You are not confirming that somebody is who he says he is. You are simply confirming that he bears the key that he says he has. The latter is a much simpler problem.
On Sat, Mar 31, 2012 at 5:15 AM, Randall Leeds <[email protected]> wrote:
> On Fri, Mar 30, 2012 at 06:30, Noah Slater <[email protected]> wrote:
>> My key is signed by:
>> 85E0E79A 2011-10-19 Randall Leeds <[email protected]>
>>
>> I am actually a little confused why Randall has signed my key. He has never
>> met me, nor has he ever confirmed my identity, nor has he any assurances
>> that the key he signed is mine. Randall, maybe you should come to Dublin,
>> and you can make up for this faux pas? Dave, you need to do the same, if
>> you want to link our trust circles.
>
> I would love to come to Dublin. I'd totally like to make it happen
> this year. For now, I'd love to talk about this in case it's a good
> teaching moment. I'm relatively new to this and may be going about
> things in the wrong way.
>
> I have never met you. I may disagree that I have never confirmed your
> identity. Maybe I'm not sure what that actually means. Does it mean
> that you are called Noah Slater by some government authority? Do I
> care? I care that our release manager is the one signing our releases
> and the one calling our votes and that he owns the identity referenced
> by this key. I have several pieces of infrastructure and communication
> security (@apache.org email, repository access, IRC cloak, the web of
> trust with those I have met personally) that tell me this is probably
> the case as well as lots of online activity correlation that provides
> strong evidence that this is so.
>
> Therefore, I feel fairly confident stating that the actions of some
> person who is executing releases and signing code using this key are
> attributable to some Noah Slater who communicates using the associated
> email addresses and is an Apache CouchDB PMC member and release
> manager.
>
> But I think the rub is that trust and validity are different things. I
> do know, with 100% confidence, that the key I signed has been signing
> code releases. Whether it belongs to some particular Noah Slater who
> is *trusted* is a human call. More importantly, it's one that I did
> not, and perhaps should not, publicise without meeting you in person,
> though the reasons for this aren't totally clear. I locally trust you,
> but perhaps not enough to publish that trust without meeting you in
> person. To me, the faux pas is failing to recognise that a web of
> trust means that ***I do not need to sign your key to lend weight
> to its trustworthiness*** because I have done so transitively by
> signing other, nearby keys. Some subtlety here, I think, escaped me
> for a time.
>
> I believe a (much more) serious faux pas would be if I had signed your
> key and it had contained a picture. Since I have not met you I cannot
> assert that you "look like <some picture>", but the assertions I have
> made seem relatively sound. Someone wanting to know whether a tarball
> they received was actually created by our release manager can trust me
> with that assertion (if they trust me at all). Please point out where
> I'm wrong, though. I think I've been publicly overly assertive, but
> not dangerously or recklessly so. You are most likely correct that I
> should not have signed your key, but I hope you agree with my
> assessment of the situation and can offer some insight as to what,
> exactly, I gain by meeting you in person.
>
> When I meet people in person and exchange keys, they usually ask to
> see my key fingerprint and check that it's the one they're seeing. In
> other words, they verify that the key they're signing is the one I
> claim to own and they aren't being tricked by a MITM, but they don't
> actually make any other checks about who I am. They are communicating
> some notion of trust based on the social signals of the context of our
> meeting. "We met at this place, we talked about stuff, and this person
> seemed to be the person I associate with this key, so I 'trust' them."
> What does it mean to trust? It's totally human. Have I/they been doing
> it wrong?
>
> Thanks for bringing this up, Noah. Do not doubt that I thought hard
> about my decision to sign your key. I've also just reviewed the whole
> FAQ at https://www.apache.org/dev/release-signing and will
> subsequently be transitioning my key to a stronger one. I will,
> perhaps, refrain from publishing any key signings using that beyond
> those people I've personally met.
>
> -Randall

--
Iris Couch
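The two points Randall makes above, that trust and validity are different things and that a key can become trustworthy transitively without his signing it, are exactly what GnuPG's classic trust model computes. The following is an added example, not code from the thread or from the CouchDB project: a small Python model of that computation using GnuPG's documented defaults (one fully trusted signer or three marginally trusted signers makes a key valid, chains no longer than five hops). The keyring, key ids and the people in it are placeholders made up to mirror the thread; nothing here touches real keys.

```python
"""Toy model of GnuPG's classic web-of-trust validity computation.

Added example, not code from the thread. Models the documented GnuPG
defaults (marginals-needed 3, completes-needed 1, max-cert-depth 5).
Key ids ("me", "randall", "noah", ...) are placeholders, not real keys.
"""
from dataclasses import dataclass, field
from enum import Enum


class Trust(Enum):
    """Owner trust: how much I trust this person to certify OTHER keys.
    A private, local setting in my keyring; it is never published."""
    UNKNOWN = "unknown"
    NEVER = "never"
    MARGINAL = "marginal"
    FULL = "full"
    ULTIMATE = "ultimate"


class Validity(Enum):
    """Validity: how sure I am that a key belongs to its named owner.
    Derived from published certifications plus my private owner trust."""
    UNKNOWN = "unknown"
    MARGINAL = "marginal"
    FULL = "full"


@dataclass
class Keyring:
    certs: dict[str, set[str]] = field(default_factory=dict)   # key -> signers
    ownertrust: dict[str, Trust] = field(default_factory=dict)  # key -> trust

    def add_key(self, key: str) -> None:
        self.certs.setdefault(key, set())

    def certify(self, signer: str, target: str) -> None:
        """Record that `signer` signed `target`'s key (a public fact)."""
        self.add_key(signer)
        self.add_key(target)
        self.certs[target].add(signer)

    def set_ownertrust(self, key: str, trust: Trust) -> None:
        self.add_key(key)
        self.ownertrust[key] = trust

    def compute_validity(self, marginals_needed: int = 3,
                         completes_needed: int = 1,
                         max_cert_depth: int = 5) -> dict[str, Validity]:
        validity = {k: Validity.UNKNOWN for k in self.certs}
        # Depth 0: my own (ultimately trusted) keys are valid by definition.
        for k, t in self.ownertrust.items():
            if t is Trust.ULTIMATE:
                validity[k] = Validity.FULL
        for _hop in range(max_cert_depth):        # one certification hop per round
            newly_full: set[str] = set()
            for key, signers in self.certs.items():
                if validity[key] is Validity.FULL:
                    continue
                completes = marginals = 0
                for s in signers:
                    # A signature counts only if the signer's key is itself
                    # fully valid AND I have assigned its owner some trust.
                    if validity.get(s) is not Validity.FULL:
                        continue
                    t = self.ownertrust.get(s, Trust.UNKNOWN)
                    if t in (Trust.FULL, Trust.ULTIMATE):
                        completes += 1
                    elif t is Trust.MARGINAL:
                        marginals += 1
                if completes >= completes_needed or marginals >= marginals_needed:
                    newly_full.add(key)
                elif marginals >= 1:
                    validity[key] = Validity.MARGINAL
            if not newly_full:
                break
            for k in newly_full:
                validity[k] = Validity.FULL
        return validity


def thread_scenario() -> dict[str, Validity]:
    """Mirror the thread: I met Randall and signed his key with full owner
    trust; Randall signed Noah's key; I never met or signed Noah."""
    ring = Keyring()
    ring.set_ownertrust("me", Trust.ULTIMATE)
    ring.certify("me", "randall")
    ring.set_ownertrust("randall", Trust.FULL)
    ring.certify("randall", "noah")
    ring.certify("stranger", "noah")   # a signer nobody in my web has validated
    return ring.compute_validity()


def marginal_scenario(n_signers: int) -> dict[str, Validity]:
    """Same shape, but every friend gets only MARGINAL owner trust. Noah's
    key is fully valid only once three of them have signed it. Noah's own
    certification of "benoit" carries no weight: Noah's key is valid, but
    I gave Noah no owner trust (validity and trust are different things)."""
    ring = Keyring()
    ring.set_ownertrust("me", Trust.ULTIMATE)
    for friend in ("randall", "dave", "jan")[:n_signers]:
        ring.certify("me", friend)
        ring.set_ownertrust(friend, Trust.MARGINAL)
        ring.certify(friend, "noah")
    ring.certify("noah", "benoit")
    return ring.compute_validity()


if __name__ == "__main__":
    for name, v in thread_scenario().items():
        print(f"{name:9s} {v.value}")
```

In a real keyring the same computation is what `gpg --check-trustdb` runs and what the validity column of `gpg --list-keys` reports; owner trust is set privately with `trust` inside `gpg --edit-key`. Note the asymmetry the model makes visible: Noah's key becomes fully valid in my keyring through Randall alone, so `gpg --verify` on a release tarball accepts it without a warning, yet nothing Noah signs gains validity until I separately decide to trust him as a certifier.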
