A different angle.

Noah asks me to sign his key.

Noah tells me that he's committed it to KEYS for CloudStack in svn
revision 314159.

I examine that revision and see that it was made by, indeed, Noah's
Apache ID, which is associated with a particular email address.

I send email to secretary@, asking "Can you confirm that
nsla...@apache.org corresponds to a CLA signed by a person named Noah
Slater?"

The secretary says yes.

I then feel that it's perfectly reasonable to sign a key that has two
things in it, the name Noah Slater and nsla...@apache.org, and that has
the same signature as the one in SVN, because if this process doesn't
verify an adequate association, then no one can trust the Apache IP
process, either.

What am I missing here that would be improved by an in-person
examination of his, oh, passport? A risk of some baroque MITM attack
on Apache's svn server?

It seems to me that this highlights a global issue with the WoT: how
can I know the standards and level of care of every link in a chain of
trust from me to some other person?

None of this, of course, changes my concern that the average Apache
user isn't connected, but if the argument is persuasive it should
unleash a positive avalanche of key signing.
