On 10 Oct 2012, at 11:25, Benson Margulies wrote:

> I then feel that it's perfectly reasonable to sign a key that has two
> things in it: the name Noah Slater and nsla...@apache.org, because if
> this process doesn't verify an adequate association, then no one can
> trust the Apache IP process, either, and which has the same signature
> as the one in SVN.

The Apache process is satisfied with his identity. The Apache process says so by publishing the key under his name at apache.org, thus establishing a certain level of trust.

That most certainly doesn't mean I should sign the key: for me to do so based on hearsay (my own trust not in his key but in the Apache process) just muddies the waters.

The missing link is my ability to formalise my WoT level of trust (whatever it might be) in the Apache process by signing a key labelled something like "ASF committer enrolment process" which in turn automatically signs everyone's keys. Were it not for the risk of rather serious misunderstanding, I should advocate such a key.

-- 
Nick Kew