incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Marvin Humphrey <>
Subject Re: key signing
Date Thu, 11 Oct 2012 18:46:23 GMT
On Wed, Oct 10, 2012 at 2:36 PM, Nick Kew <> wrote:
> On 10 Oct 2012, at 17:04, Marvin Humphrey wrote:
>> In my opinion, we have sufficient expertise here at the ASF to devise an
>> authentication protocol whose reliability exceeds that of individuals
>> participating unsupervised in a web of trust, particularly if the protocol
>> were to incorporate archived video and auditing by a PMC.
> That may be, but I don't think general@incubator is the place to develop it.

The Incubator is where the acute need exists, because we are bootstrapping
entire communities where no one is linked into the web of trust.

For existing projects, the longer they've been around, the more likely that a
significant number of committers have attended an ApacheCon key-signing party
or otherwise had an opportunity to get their keys signed.  But here, we see
new RMs all the time who are isolated.  It would be nice if we had some
systematic way of integrating them.

In the absence of a formal protocol, suggesting that new RMs go find someone
to sign their key is unsatisfying, since at least some of the time that's
likely to mean email contact alone and potentially a tenuous relationship to
the signer.  The alternative of suggesting that new RMs with a release VOTE
pending go find a local key-signing party to attend seems unrealistic.

In my opinion, general@incubator is an appropriate venue to explore ways in
which the system can be improved.  That will necessarily mean talking about
some implementation details because it would be silly to assess feasibility
otherwise, but please note that the proposed protocol was labeled a "rough
draft".  Maybe we can call it "sample" instead, implying the need to start
over later -- it doesn't matter to me.  I had always imagined that if the
protocol were to move forward it would undergo a process of relentless
scrutiny and refinement by interested parties outside the Incubator.

The payoff is that with a protocol in place which enables us to establish
identity to a high degree of certainty and add an individual to web of trust
on a short turnaround, the Incubator need not approve another release signed
by an RM who is not linked into the ASF web of trust.

> FWIW for myself I like to back WOT paths by checking manually,
> and feel best about it when I can identify a chain of trust involving only
> people I trust to be savvy enough not to sign keys willy-nilly.
> PGP/GPG support different levels of trust, so the model helps there.

The PR challenge is a separate question.  I will acknowlege that I have been
taken aback by the extreme skepticism in what I view as a straightforward
application of the principles of multi-factor authentication, faithful to
the spirit and letter of the GnuPG docs.

It pains me that the only outcome of this discussion may be that it gets even
harder to make an incubating release. :(

Marvin Humphrey

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message