Hi Marvin,

> On Wed, Oct 10, 2012 at 8:11 AM, Florian Holeczek <flor...@holeczek.de> wrote:
>> However, what would now be totally wrong IMO is, that some guys in the ASF
>> redefine these rules in order to make the process of release signing more
>> simple. In the WoT big picture, this would automatically mean that every key
>> that is signed based on these weak rules would have to be marked as
>> marginally trusted (if at all) by people who want to really follow the
>> PGP/GPG WoT concept.
>
> In my opinion, we have sufficient expertise here at the ASF to devise an
> authentication protocol whose reliability exceeds that of individuals
> participating unsupervised in a web of trust, particularly if the protocol
> were to incorporate archived video and auditing by a PMC.

that may well be. Having read most of the mails on this thread, I was kind of shocked by how carelessly some would sign a key though, too, and that's what I meant by weak rules. Defining a good key signing protocol containing multiple factors, like you've mentioned in a different mail on this thread, would certainly help here, that's true.

Regards
Florian