Hi Andreas,

* Andreas J. Koenig <[EMAIL PROTECTED]> [2006-07-07 08:35]:
> By the way, I liked your summary of the situation in your
> posting <[EMAIL PROTECTED]> and I wonder how we
> could promote the web of trust on CPAN which clearly is the
> only way forward.
>
> Maybe we need a perlish kind of building it. It's not perlish
> to show each other a passport and make sure that the image
> there matches the face.

hmm, I don’t know how else you’d do it; at least for high confidence, you really have to be absolutely sure that you’re signing the key of the person who is who they’re claiming to be, and there isn’t much opportunity to be completely certain in online interactions.

1. If you ask CPAN contributors to supply their PK *at signup time* (but no later!), you can be certain that the key belongs to the person who signed up – whoever that is. (Keys uploaded later do not confer the same trust, because that key might belong to the person who signed up, or it might belong to an impostor who stole their credentials – you can’t know.) These could be signed with an extra CPAN key that confers more trust.

2. The best opportunity for strong trust is probably the fact that a lot of the really active Perl hackers run into each other face-to-face quite a bit; e.g. the London.pm’ers should have absolutely no trouble exchanging keys face-to-face, but the same is true of many Perlmongers groups. Likewise, many of the core contributors of Perl attend the pertinent conferences (YAPC, OSCON et al).

And of course the meaning of “web of trust” is that once direct trust relationships have been established in local groups where they are easily feasible, then every time someone travels around or goes to a conference and exchanges keys, you get “six degrees of separation” style trust chains.

If we decided to make a big awareness push, we’d probably get the prolific CPAN contributors covered well very quickly, and then it’s a matter of continual evangelism to keep the web expanding.

It is easy to implement #1 immediately, but coverage will take a very long time to go up with that method because it will only apply to new authors. In contrast, coverage should expand pretty quickly with #2, but it will take a lot of community cooperation and lots of evangelism to implement.

Regards,
-- 
Aristotle Pagaltzis // <http://plasmasturm.org/>