httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 15622] - serve KEYS by means of https with a certificate issued by a CA that is built-in with the most popular browsers/mail clients
Date Mon, 17 Feb 2003 18:38:48 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=15622>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=15622

serve KEYS by means of https with a certificate issued by a CA that is built-in with the most
popular browsers/mail clients





------- Additional Comments From hauser@acm.org  2003-02-17 18:38 -------
Aaron: <<2) We should not imply to anyone that by downloading the KEYS
    file from an SSL server that they can suddenly trust the
    _contents_ of the KEYS file. Sure, they can better trust
    that the contents weren't altered during transmission ...>>
It would be sad if legitimate, but half-thought-through, legal questions resulted
in a service degradation.
Therefore I suggest:
1) Further add to the KEYS file:
<<On Apache's own site and some mirrors, you can download the KEYS under https.
This reduces the exposure to some imaginable attacks, but this by no means
implies that this file is authentic.
For the proper way to determine whether you are satisfied with the KEYS'
authenticity, please consult http://www.gnupg.org/gph/en/manual.html#AEN335>>
2) If you deem the "provided as is" part in http://www.apache.org/LICENSE.txt to
be insufficient protection for the foundation, perhaps it is time to add general
Terms & Conditions (e.g. as http://www.apache.org/foundation/T_and_C.html) to the
site, which every visitor/user has to abide by, to remedy that.
If you want an example of such T&Cs, I am happy to provide one, but I am sure
you have better lawyers than I do ...

Perhaps I should open two separate RFEs for 1) and 2)?
