On Mon, Oct 8, 2012 at 4:53 PM, Benson Margulies <bimargul...@gmail.com> wrote:

> On Mon, Oct 8, 2012 at 11:43 AM, Marvin Humphrey <mar...@rectangular.com>
> wrote:
> >> ...
> >> In this respect e-mail is just as secure, so why don't we all just sign
> >> keys because someone claiming to be from Chad sent us a mail asking
> >> us for a signature?
> >>
> >> Really.
> >
> > Is it your position that this excerpt from the GnuPG docs is wrong?
> >
> >     This may be done in person or over the phone or through any other
> >     means as long as you can guarantee that you are communicating with
> >     the key's true owner.
>
>
> There's another side to this, which I would derisively label, 'so
> what'? How does it help a user to see that my key is signed by 27 of
> my fellow Apache contributors, if the user has never met any of us,
> and has never met anyone who has met any of us, etc, etc. In other
> words, the Web of Trust only helps users (very much) if they are
> active participants, and likely to have trust links that reach ASF
> release managers.
>
> In my opinion, that's vanishingly unlikely, and so the best we can do
> is to allow users to verify that the signature was, in fact, made by
> the 'Apache hat' that it claimed to be made by. Using the keys in
> KEYS, or the fingerprints from LDAP, seems the best they can do.
>

Folks who care about the Gnu web of trust will probably be hooked back into
the Linux committers network.  There are definitely connections from there
to the Apache community.  Thus, if the Apache community becomes completely
connected from a trust perspective, it is likely that there will be a short
path back to anybody connected into the Linux community.

I could be just such a link.  I had my (non-Apache) key signed at Buzzwords
last year and if I were to use that key for Apache work, we would have the
requisite link.