Posted to dev@couchdb.apache.org by Randall Leeds <ra...@gmail.com> on 2012/03/31 00:15:18 UTC

On Key Signing (was Re: [VOTE] Apache CouchDB 1.2.0 release, fifth round)

On Fri, Mar 30, 2012 at 06:30, Noah Slater <ns...@tumbolia.org> wrote:
> My key is signed by:
> 85E0E79A 2011-10-19  Randall Leeds <ra...@apache.org>
>
> I am actually a little confused why Randall has signed my key. He has never
> met me, nor has he ever confirmed my identity, nor has he any assurances
> that the key he signed is mine. Randall, maybe you should come to Dublin,
> and you can make up for this faux pas? Dave, you need to do the same, if
> you want to link our trust circles.

I would love to come to Dublin. I'd totally like to make it happen
this year. For now, I'd love to talk about this in case it's a good
teaching moment. I'm relatively new to this and may be going about
things in the wrong way.

I have never met you. I may disagree that I have never confirmed your
identity. Maybe I'm not sure what that actually means. Does it mean
that you are called Noah Slater by some government authority? Do I
care? I care that our release manager is the one signing our releases
and the one calling our votes and that he owns the identity referenced
by this key. I have several pieces of infrastructure and communication
security (@apache.org email, repository access, IRC cloak, the web of
trust with those I have met personally) that tell me this is probably
the case as well as lots of online activity correlation that provides
strong evidence that this is so.

Therefore, I feel fairly confident stating that the actions of some
person who is executing releases and signing code using this key are
attributable to some Noah Slater who communicates using the associated
email addresses and is an Apache CouchDB PMC member and release
manager.

But I think the rub is that trust and validity are different things. I
do know, with 100% confidence, that the key I signed has been signing
code releases. Whether it belongs to some particular Noah Slater who
is *trusted* is a human call. More importantly, it's one that I did
not, and perhaps should not, publicise without meeting you in person,
though the reasons for this aren't totally clear. I locally trust you,
but perhaps not enough to publish that trust without meeting you in
person. To me, the faux pas is failing to recognise that a web of
trust means that ***I do not need to sign your key to lend weight
to its trustworthiness*** because I have done so transitively by
signing other, nearby keys. Some subtlety here, I think, escaped me
for a time.

I believe a (much more) serious faux pas would be if I had signed your
key and it had contained a picture. Since I have not met you I cannot
assert that you "look like <some picture>", but the assertions I have
made seem relatively sound. Someone wanting to know whether a tarball
they received was actually created by our release manager can trust me
with that assertion (if they trust me at all). Please point out where
I'm wrong, though. I think I've been publicly overly assertive, but
not dangerously or recklessly so. You are most likely correct that I
should not have signed your key, but I hope you agree with my
assessment of the situation and can offer some insight as to what,
exactly, I gain by meeting you in person.

When I meet people in person and exchange keys, they usually ask to
see my key fingerprint and check that it's the one they're seeing. In
other words, they verify that the key they're signing is the one I
claim to own and they aren't being tricked by a MITM, but they don't
actually make any other checks about who I am. They are communicating
some notion of trust based on the social signals of the context of our
meeting. "We met at this place, we talked about stuff, and this person
seemed to be the person I associate with this key, so I 'trust' them."
What does it mean to trust? It's totally human. Have I/they been doing
it wrong?

Thanks for bringing this up, Noah. Do not doubt that I thought hard
about my decision to sign your key. I've also just reviewed the whole
FAQ at https://www.apache.org/dev/release-signing and will
subsequently be transitioning my key to a stronger one. I will,
perhaps, refrain from publishing any key signings using that beyond
those people I've personally met.

-Randall
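The validity/trust distinction Randall draws above (a certification signature says a key belongs to a person; owner trust says you rely on that person's certifications, and trust reaches keys you never signed through keys you did), as an added example that is not part of the thread: a small Python model of a GnuPG-style web of trust. The thresholds and depth limit are assumed to match GnuPG's classic defaults, and the key names and signatures are constructed.

```python
from collections import defaultdict

# GnuPG's defaults for its classic trust model (assumed here; tunable in gpg.conf).
MARGINALS_NEEDED = 3
COMPLETES_NEEDED = 1
MAX_CERT_DEPTH = 5

class WebOfTrust:
    """Certification signatures say 'this key belongs to that UID' (validity);
    owner trust says 'I rely on this person's certifications' (trustworthiness).
    The two are stored and evaluated separately, as in GnuPG."""

    def __init__(self, my_key):
        self.my_key = my_key
        self.sigs = defaultdict(set)            # key -> keys that certified it
        self.ownertrust = {my_key: "ultimate"}  # my own key is ultimately trusted

    def sign(self, signer, key):
        """Record that `signer` certified `key` (a published, public statement)."""
        self.sigs[key].add(signer)

    def set_ownertrust(self, key, level):
        """Owner trust is a private, local judgement; it is never published."""
        assert level in ("unknown", "never", "marginal", "full", "ultimate")
        self.ownertrust[key] = level

    def validity(self):
        """Return key -> 'full' | 'marginal' | 'unknown' (GnuPG-style)."""
        valid = {self.my_key: "full"}
        for _depth in range(MAX_CERT_DEPTH):     # walk outwards one hop at a time
            newly = {}
            for key, signers in self.sigs.items():
                if key in valid:
                    continue
                completes = marginals = 0
                for s in signers:
                    if s not in valid:            # a signature from an invalid key is worthless
                        continue
                    level = self.ownertrust.get(s, "unknown")
                    if level in ("ultimate", "full"):
                        completes += 1
                    elif level == "marginal":
                        marginals += 1
                if completes >= COMPLETES_NEEDED:
                    newly[key] = "full"
                elif marginals >= MARGINALS_NEEDED:
                    newly[key] = "marginal"
            if not newly:
                break
            valid.update(newly)
        return {k: valid.get(k, "unknown") for k in set(self.sigs) | set(self.ownertrust)}

def transitive_scenario():
    """Constructed: Randall never signs Noah, but signs Dave and trusts Dave's
    certifications fully; Dave has signed Noah; Noah has signed Jason."""
    wot = WebOfTrust("randall")
    wot.sign("randall", "dave")
    wot.set_ownertrust("dave", "full")
    wot.sign("dave", "noah")
    wot.sign("noah", "jason")
    return wot.validity()   # noah: full, jason: unknown (Noah's ownertrust is unknown)

def direct_signature_scenario():
    """Constructed: Randall signs Noah directly but assigns him no ownertrust."""
    wot = WebOfTrust("randall")
    wot.sign("randall", "noah")
    wot.sign("noah", "jason")
    return wot.validity()   # noah: full, jason: unknown
```

In both scenarios Noah's key is fully valid, yet Jason's key stays unknown: a signature establishes validity of the signed key only, and says nothing about whether that key's own certifications should count.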

Re: On Key Signing (was Re: [VOTE] Apache CouchDB 1.2.0 release, fifth round)

Posted by Randall Leeds <ra...@gmail.com>.
On Fri, Mar 30, 2012 at 15:41, Randall Leeds <ra...@gmail.com> wrote:
> On Fri, Mar 30, 2012 at 15:15, Randall Leeds <ra...@gmail.com> wrote:
>> On Fri, Mar 30, 2012 at 06:30, Noah Slater <ns...@tumbolia.org> wrote:
>>> My key is signed by:
>>> 85E0E79A 2011-10-19  Randall Leeds <ra...@apache.org>
>>>
>> not dangerously or recklessly so. You are most likely correct that I
>> should not have signed your key, but I hope you agree with my
>> assessment of the situation and can offer some insight as to what,
>> exactly, I gain by meeting you in person.
>
> I'm wondering if I can answer my own question here. I have a feeling
> it has to do with legal liability for releasing software on behalf of
> the ASF. In that case, having some confidence that you not only own
> your email addresses but also your face and person who is also a legal
> citizen that can be held accountable for misbehaving seems prudent.
> Basically, I'm rejecting the notion that PGP demands we meet in person
> in order to trust each other's identities, but admitting that perhaps
> the needs of the ASF demand that I not trust you to sign code unless I
> verify that you are a legal person that can be held accountable for
> misdeeds.
>
> My crime, then, was against the ASF, not the web of trust at large. Perhaps?
> I'll see about revoking just that signature, if it's possible.

I've published a revocation. I'll note that I noticed I had signed it
with trust level 'unknown'. If my understanding is correct, that means
I asserted only the validity but said nothing of the trustworthiness.
If that's the case, I think I may not have done anything wrong at all!
Strange that no one pointed out this distinction to me in the past.
All of the keys I've signed are signed this way.

Re: On Key Signing (was Re: [VOTE] Apache CouchDB 1.2.0 release, fifth round)

Posted by Randall Leeds <ra...@gmail.com>.
On Fri, Mar 30, 2012 at 15:15, Randall Leeds <ra...@gmail.com> wrote:
> On Fri, Mar 30, 2012 at 06:30, Noah Slater <ns...@tumbolia.org> wrote:
>> My key is signed by:
>> 85E0E79A 2011-10-19  Randall Leeds <ra...@apache.org>
>>
> not dangerously or recklessly so. You are most likely correct that I
> should not have signed your key, but I hope you agree with my
> assessment of the situation and can offer some insight as to what,
> exactly, I gain by meeting you in person.

I'm wondering if I can answer my own question here. I have a feeling
it has to do with legal liability for releasing software on behalf of
the ASF. In that case, having some confidence that you not only own
your email addresses but also your face and person who is also a legal
citizen that can be held accountable for misbehaving seems prudent.
Basically, I'm rejecting the notion that PGP demands we meet in person
in order to trust each other's identities, but admitting that perhaps
the needs of the ASF demand that I not trust you to sign code unless I
verify that you are a legal person that can be held accountable for
misdeeds.

My crime, then, was against the ASF, not the web of trust at large. Perhaps?
I'll see about revoking just that signature, if it's possible.

-R

>
> When I meet people in person and exchange keys, they usually ask to
> see my key fingerprint and check that it's the one they're seeing. In
> other words, they verify that the key they're signing is the one I
> claim to own and they aren't being tricked by a MITM, but they don't
> actually make any other checks about who I am. They are communicating
> some notion of trust based on the social signals of the context of our
> meeting. "We met at this place, we talked about stuff, and this person
> seemed to be the person I associate with this key, so I 'trust' them."
> What does it mean to trust? It's totally human. Have I/they been doing
> it wrong?
>
> Thanks for bringing this up, Noah. Do not doubt that I thought hard
> about my decision to sign your key. I've also just reviewed the whole
> FAQ at https://www.apache.org/dev/release-signing and will
> subsequently be transitioning my key to a stronger one. I will,
> perhaps, refrain from publishing any key signings using that beyond
> those people I've personally met.
>
> -Randall

Re: On Key Signing (was Re: [VOTE] Apache CouchDB 1.2.0 release, fifth round)

Posted by Noah Slater <ns...@tumbolia.org>.
GnuPG isn't free? What?

On Sat, Mar 31, 2012 at 6:22 PM, Benoit Chesneau <bc...@gmail.com> wrote:

> On Fri, Mar 30, 2012 at 6:24 PM, Paul Davis <pa...@gmail.com>
> wrote:
> > In related news, everyone traveling to Boston should bring their PGP key
> hash and a photo ID and then we can have a key signing jamboree.
> >
> > http://xkcd.com/364/
> >
> >
>
> I didn't find any free implementation of PGP (gpg isn't), is my SSL
> key valid?
>
> - benoit
>

Re: On Key Signing (was Re: [VOTE] Apache CouchDB 1.2.0 release, fifth round)

Posted by Benoit Chesneau <bc...@gmail.com>.
On Sat, Mar 31, 2012 at 7:22 PM, Benoit Chesneau <bc...@gmail.com> wrote:
> On Fri, Mar 30, 2012 at 6:24 PM, Paul Davis <pa...@gmail.com> wrote:
>> In related news, everyone traveling to Boston should bring their PGP key hash and a photo ID and then we can have a key signing jamboree.
>>
>> http://xkcd.com/364/
>>
>>
>
> I didn't find any free implementation of PGP (gpg isn't), is my SSL
> key valid?
>
> - benoit

and this is a valid concern ^^. Why don't we simply use SSL?

- benoit

Re: On Key Signing (was Re: [VOTE] Apache CouchDB 1.2.0 release, fifth round)

Posted by Benoit Chesneau <bc...@gmail.com>.
On Fri, Mar 30, 2012 at 6:24 PM, Paul Davis <pa...@gmail.com> wrote:
> In related news, everyone traveling to Boston should bring their PGP key hash and a photo ID and then we can have a key signing jamboree.
>
> http://xkcd.com/364/
>
>

I didn't find any free implementation of PGP (gpg isn't), is my SSL
key valid?

- benoit

Re: On Key Signing (was Re: [VOTE] Apache CouchDB 1.2.0 release, fifth round)

Posted by Paul Davis <pa...@gmail.com>.
In related news, everyone traveling to Boston should bring their PGP key hash and a photo ID and then we can have a key signing jamboree.

http://xkcd.com/364/



On Mar 30, 2012, at 7:23 PM, Jason Smith <jh...@iriscouch.com> wrote:

> You are not confirming that somebody is who he says he is. You are
> simply confirming that he bears the key that he says he has. The
> latter is a much simpler problem.
> 
> On Sat, Mar 31, 2012 at 5:15 AM, Randall Leeds <ra...@gmail.com> wrote:
>> On Fri, Mar 30, 2012 at 06:30, Noah Slater <ns...@tumbolia.org> wrote:
>>> My key is signed by:
>>> 85E0E79A 2011-10-19  Randall Leeds <ra...@apache.org>
>>> 
>>> I am actually a little confused why Randall has signed my key. He has never
>>> met me, nor has he ever confirmed my identity, nor has he any assurances
>>> that the key he signed is mine. Randall, maybe you should come to Dublin,
>>> and you can make up for this faux pas? Dave, you need to do the same, if
>>> you want to link our trust circles.
>> 
>> I would love to come to Dublin. I'd totally like to make it happen
>> this year. For now, I'd love to talk about this in case it's a good
>> teaching moment. I'm relatively new to this and may be going about
>> things in the wrong way.
>> 
>> I have never met you. I may disagree that I have never confirmed your
>> identity. Maybe I'm not sure what that actually means. Does it mean
>> that you are called Noah Slater by some government authority? Do I
>> care? I care that our release manager is the one signing our releases
>> and the one calling our votes and that he owns the identity referenced
>> by this key. I have several pieces of infrastructure and communication
>> security (@apache.org email, repository access, IRC cloak, the web of
>> trust with those I have met personally) that tell me this is probably
>> the case as well as lots of online activity correlation that provides
>> strong evidence that this is so.
>> 
>> Therefore, I feel fairly confident stating that the actions of some
>> person who is executing releases and signing code using this key are
>> attributable to some Noah Slater who communicates using the associated
>> email addresses and is an Apache CouchDB PMC member and release
>> manager.
>> 
>> But I think the rub is that trust and validity are different things. I
>> do know, with 100% confidence, that the key I signed has been signing
>> code releases. Whether it belongs to some particular Noah Slater who
>> is *trusted* is a human call. More importantly, it's one that I did
>> not, and perhaps should not, publicise without meeting you in person,
>> though the reasons for this aren't totally clear. I locally trust you,
>> but perhaps not enough to publish that trust without meeting you in
>> person. To me, the faux pas is failing to recognise that a web of
>> trust means that ***I do not need to sign your key to lend weight
>> to its trustworthiness*** because I have done so transitively by
>> signing other, nearby keys. Some subtlety here, I think, escaped me
>> for a time.
>> 
>> I believe a (much more) serious faux pas would be if I had signed your
>> key and it had contained a picture. Since I have not met you I cannot
>> assert that you "look like <some picture>", but the assertions I have
>> made seem relatively sound. Someone wanting to know whether a tarball
>> they received was actually created by our release manager can trust me
>> with that assertion (if they trust me at all). Please point out where
>> I'm wrong, though. I think I've been publicly overly assertive, but
>> not dangerously or recklessly so. You are most likely correct that I
>> should not have signed your key, but I hope you agree with my
>> assessment of the situation and can offer some insight as to what,
>> exactly, I gain by meeting you in person.
>> 
>> When I meet people in person and exchange keys, they usually ask to
>> see my key fingerprint and check that it's the one they're seeing. In
>> other words, they verify that the key they're signing is the one I
>> claim to own and they aren't being tricked by a MITM, but they don't
>> actually make any other checks about who I am. They are communicating
>> some notion of trust based on the social signals of the context of our
>> meeting. "We met at this place, we talked about stuff, and this person
>> seemed to be the person I associate with this key, so I 'trust' them."
>> What does it mean to trust? It's totally human. Have I/they been doing
>> it wrong?
>> 
>> Thanks for bringing this up, Noah. Do not doubt that I thought hard
>> about my decision to sign your key. I've also just reviewed the whole
>> FAQ at https://www.apache.org/dev/release-signing and will
>> subsequently be transitioning my key to a stronger one. I will,
>> perhaps, refrain from publishing any key signings using that beyond
>> those people I've personally met.
>> 
>> -Randall
> 
> 
> 
> -- 
> Iris Couch

Re: On Key Signing (was Re: [VOTE] Apache CouchDB 1.2.0 release, fifth round)

Posted by Randall Leeds <ra...@gmail.com>.
On Tue, Apr 3, 2012 at 14:19, Noah Slater <ns...@tumbolia.org> wrote:
> Randall,
>
> You are free to use whatever system you want to use in determining what
> keys to sign. All I am doing is pointing out what is common, and what is
> commonly frowned upon. A standard baseline is that you have a) met the
> person, b) seen a photo ID, and c) verified cryptographically that
> they control the private key. The last step is usually done through
> exchanging signatures after the key party.

Thanks.

Re: On Key Signing (was Re: [VOTE] Apache CouchDB 1.2.0 release, fifth round)

Posted by Noah Slater <ns...@tumbolia.org>.
Randall,

You are free to use whatever system you want to use in determining what
keys to sign. All I am doing is pointing out what is common, and what is
commonly frowned upon. A standard baseline is that you have a) met the
person, b) seen a photo ID, and c) verified cryptographically that
they control the private key. The last step is usually done through
exchanging signatures after the key party.

On Sat, Mar 31, 2012 at 6:23 AM, Randall Leeds <ra...@gmail.com> wrote:

> On Fri, Mar 30, 2012 at 17:23, Jason Smith <jh...@iriscouch.com> wrote:
> > You are not confirming that somebody is who he says he is. You are
> > simply confirming that he bears the key that he says he has. The
> > latter is a much simpler problem.
>
> That's precisely my point. I have a giant stack of evidence that says
> Noah bears this key.
>
> Also related to my anecdote about signing parties I've experienced,
> wherein nobody asks me to prove that I own the private key, I'll note
> it's sort of unnecessary. Signing *their* keys and publishing that
> demonstrates that I own the private keys corresponding to my identity
> of my signature. But for that first signature with an unconnected
> other, it seems like the "right" thing has nothing to do with driver's
> licenses or photo ID, but everything to do with exchanging a signed
> message over a secure channel, which is slightly more than "hey, the
> fingerprints on our screens match", which just says that you're
> talking about the same key (whose owner may or may not be present).
>

Re: On Key Signing (was Re: [VOTE] Apache CouchDB 1.2.0 release, fifth round)

Posted by Randall Leeds <ra...@gmail.com>.
On Fri, Mar 30, 2012 at 17:23, Jason Smith <jh...@iriscouch.com> wrote:
> You are not confirming that somebody is who he says he is. You are
> simply confirming that he bears the key that he says he has. The
> latter is a much simpler problem.

That's precisely my point. I have a giant stack of evidence that says
Noah bears this key.

Also related to my anecdote about signing parties I've experienced,
wherein nobody asks me to prove that I own the private key, I'll note
it's sort of unnecessary. Signing *their* keys and publishing that
demonstrates that I own the private keys corresponding to my identity
of my signature. But for that first signature with an unconnected
other, it seems like the "right" thing has nothing to do with driver's
licenses or photo ID, but everything to do with exchanging a signed
message over a secure channel, which is slightly more than "hey, the
fingerprints on our screens match", which just says that you're
talking about the same key (whose owner may or may not be present).

Re: On Key Signing (was Re: [VOTE] Apache CouchDB 1.2.0 release, fifth round)

Posted by Jason Smith <jh...@iriscouch.com>.
You are not confirming that somebody is who he says he is. You are
simply confirming that he bears the key that he says he has. The
latter is a much simpler problem.

On Sat, Mar 31, 2012 at 5:15 AM, Randall Leeds <ra...@gmail.com> wrote:
> On Fri, Mar 30, 2012 at 06:30, Noah Slater <ns...@tumbolia.org> wrote:
>> My key is signed by:
>> 85E0E79A 2011-10-19  Randall Leeds <ra...@apache.org>
>>
>> I am actually a little confused why Randall has signed my key. He has never
>> met me, nor has he ever confirmed my identity, nor has he any assurances
>> that the key he signed is mine. Randall, maybe you should come to Dublin,
>> and you can make up for this faux pas? Dave, you need to do the same, if
>> you want to link our trust circles.
>
> I would love to come to Dublin. I'd totally like to make it happen
> this year. For now, I'd love to talk about this in case it's a good
> teaching moment. I'm relatively new to this and may be going about
> things in the wrong way.
>
> I have never met you. I may disagree that I have never confirmed your
> identity. Maybe I'm not sure what that actually means. Does it mean
> that you are called Noah Slater by some government authority? Do I
> care? I care that our release manager is the one signing our releases
> and the one calling our votes and that he owns the identity referenced
> by this key. I have several pieces of infrastructure and communication
> security (@apache.org email, repository access, IRC cloak, the web of
> trust with those I have met personally) that tell me this is probably
> the case as well as lots of online activity correlation that provides
> strong evidence that this is so.
>
> Therefore, I feel fairly confident stating that the actions of some
> person who is executing releases and signing code using this key are
> attributable to some Noah Slater who communicates using the associated
> email addresses and is an Apache CouchDB PMC member and release
> manager.
>
> But I think the rub is that trust and validity are different things. I
> do know, with 100% confidence, that the key I signed has been signing
> code releases. Whether it belongs to some particular Noah Slater who
> is *trusted* is a human call. More importantly, it's one that I did
> not, and perhaps should not, publicise without meeting you in person,
> though the reasons for this aren't totally clear. I locally trust you,
> but perhaps not enough to publish that trust without meeting you in
> person. To me, the faux pas is failing to recognise that a web of
> trust means that ***I do not need to sign your key to lend weight
> to its trustworthiness*** because I have done so transitively by
> signing other, nearby keys. Some subtlety here, I think, escaped me
> for a time.
>
> I believe a (much more) serious faux pas would be if I had signed your
> key and it had contained a picture. Since I have not met you I cannot
> assert that you "look like <some picture>", but the assertions I have
> made seem relatively sound. Someone wanting to know whether a tarball
> they received was actually created by our release manager can trust me
> with that assertion (if they trust me at all). Please point out where
> I'm wrong, though. I think I've been publicly overly assertive, but
> not dangerously or recklessly so. You are most likely correct that I
> should not have signed your key, but I hope you agree with my
> assessment of the situation and can offer some insight as to what,
> exactly, I gain by meeting you in person.
>
> When I meet people in person and exchange keys, they usually ask to
> see my key fingerprint and check that it's the one they're seeing. In
> other words, they verify that the key they're signing is the one I
> claim to own and they aren't being tricked by a MITM, but they don't
> actually make any other checks about who I am. They are communicating
> some notion of trust based on the social signals of the context of our
> meeting. "We met at this place, we talked about stuff, and this person
> seemed to be the person I associate with this key, so I 'trust' them."
> What does it mean to trust? It's totally human. Have I/they been doing
> it wrong?
>
> Thanks for bringing this up, Noah. Do not doubt that I thought hard
> about my decision to sign your key. I've also just reviewed the whole
> FAQ at https://www.apache.org/dev/release-signing and will
> subsequently be transitioning my key to a stronger one. I will,
> perhaps, refrain from publishing any key signings using that beyond
> those people I've personally met.
>
> -Randall



-- 
Iris Couch