I see I committed the sin of using "signature" two different ways, below.
I mean the file digest value (digital hash, SHA1) for what power users and appropriate downloader utilities check. I mean the external digital signature and the signers public-key cert in the Apache keys with regard to checking digital signatures on release candidates and in any subsequent forensic investigation/confirmation. - Dennis -----Original Message----- From: Dennis E. Hamilton [mailto:[email protected]] Sent: Thursday, October 11, 2012 08:19 To: [email protected] Subject: RE: key signing +1 I'm assuming Benson means the digest (SHA1) by "signature." Using those from the Apache site is probably the first-line for power users and about as much extra effort that can be expected. The use of download utilities that reliably check signatures from authentic sources is a small boost -- for power users. - Dennis The verification of the external signatures also on the Apache site is something that I believe is material only for review of the release candidate and also any subsequent forensics work if there is a problem. In all cases, the public-key cert should be obtained from the Apache site keys folder. The most-significant improvement in this, for binaries at least, is the use of embedded signatures that are verified as part of operating-system functions on the relevant platform. That's as low-friction as it gets and users don't have to take any special steps at all, other than pay attention to the warning dialogs that the platform coughs up. -----Original Message----- From: Benson Margulies [mailto:[email protected]] Sent: Thursday, October 11, 2012 05:20 To: [email protected] Subject: Re: key signing Greg having more or less restated my opening position ("how do we improve assurance for probable actual users"), I'd throw in another bit. Threat analysis is all well and good, but it please don't forget the biggest principle here. If the assurance mechanism is so abstruse that users won't understand it, or so complex that they can't use it, then they won't, and they will be at the mercy of the dumbest possible attack. Before we worry about MITM, or subverted Apache infrastructure, I claim that we should be offering users a simple, easy-to-understand means of protecting against fraudulent packages. As per Greg, the signatures do that. As per me, unsigned keys verified against Apache infrastructure do that. Over and above that, we could then ask, 'how could we improve protection against most complex problems?' --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
