20:00:55 -0700 (PDT) In-Reply-To: References: <20121005131523.GE3033@lp-shahaf.local> <2E45169E9A237B4DA78078A68962F9EF06BEF55D@IMCMBX01.MITRE.ORG> <5072E4EC.8060001@apache.org> <5072F68D.6080301@apache.org> From: Ted Dunning Date: Tue, 9 Oct 2012 20:00:55 -0700 Message-ID: Subject: Re: key signing To: general@incubator.apache.org Content-Type: multipart/alternative; boundary=0016e6dab18393fe6504cbabab4c X-Virus-Checked: Checked by ClamAV on apache.org --0016e6dab18393fe6504cbabab4c Content-Type: text/plain; charset=UTF-8 If you know the person, it adds something that you don't get. On Tue, Oct 9, 2012 at 3:40 PM, Noah Slater wrote: > What, precisely, does a video call actually provide? > > The point of meeting in person is to verify photo IDs. Just talking to > somebody with a face doesn't prove anybody. I am fairly certain that YOU > have a face, and I have never even seen it. If all you're doing is having a > chit chat and swapping key IDs, you may as well do that via IRC or email. > Doing it with a video adds nothing, as far as I can see. It certainly does > not establish identity. Beyond "a person who says their name is Bob has a > face which looks like [this]." Is that useful? I don't think so. > > On Tue, Oct 9, 2012 at 11:01 PM, Marvin Humphrey >wrote: > > > On Mon, Oct 8, 2012 at 2:24 PM, Noah Slater > wrote: > > >> 1. The key owner convinces the signer that the identity in the UID is > > >> indeed their own identity by whatever evidence the signer is willing > to > > >> accept as convincing. Usually this means the key owner must present a > > >> government issued ID with a picture and information that match up with > > the > > >> key owner. (Some signers know that government issued ID's are easily > > forged > > >> and that the trustability of the issuing authorities is often suspect > > and > > >> so they may require additional and/or alternative evidence of > identity). > > > > > >> 2. The key owner verifies that the fingerprint and the length of the > key > > >> about to be signed is indeed their own. > > > > > > How would you do this via Skype? > > > > Here's a rough draft for a protocol: > > > > Several podling committers convene in a Google Plus Hangout with > "Hangouts > > On > > Air" enabled (so that the video gets archived to YouTube). > > > > Everyone states their name and what they had for lunch, then reads their > > public key fingerprint aloud. The lunch items are combined into a key > > phrase. > > Participants then commit to a text file under ASF version control, > > contributing a few lines containing their name, their public key > > fingerprint > > and the key phrase -- linking together face and voice, public key > > fingerprint, > > ASF credentials and by extension, an iCLA. > > > > Optionally, the project is then discussed by the participants for some > > arbitrary length of time; the discussion of shared experience adds > another > > layer of confidence that participants are who they say they are. > > > > Physical IDs are *not* shown during this session because the video is to > be > > archived in a public location, but participants are encouraged to request > > such > > ids via private channels later. > > > > After the session ends, the archival video link is submitted to the > > podling's > > dev list, giving people the opportunity to initiate contact via email, > > phone > > or other channels with the committers in question -- or better yet their > > associates and colleagues, pointing to the video link and requesting > > confirmation of identity. > > > > Once a potential key-signer believes that a high degree of certainty has > > been > > established for a given candidate (it may make sense to codify some "best > > practice" guidelines), they sign the key and report to the dev list, > > documenting both what key was signed and what criteria they used when > > deciding > > to sign. > > > > ... > > > > While this protocol does not rely heavily on validating government-issued > > IDs, > > the Debian guidelines quoted above point out that some people object to > > giving > > such IDs too much creedence: > > > > (Some signers know that government issued ID's are easily forged and > > that > > the trustability of the issuing authorities is often suspect and so > > they > > may require additional and/or alternative evidence of identity). > > > > Instead, it relies on a layered approach a la multi-factor > authentication. > > > > > If we don't take this seriously, how can we expect other people to take > > our > > > keys seriously? > > > > Since the Incubator PMC consistently approves releases signed by keys > which > > are not connected to the web of trust, apparently we don't take the web > of > > trust very "seriously" right now. ;) > > > > But "seriously"... > > > > I interpret "take this seriously" to mean that before signing the key, it > > is > > important to... > > > > 1. Establish the identity of the key owner to a high degree of > certainty. > > 2. Establish the link between the key and the key owner to a high degree > > of > > certainty. > > > > The point is that the degree of certainty is independent of the means > used > > to > > obtain that certainty -- and the GnuPG docs say as much. Face-to-face > > interaction is one good technique, but in my opiniion, the categorical > > dismissal of all other techniques hinders participation in the web of > > trust, > > thereby thinning our defense in depth against credential spoofing. > > > > Marvin Humphrey > > > > --------------------------------------------------------------------- > > To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org > > For additional commands, e-mail: general-help@incubator.apache.org > > > > > > > -- > NS > --0016e6dab18393fe6504cbabab4c--