On 28 Jun 2011, at 13:22, Benson Margulies wrote: > There's another possible dimension to this, which is related to the > 'Apache Key' suggestion. > > The current mechanism gives a\ sophisticated/ consumer tools to get > some confidence that what they downloaded was, in fact, created by > someone in the Apache infrastructure.
Agreed. My thoughts were about improving that. Ideally it might also lead the way to improved tools that'll serve a much wider audience. For example, checks that could be built into package managers. > If a dozen black hats create PGP keys that purport to belong to > various Apache committers, and sign each others keys, and publish them > to a key server, they could create confusion, restrained (if I have > this right) by KEYS on APache's own server. Indeed. Though I'd've thought the most useful safeguard against that is when the real committers - or anyone else whose WoT includes their keys - verifies a signature, and finds an unexpected failure to verify. Then the publicity where users will see it. > What if the ASF stored keys, and offered a web page into which you > could post a key and get back either "(check) signed by a committer of > Apache foo, bar, and baz" or "(big red x) not a signature we > recognize". That seems more useful to me than an Apache global key. Every little helps, but I don't see that adds much to existing KEYS (which you can, after all, search for whatever string you'd enter into the form). If KEYS is guaranteed 100% secure then we're safe, but what I'm thinking of is additional safeguards against the danger of someone smuggling in bogus keys purporting to be ours. As of now, how would you know if I were to smuggle in a key pretending to be yours and start signing things? -- Nick Kew Available for work, contract or permanent http://www.webthing.com/~nick/cv.html --------------------------------------------------------------------- To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org For additional commands, e-mail: general-h...@incubator.apache.org
