httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 15622] New: - serve KEYS by means of https with a certificate issued by a CA that is built-in with the most popular browsers/mail clients
Date Mon, 23 Dec 2002 06:54:48 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=15622>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=15622

serve KEYS by means of https with a certificate issued by a CA that is built-in with the most
popular browsers/mail clients

           Summary: serve KEYS by means of https with a certificate issued
                    by a CA that is built-in with the most popular
                    browsers/mail clients
           Product: Apache httpd-2.0
           Version: 2.0.32
          Platform: Other
               URL: http://www.apache.org/dist/httpd/KEYS
        OS/Version: Other
            Status: NEW
          Severity: Normal
          Priority: Other
         Component: Documentation
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: hauser@acm.org


Agreed, it is o.k. to provide
http://www.apache.org/dist/httpd/httpd-2.0.43.tar.gz.asc without additional
protection, but it would be good to serve the PGP verification keys from a more
secure source. Sure, this is mingling the two trust models, X.509 and PGP,
but...
- since no systematic mutual signing among the provided PGP keys took place ((i)
Ben Laurie, as the first entry in the file, does have some other people endorsing
him, but none out of the group featured in this file nor any among the people in
the base public key file shipped by PGP at download, and (ii) even mod_ssl guru
Engelschall appears not to be overtly trusted by anybody?)
- since there are no phone numbers/URLs to call and verify the fingerprint,
neither inside the PGP keys (admittedly, as PGP only allows for e-mails and
photos, going for any further binding of address information is not foreseen by
the program and would require overloading/misusing its "add name" feature) nor
in the surrounding (unfortunately non-https) web pages.

It may still be useful to add one such extra assurance (which admittedly has its
own limitations), since most httpd admins will never bother to properly
bootstrap the security of the keys used for the signatures you provide.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
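A defender-side check in the spirit of this report, added here as an example (it is not part of the bug report or of the httpd project): importing KEYS gives gpg the keys but no trust, so the accept/reject decision is made against a primary-key fingerprint pinned from an out-of-band source. It assumes GnuPG 2.x status-line output; the fingerprints and status lines are constructed placeholders.

```python
# Primary-key fingerprints pinned from an out-of-band source (for instance an
# https page behind a browser-trusted CA, as the report proposes). Constructed
# placeholder values, not real Apache release keys.
PINNED_RELEASE_KEYS = {"0123456789ABCDEF0123456789ABCDEF01234567"}

# Constructed gpg status output: a signature made by a subkey of the pinned
# primary key, with web-of-trust left undefined by the fresh keyring.
SAMPLE_STATUS = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Release Manager <rm@example.invalid>",
    "[GNUPG:] VALIDSIG 89ABCDEF0123456789ABCDEF0123456789ABCDEF 2002-12-23 "
    "1040626488 0 4 0 1 2 00 0123456789ABCDEF0123456789ABCDEF01234567",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]


def gpg_verify_commands(homedir, keys_file, sig_file, target):
    """Two gpg invocations (GnuPG 2.x assumed): import KEYS into a throw-away
    keyring, then verify with machine-readable status lines on stdout."""
    base = ["gpg", "--batch", "--no-tty", "--homedir", homedir]
    return (base + ["--import", keys_file],
            base + ["--status-fd", "1", "--verify", sig_file, target])


def judge_status(status_lines, pinned):
    """Decide from '[GNUPG:] ...' lines whether a download is acceptable.
    VALIDSIG is necessary but not sufficient: a freshly imported KEYS file
    carries no trust (gpg says TRUST_UNDEFINED), so the signing key's primary
    fingerprint must match one pinned out of band."""
    primary_fpr = None
    for line in status_lines:
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        if fields[1] in ("BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"):
            return False, "signature rejected: " + fields[1]
        if fields[1] == "VALIDSIG":
            # VALIDSIG <fpr> <date> <ts> <expiry> <ver> <reserved> <pkalgo>
            # <hashalgo> <class> <primary-fpr>; the last field names the primary
            # key even when a subkey made the signature.
            primary_fpr = fields[11] if len(fields) > 11 else fields[2]
    if primary_fpr is None:
        return False, "no VALIDSIG line: nothing was verified"
    if primary_fpr.upper() not in pinned:
        return False, "good signature, but key " + primary_fpr + " is not pinned"
    return True, "good signature from pinned key " + primary_fpr
```

To wire it up, run the two argv lists from gpg_verify_commands with subprocess and pass the verify step's stdout lines to judge_status.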

