
Re: PROPOSAL: GPG Signing of Releases

From: John Peacock <jpeacock_at_rowman.com>
Date: 2004-04-13 20:08:33 CEST

Ben Reser wrote:
> You can still use the shared key without using the web of trust at all.
> Just as you would verify a release with a md5sum by checking multiple
> sources of the md5sum, you can check a key length/fingerprint.

Just as you can use the KEYS file to verify the fingerprint/length of any
individual developer's key, even without buying into the web of trust, right?

> The difference is Apache's technique forces all users that want to use
> GPG to verify a release to buy into the web of trust. I don't believe
> this is a realistic requirement. That's not to say I have anything
> against the web of trust.

And that is the piece I am still missing then. How does the user establish
trust with the shared key without trusting one of the other keys that signed the
shared key? Again, a single F2F key exchange is required. It just winds up
being a degenerate form of the web of trust concept (single chain rather than

Are there significant numbers of people who object to the web of trust concept
that you are trying to satisfy? I think it is pretty innocuous that if I am
going to ask someone to meet me to establish their identity (so I could trust
their key) that I would do the same in return (i.e. join the web of trust).

I suspect that most people will ignore whatever key we signed the release with,
some people will continue to use the MD5, a few will check the fingerprint of the
key, and only a relatively small number will go the full route of F2F meeting to
establish trust. For that last group, we should go to the easiest method which
would satisfy them; even you admit that using a shared key requires more careful
controls than multiple cross-signed developer keys.


John Peacock
Director of Information Research and Technology
Rowman & Littlefield Publishing Group
4720 Boston Way
Lanham, MD 20706
301-459-3366 x.5010
fax 301-429-5747
Received on Tue Apr 13 20:08:34 2004

This is an archived mail posted to the Subversion Dev mailing list.