incubator-general mailing list archives

From Marvin Humphrey
Subject Re: key signing
Date Wed, 10 Oct 2012 15:37:49 GMT
On Wed, Oct 10, 2012 at 7:19 AM, Nick Kew wrote:
> On 10 Oct 2012, at 12:20, Benson Margulies wrote:
>> Nick: On the one hand, how is trusting the Apache process better or
>> worse than trusting the State of Massachusetts?
> When I sign a key I'm basing it on more information than that.

Exactly -- certainty increases linearly as the strength of any one factor
improves, but increases exponentially with the addition of multiple factors.


      amateur inspection of photo ID

Stronger, but depends on trust in third parties:

      amateur inspection of photo ID
    + third party testimonials

Stronger still:

      amateur inspection of photo ID
    + third party testimonials
    + permanent archived video (to discourage impersonation)
    + verification of Apache credentials

> Either it's a one-off, when I have additional knowledge of someone:
> e.g. a personal or working relationship.  Or it's a keysigning party,
> when I'm one of many.  In the latter case, if I'm signing keys at
> ApacheCon and someone I've never met identifies himself as
> Benson Margulies, I have not only the passport but a room full
> of Apache folks - some of whom surely know Benson Margulies
> well - to reassure me.

Protocols for key signing parties can be quite elaborate to ensure that each
participant provides multiple factors:

Marvin Humphrey
