incubator-general mailing list archives

From Niclas Hedhman <nic...@hedhman.org>
Subject Re: ASF Web of Trust [was: Release Distribution Strategy]
Date Mon, 29 Oct 2007 02:13:31 GMT
On Sunday 28 October 2007 23:15, Erik Abele wrote:
> As BenL always says: "I don't give a shit about some random document,  
> that could be faked anyway. All I care about is the email address  
> connected to the key I intend to sign - is it really the address of  
> the person in question?".

Ok, and if you don't know the individual in person, you put the trust in 
a "Driver's license" or similar... but don't really care how that 'trust' 
was established.
I must be plain dumb, but I don't "get" why this provides any comfort to 
end-users, even if they manage to figure out what to do with the .ASCs (I bet 
a very small percentage do).

And that is why I am asking for better tooling. 

> See also http://wiki.apache.org/apachecon/PgpKeySigning

Ok, it shows half the picture; how to sign the keys is left out...

> > as well as tooling support for verifications.
> http://httpd.apache.org/dev/verification.html

Uhhhh, we probably have more than a million users. Do we expect them all to 
get a hook into the WOT?? IMHO, there is something wrong with that 
picture...

Couldn't a simple http://www.apache.org/verify, where I put the ASC file (and 
the MD5 of the download??) and get an "Authenticated" or not response, be done?? If 
that is too hard to automate, I don't think we ever will see any increase in 
user awareness. The process on the above page is beyond most users' 
imagination.


Cheers
Niclas

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org
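The verification procedure the thread refers to (KEYS file, detached .asc signature, .md5 checksum), scripted as an added example; this is editor-supplied illustration, not code from the thread or from any Apache project. It assumes the artifact sits beside its `<file>.asc` and `<file>.md5` and that the project's KEYS file has already been downloaded.

```shell
#!/bin/sh
# Added example: the manual verification steps as one script.
# Assumed layout: <artifact>, <artifact>.asc, <artifact>.md5 and a KEYS file.
set -u

# Import the project's public keys into a throwaway keyring, so release
# checking never depends on, or pollutes, the user's own web of trust.
import_keys() {     # $1 = KEYS file, $2 = keyring directory
    gpg --homedir "$2" --quiet --import "$1"
}

# Compare the artifact's digest with the value in the .md5 file. The file is
# assumed to hold either "<hash>" alone or "<hash>  <filename>", so only the
# first field is read. Note that a checksum only detects corrupted downloads:
# anyone able to swap the artifact on a mirror can swap the .md5 as well.
check_md5() {       # $1 = artifact, $2 = .md5 file
    expected=$(awk 'NR==1 {print $1}' "$2")
    actual=$(md5sum "$1" | awk '{print $1}')
    [ "$expected" = "$actual" ]
}

# Verify the detached signature against the throwaway keyring. gpg returns 0
# for a good signature from any imported key, trusted or not, so success only
# proves the release was signed by a key listed in KEYS, not who holds it.
check_signature() { # $1 = artifact, $2 = .asc file, $3 = keyring directory
    gpg --homedir "$3" --verify "$2" "$1" 2>/dev/null
}

verify_release() {  # $1 = artifact path, $2 = KEYS file; 0 = all checks passed
    keyring=$(mktemp -d)
    import_keys "$2" "$keyring"          || { echo "KEYS import failed"; return 1; }
    check_md5 "$1" "$1.md5"              || { echo "MD5 mismatch";       return 1; }
    check_signature "$1" "$1.asc" "$keyring" || { echo "bad signature";  return 1; }
    echo "OK: $1 matches its MD5 and is signed by a key listed in KEYS"
}

# Usage: verify.sh <artifact> <KEYS file>
if [ "$#" -ge 2 ]; then verify_release "$1" "$2"; fi
```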

