httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 15622] - serve KEYS by means of https with a certificate issued by a CA that is built-in with the most popular browsers/mail clients
Date Mon, 17 Feb 2003 07:10:01 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=15622>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=15622

serve KEYS by means of https with a certificate issued by a CA that is built-in with the most
popular browsers/mail clients

hauser@acm.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Severity|Normal                      |Enhancement



------- Additional Comments From hauser@acm.org  2003-02-17 07:10 -------
I am happy to donate the ~$50 to get a certificate from e.g.
http://www.comodogroup.com/products/certificate_services/index.html

Where and how would I donate? (the "support..." link appears to be dead - see
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=17115). I see
http://www.apache.org/foundation/contributing.html#how-to-donate, but how would
I ensure that it is used for the very purpose of this bug/enhancement?
I could send the money to you personally through paypal or ask a friend of mine at
Irvine to give it to you in cash?

Maybe you are right, it could be classified as an enhancement rather than a bug.

Sure, pgp signing parties are a good thing, but it is still more than
astonishing that Ben and Ralf (the mod_ssl key persons as mentioned in
http://httpd.apache.org/docs-2.0/mod/mod_ssl.html) never made it to one of those
and even yourself only got Aaron to sign your key.
AFAIK, out-of-band channels (e.g. calling Engelschall by phone in Munich) are
another legitimate option to establish trust.

I would even go one step further and suggest that in
http://www.apache.org/dist/httpd/KEYS, out-of-band approaches should be
described just to verify the signers' fingerprints (with no expectation of
subsequent cross-signing) for arbitrary apache downloading users. Sure, you
might argue that you don't want to sit on the phone 7x24 repeating your
fingerprint, but I contend that security awareness and knowledge among users
unfortunately is such that the phone would only ring very rarely!
Even setting up an answering machine somewhere that just reads down the list of
PGP fingerprints is IMHO better than the status quo. Shall I open a new RFE for
this?

Hoping that all the above qualifies for a "Reopen" of this enhancement request.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
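The check the comment above argues for, verifying the signers' fingerprints in a downloaded KEYS file against values obtained out of band (phone, printed card, answering machine), as an added example that is not part of the bug thread: the KEYS text and the pinned fingerprints below are constructed sample values, and the comparison is written to report tampered, unconfirmed and absent keys separately.

```python
import re

# Constructed sample in the shape of an Apache-style KEYS file: the
# "gpg --fingerprint" output for each signer, then the armored key block
# (key material omitted here). Not the real httpd KEYS file.
SAMPLE_KEYS = """\
pub  1024D/AAAAAAAA 2002-04-06 Example Signer One <one@example.org>
     Key fingerprint = 1111 2222 3333 4444 5555  6666 7777 8888 AAAA AAAA
uid                            Example Signer One <one@example.org>
-----BEGIN PGP PUBLIC KEY BLOCK-----
(armored key material omitted in this constructed sample)
-----END PGP PUBLIC KEY BLOCK-----
pub  1024D/CCCCCCCC 2003-01-10 Example Signer Two <two@example.org>
     Key fingerprint = 9999 8888 7777 6666 5555  4444 3333 2222 CCCC CCCC
uid                            Example Signer Two <two@example.org>
"""

# Fingerprints confirmed out of band, keyed by key id. Constructed values;
# DDDDDDDD is a signer we expected but who is absent from the file.
PINNED = {
    "AAAAAAAA": "1111 2222 3333 4444 5555 6666 7777 8888 AAAA AAAA",
    "CCCCCCCC": "9999 8888 7777 6666 5555 4444 3333 2222 CCCC CCCC",
    "DDDDDDDD": "DEAD BEEF DEAD BEEF DEAD BEEF DEAD BEEF DDDD DDDD",
}

PUB_RE = re.compile(r"^pub\s+\S+/([0-9A-Fa-f]{8,16})\b")
FPR_RE = re.compile(r"Key fingerprint\s*=\s*([0-9A-Fa-f ]+)$")


def parse_keys_fingerprints(text):
    """Map each 'pub' key id to the 40-hex-digit fingerprint that follows it."""
    fprs, current = {}, None
    for line in text.splitlines():
        m = PUB_RE.match(line)
        if m:
            current = m.group(1).upper()      # remember whose fingerprint comes next
            continue
        m = FPR_RE.search(line)
        if m and current:
            fprs[current] = m.group(1).replace(" ", "").upper()
            current = None
    return fprs


def check_against_pinned(keys_text, pinned):
    """Classify every signer as verified, mismatch (tampered or wrong key),
    unpinned (never confirmed out of band) or missing (pinned but absent)."""
    found = parse_keys_fingerprints(keys_text)
    report = {"verified": set(), "mismatch": set(), "unpinned": set()}
    for keyid, fpr in found.items():
        if keyid not in pinned:
            report["unpinned"].add(keyid)
        elif pinned[keyid].replace(" ", "").upper() == fpr:
            report["verified"].add(keyid)
        else:
            report["mismatch"].add(keyid)
    report["missing"] = set(pinned) - set(found)
    return report
```

Only keys in the "verified" set should be trusted to check release signatures; an "unpinned" signer is exactly the case the comment describes, a key whose fingerprint nobody has confirmed through a second channel.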

