incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Benson Margulies <>
Subject Re: key signing
Date Wed, 10 Oct 2012 11:20:05 GMT
On Wed, Oct 10, 2012 at 6:52 AM, Nick Kew <> wrote:
> On 10 Oct 2012, at 11:25, Benson Margulies wrote:
>> I then feel that it's perfectly reasonable to sign a key that has two
>> things in it: the name Noah Slater and, because if
>> this process doesn't verify an adequate association, then no one can
>> trust the Apache IP process, either, and which has the same signature
>> as the one in SVN.
> The apache process is satisfied with his identity.  The apache process
> says so by publishing the key under his name at, thus
> establishing a certain level of trust.
> That most certainly doesn't mean I should sign the key: for me to do
> so based on hearsay (my own trust not in his key but in the apache
> process) just muddies the waters.

Nick: On the one hand, how is trusting the Apache process better or
worse than trusting the State of Massachusetts? Both offer an
assertion of a relationship between someone and a legal identity. In
the state of MA case, I'm matching a face to a piece of (forgeable)
plastic. In the Apache case, I'm matching an email to the Apache
process. In both cases, I could be the subject of a fraud: someone I
'know' via mailing list interactions shows up in person, shows me a
driver's license, and satisfies me that he or she is the same person I
'know' online. Enter the mole.

If the answer to this is that WoT is supposed to be based on some
level of 'real personal trust' (the opposite, after a fashion, of a
'Facebook Friend'), then I shouldn't sign keys at signing parties,
since there's just about no one at Apache whom I know well enough to
meet the standard. And I feel reinforced in my original urge to write
web pages around here that put the Apache process above the WoT.
Ironically, I could argue that we'd be better-served with X.509 certs.
An Apache CA could be programmed to issue a cert to each committer.
Users would just verify the source CA, and we'd accomplish the goal of
giving users assurance.

> The missing link is my ability to formalise my WoT level of trust
> (whatever it might be) in the apache process by signing a key
> labelled something like "ASF committer enrolment process" which
> in turn automatically signs everyone's keys.  Were it not for the risk
> of rather serious misunderstanding, I should advocate such a key.
> --
> Nick Kew
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message