incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Florian Holeczek <>
Subject Re: key signing
Date Wed, 10 Oct 2012 15:11:49 GMT
Hi Benson,

> A different angle.
> Noah asks me to sign his key.
> Noah tells me that he's committed it to KEYS for CloudStack in svn
> revision 314159.
> I examine that revision and see that it was made by, indeed, noah's
> Apache ID, which is associated with a particular email address.
> I send email to secretary@, asking "Can you confirm that
> corresponds to a CLA signed by a person named Noah
> Slater?"
> The secretary says yes.
> I then feel that it's perfectly reasonable to sign a key that has two
> things in it: the name Noah Slater and,

In this scenario, you assume:
* that Noah's account is solely under his own control
* that your mail ping pong with secretary is secure
* that the ASF did verify Noah's identity correctly
* in general, that the whole infrastructure used in this process is secure (trust root, no
MITM, the usual stuff)

The PGP/GPG WoT is generally built upon assuring the identity of a real person (normally this
person's name is the name used in the key, but this is a point often discussed), and upon
doing this personally, i.e. not relying on the assumption that others have done it correctly!
It's *you* who is signing the key, stating that *you* can certify that this key belongs to
that person, and that the person is the one he/she claims to be. After all, other users on
the WoT will rely on this information.
Signing pseudonym keys is a special thing, see [1] for example. It is important to mention
that using a pseudonym doesn't mean that identity verification can't take place - these are
two different things.

> because if
> this process doesn't verify an adequate association, then no one can
> trust the Apache IP process, either, and which has the same signature
> as the one in SVN.

I don't remember what exactly I had to do, but AFAIR not as much that the ASF would be able
to sign my real-name-key based on this information. Sad but true.

> What am I missing here that would be improved by an in-person
> examination of his, oh, passport? A risk of some baroque MITM attack
> on Apache's svn server?
> It seems to me that this highlights a global issue with the WoT: how
> can I know the standards and level of care of every link in a chain of
> trust from me to some other person?
> None of this, of course, changes my concern that the average Apache
> user isn't connected, but if the argument is persuasive it should
> unleash a positive avalanche of key signing.

Of course, the WoT concept results in some effort for every participant. It's a decentralized
concept, and this is one of its disadvantages.

However, what would now be totally wrong IMO is, that some guys in the ASF redefine these
rules in order to make the process of release signing more simple. In the WoT big picture,
this would automatically mean that every key that is signed based on these weak rules would
have to be marked as marginally trusted (if at all) by people who want to really follow the
PGP/GPG WoT concept.

I think there are the following basic questions:
a) Which basic concept should be used at all? Is it a decentralized Web of Trust, or should
a hierarchical Apache CA be established for code signing purposes?
b) Should it be possible to contribute to ASF projects using a pseudonym, including code signing?

Assuming WoT for a), since there is probably no suiting manpower available for running a CA.

Assuming Yes for b) and proposing that there should be rules for pseudonym keys making it
possible to distinguish them from real name keys (for example "Superman (PSEUDONYM CODE SIGNING
KEY) <").

Furthermore proposing the following rules:
* signing keys MUST be included in the KEYS file in the svn repository
* signing keys SHOULD be signed by other ASF members and/or other people in order to integrate
the key into a WoT. However, signing MUST take place following commonly known rules when it
comes to verifying identity (TODO: maybe it's best to really specify these rules in detail,
like many people out there already do in the PGP/GPG sections of their personal web pages).
It's up to the key signer whether he wants to sign pseudonym keys (TODO: Which rules do apply
to verify identity in this case?).
* It's ok for unsigned keys to be used. In this case, a person verifying an artifact's signature
would be relying solely on the assumption that the Apache infrastructure isn't compromised.

My 2 cents so far.



To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message