On 20/03/25 17:16, Christopher Schultz wrote:
Roberto,

On 3/20/25 7:52 AM, Roberto Resoli wrote:
On 19/03/25 20:48, Mark Thomas wrote:
On 19/03/2025 18:51, Mark Thomas wrote:

...

So the signing fingerprint may not be the same as that of the principal key as mentioned in the KEYS file.

Correct.

If the community would like me to do so, I can put the subkey into the KEYS file as well.

Imho this is not needed; a correct verification procedure (import key, verify signature) shows clearly which is the signing key. One should not rely on the correspondence of the mentioned fingerprint alone, without importing the key.

...

Generally, I'd recommend obtaining keys for ASF releases from the associated KEYS file for that release. We watch all commits carefully but any changes to the KEYS files get looked at very closely.

I view the key servers as less reliable as there have been fake keys in my name uploaded in the past and I am not convinced it is no longer possible.

Yes; I guess that usual check of the signatures of the key by others (the web of trust) remains the main criterion.

+1

I and others attempt to participate in PGP keysigning exercises at any ASF events we attend. During those exercises, we confirm exact key signatures (to avoid signing fake or malicious keys uploaded by others), confirm identities (typically using a government-issued form of identity such as a passport), and sign each other's keys.

This is fine!

So while some people will sign a key based upon minimal authentication criteria (e.g. I downloaded the key from a key server and signed it because I recognized the person's email address), ASF committers will (almost?) never do that. I personally have never signed the key of someone I had not met in person as described above.

Great.
Thank you

-rob

-chris
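
The point made above, that the key which signed a release may be a subkey whose fingerprint differs from the primary key listed in KEYS, can be checked mechanically from the status lines gpg emits with `--status-fd`. The following is an added example, not code from the thread or from the ASF: it assumes the documented VALIDSIG line layout (signing-key fingerprint third, primary-key fingerprint last), and all fingerprints and the KEYS excerpt are constructed sample data.

```python
import re
from typing import Optional

# Constructed sample of gpg --status-fd output for a detached signature made
# with a signing subkey. Every fingerprint here is invented.
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 2222222222222222 Example Release Manager <rm@example.invalid>
[GNUPG:] VALIDSIG 2222222222222222222222222222222222222222 2025-03-19 1742410000 0 4 0 1 10 00 1111111111111111111111111111111111111111
[GNUPG:] TRUST_ULTIMATE 0 pgp
"""

# Constructed excerpt of a KEYS file; only the primary key's fingerprint is listed.
SAMPLE_KEYS = """\
pub   rsa4096 2020-01-01 [SC]
      1111 1111 1111 1111 1111  1111 1111 1111 1111 1111
uid           Example Release Manager <rm@example.invalid>
sub   rsa4096 2020-01-01 [E]
"""


def parse_validsig(status: str) -> Optional[dict]:
    """Return the signing-key and primary-key fingerprints from VALIDSIG, or None."""
    for line in status.splitlines():
        if line.startswith("[GNUPG:] VALIDSIG "):
            f = line.split()
            # f[2] is the key that made the signature (possibly a subkey);
            # the optional last field f[11] is the primary key it belongs to.
            return {"signing": f[2].upper(),
                    "primary": (f[11] if len(f) > 11 else f[2]).upper()}
    return None


def fingerprints_in_keys(keys_text: str) -> set:
    """Collect 40-hex-digit fingerprints, tolerating gpg's grouped spacing."""
    found = set()
    for line in keys_text.splitlines():
        if "=" in line:                      # older "Key fingerprint = ..." layout
            line = line.split("=", 1)[1]
        compact = re.sub(r"\s+", "", line)
        if re.fullmatch(r"[0-9A-Fa-f]{40}", compact):
            found.add(compact.upper())
    return found


def signature_matches_keys(status: str, keys_text: str) -> bool:
    """True only if gpg reported a good signature AND the primary key is in KEYS."""
    sig = parse_validsig(status)
    if sig is None or "[GNUPG:] GOODSIG " not in status:
        return False
    return sig["primary"] in fingerprints_in_keys(keys_text)
```

Comparing the signing fingerprint from VALIDSIG directly against KEYS would fail for a subkey-made signature, which is exactly the mismatch the thread describes; comparing the primary fingerprint is the check that holds.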


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
