On Fri, Mar 30, 2012 at 06:30, Noah Slater <[email protected]> wrote: > My key is signed by: > 85E0E79A 2011-10-19 Randall Leeds <[email protected]> > > I am actually a little confused why Randall has signed my key. He has never > met me, nor has he ever confirmed my identity, nor has he any assurances > that the key he signed is mine. Randal, maybe you should come to Dublin, > and you can make up for this faux pas? Dave, you need to do the same, if > you want to link our trust circles.
I would love to come to Dublin. I'd totally like to make it happen this year. For now, I'd love to talk about this in case its a good teaching moment. I'm relatively new to this and may be going about things in the wrong way. I have never met you. I may disagree that I have never confirmed your identity. Maybe I'm not sure what that actually means. Does it mean that you are called Noah Slater by some government authority? Do I care? I care that our release manager is the one signing our releases and the one calling our votes and that he owns the identity referenced by this key. I have several pieces of infrastructure and communication security (@apache.org email, repository access, IRC cloak, the web of trust with those I have met personally) that tell me this is probably the case as well as lots of online activity correlation that provides strong evidence that this is so. Therefore, I feel fairly confident stating that the actions of some person who is executing releases and signing code using this key are attributable to some Noah Slater who communicates using the associated email addresses and is an Apache CouchDB PMC member and release manager. But I think the rub is that trust and validity are different things. I do know, with 100% confidence, that the key I signed has been signing code releases. Whether it belongs to some particular Noah Slater who is *trusted* is a human call. More importantly, it's one that I did not, and perhaps should not, publicise without meeting you in person, though the reasons for this aren't totally clear. I locally trust you, but perhaps not enough to publish that trust without meeting you in person. To me, the faux pas is failing to recognise that a web of trust means that ***I do not need need to sign your key to lend weight to its trustworthiness*** because I have done so transitively by signing other, nearby keys. Some subtlety here, I think, escaped me for a time. I believe a (much more) serious faux pas would be if I had signed your key and it had contained a picture. Since I have not met you I cannot assert that you "look like <some picture>", but the assertions I have made seem relatively sound. Someone wanting to know whether a tarball they received was actually created by our release manager can trust me with that assertion (if they trust me at all). Please point out where I'm wrong, though. I think I've been publicly overly assertive, but not dangerously or recklessly so. You are mostly likely correct that I should not have signed your key, but I hope you agree with my assessment of the situation and can offer some insight as to what, exactly, I gain by meeting you in person. When I meet people in person and exchange keys, they usually ask to see my key fingerprint and check that it's the one their seeing. In other words, they verify that the key they're signing is the one I claim to own and they aren't being tricked by a MITM, but they don't actually make any other checks about who I am. They are communicating some notion of trust based on the social signals of the context of our meeting. "We met at this place, we talked about stuff, and this person seemed to be the person I associate with this key, so I 'trust' them." What does it mean to trust? It's totally human. Have I/they been doing it wrong? Thanks for bringing this up, Noah. Do not doubt that I thought hard about my decision to sign your key. I've also just reviewed the whole FAQ at https://www.apache.org/dev/release-signing and will subsequently be transitioning my key to a stronger one. I will, perhaps, refrain from publishing any key signings using that beyond those people I've personally met. -Randall
