incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Benson Margulies <>
Subject Re: key signing
Date Wed, 10 Oct 2012 10:25:19 GMT
A different angle.

Noah asks me to sign his key.

Noah tells me that he's committed it to KEYS for CloudStack in svn
revision 314159.

I examine that revision and see that it was made by, indeed, noah's
Apache ID, which is associated with a particular email address.

I send email to secretary@, asking "Can you confirm that corresponds to a CLA signed by a person named Noah

The secretary says yes.

I then feel that it's perfectly reasonable to sign a key that has two
things in it: the name Noah Slater and, because if
this process doesn't verify an adequate association, then no one can
trust the Apache IP process, either, and which has the same signature
as the one in SVN.

What am I missing here that would be improved by an in-person
examination of his, oh, passport? A risk of some baroque MITM attack
on Apache's svn server?

It seems to me that this highlights a global issue with the WoT: how
can I know the standards and level of care of every link in a chain of
trust from me to some other person?

None of this, of course, changes my concern that the average Apache
user isn't connected, but if the argument is persuasive it should
unleash a positive avalanche of key signing.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message