On Mon, Oct 8, 2012 at 11:43 AM, Marvin Humphrey <mar...@rectangular.com> wrote: > On Mon, Oct 8, 2012 at 7:36 AM, Branko Čibej <br...@apache.org> wrote: >> What guarantee do you have that a particular Skype ID is whoever you >> think it is? None at all, unless the person involved looked at your >> Skype contact list and said, yeah, that's me. Likewise for Google >> Hangout. As long as they're doing that, they might as well verify the >> signature fingerprint in your PGP keyring. >> >> In this respect e-mail is just as secure, so why don't we all just sign >> keys because someone claiming to be from from Chad sent us a mail asking >> us for a signature? >> >> Really. > > Is it your position that this excerpt from the GnuPG docs is wrong? > > This may be done in person or over the phone or through any other > means as long as you can guarantee that you are communicating with > the key's true owner.
There's another side to this, which I would derisively label, 'so what'? How does it help a user to see that my key is signed by 27 of my fellow Apache contributors, if the user has never met any of us, and has never met anyone who has met any of us, etc, etc. In other words, the Web of Trust only helps users (very much) if they are active participants, and likely to have trust links that reach ASF release managers. In my opinion, that's vanishingly unlikely, and so the best we can do is to allow users to verify that the signature was, in fact, made by the 'Apache hat' that it claimed to be made by. Using the keys in KEYS, or the fingerprints from LDAP, seems the best they can do. > > Marvin Humphr > > --------------------------------------------------------------------- > To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org > For additional commands, e-mail: general-h...@incubator.apache.org > --------------------------------------------------------------------- To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org For additional commands, e-mail: general-h...@incubator.apache.org
