@Marvin,

Can you say more about Multi-factor?  I know commonly-claimed schemes involve 
the same factor multiple times (e.g., more things that a party knows, like Aunt 
Gracie's dress size).  I agree that confirming a picture ID (something the 
individual has) is another factor.  What other factors are you thinking of?  (I 
am not sure how many factors signings by others count as new factors.)

 - Dennis

-----Original Message-----
From: Marvin Humphrey [mailto:mar...@rectangular.com] 
Sent: Thursday, October 11, 2012 11:46
To: general@incubator.apache.org
Subject: Re: key signing

On Wed, Oct 10, 2012 at 2:36 PM, Nick Kew <n...@apache.org> wrote:
> On 10 Oct 2012, at 17:04, Marvin Humphrey wrote:
>
>> In my opinion, we have sufficient expertise here at the ASF to devise an
>> authentication protocol whose reliability exceeds that of individuals
>> participating unsupervised in a web of trust, particularly if the protocol
>> were to incorporate archived video and auditing by a PMC.
>
> That may be, but I don't think general@incubator is the place to develop it.

The Incubator is where the acute need exists, because we are bootstrapping
entire communities where no one is linked into the web of trust.

For existing projects, the longer they've been around, the more likely that a
significant number of committers have attended an ApacheCon key-signing party
or otherwise had an opportunity to get their keys signed.  But here, we see
new RMs all the time who are isolated.  It would be nice if we had some
systematic way of integrating them.

In the absence of a formal protocol, suggesting that new RMs go find someone
to sign their key is unsatisfying, since at least some of the time that's
likely to mean email contact alone and potentially a tenuous relationship to
the signer.  The alternative of suggesting that new RMs with a release VOTE
pending go find a local key-signing party to attend seems unrealistic.

In my opinion, general@incubator is an appropriate venue to explore ways in
which the system can be improved.  That will necessarily mean talking about
some implementation details because it would be silly to assess feasibility
otherwise, but please note that the proposed protocol was labeled a "rough
draft".  Maybe we can call it "sample" instead, implying the need to start
over later -- it doesn't matter to me.  I had always imagined that if the
protocol were to move forward it would undergo a process of relentless
scrutiny and refinement by interested parties outside the Incubator.

The payoff is that with a protocol in place which enables us to establish
identity to a high degree of certainty and add an individual to the web of trust
on a short turnaround, the Incubator need not approve another release signed
by an RM who is not linked into the ASF web of trust.

> FWIW for myself I like to back WOT paths by checking manually,
> and feel best about it when I can identify a chain of trust involving only
> people I trust to be savvy enough not to sign keys willy-nilly.
> PGP/GPG support different levels of trust, so the model helps there.

The PR challenge is a separate question.  I will acknowledge that I have been
taken aback by the extreme skepticism in what I view as a straightforward
application of the principles of multi-factor authentication, faithful to
the spirit and letter of the GnuPG docs.

It pains me that the only outcome of this discussion may be that it gets even
harder to make an incubating release. :(

Marvin Humphrey

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
For additional commands, e-mail: general-h...@incubator.apache.org

