incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From sebb <seb...@gmail.com>
Subject Re: ASF Web of Trust [was: Release Distribution Strategy]
Date Mon, 29 Oct 2007 13:37:40 GMT
On 29/10/2007, Erik Abele <erik@codefaktor.de> wrote:
> On 29.10.2007, at 03:13, Niclas Hedhman wrote:
>
> > On Sunday 28 October 2007 23:15, Erik Abele wrote:
> >> As BenL always says: "I don't give a shit about some random document,
> >> that could be faked anyway. All I care about is the email address
> >> connected to the key I intend to sign - is it really the address of
> >> the person in question?".
> >
> > Ok, and if you don't know the individual in person, you put the
> > trust in
> > a "Driver's license" or similar... but doesn't really care how that
> > 'trust'
> > was established.
>
> There's a ton of interpretations and levels of trust out there; I
> suggest you consult Google for that.
>
> > I must be plain dumb, but I don't "get" why this provides any
> > comfort to
> > end-users, even if they manage to figure out what to do with
> > the .ASCs (I bet
> > a very small percentage do).
>
> Well, if you verify an ASF release it can show you two things:
>
> a) if the signature is good you know that the file has not been
> tampered with;
>    it's the same as when the release was originally cut by the RM
> b) if you can establish a trust path to the signer of the file then
> you can be
>    pretty sure that it's a legit release and not a faked one

Even if you can't establish a trust path, the PGP signature gives a
bit more assurance than a hash. The KEY file should be in SVN, so you
can ensure that the person that added the key to the KEY file was at
least a committer to SVN.

> Again, please see http://httpd.apache.org/dev/verification.html -
> especially the sections on "Checking Signatures" [a) above] and
> "Validating Authenticity of a Key" [b) above].
>
> Re small percentage: I doubt that most users even care; the majority
> probably won't even think about it :(
>
> > And that is why I am asking for better tooling.
>
> Ok, feel free to improve that :-)
>
> >> See also http://wiki.apache.org/apachecon/PgpKeySigning
> >
> > Ok, it shows half the picture; How to sign the keys are left out...
>
> See one of the billions of tutorials in Google, or simply "man
> gpg" (--sign-key or --edit-key).
>
> >>> as well as tooling support for verifications.
> >> http://httpd.apache.org/dev/verification.html
> >
> > Uhhhh, we probably have more than a million users. Do we expect
> > them all to
> > get a hook into the WOT ?? IMHO, there is something wrong with that
> > picture...
>
> The million users don't even care about all that - the ones who do
> will find a way to connect the dots or even get into the WOT (see
> examples provided by Robert).
>
> E.g. if I see that a release is signed by the key XYZ of S. Striker
> and I go and fetch that key from a public keyserver and take a look
> at the list of signatures, I'll find out that there a names like Roy
> T. Fielding, Jim Jagielski, and so on... now, when I compare the
> fingerprints and maybe also have a look at http://www.apache.org/dist/
> httpd/KEYS then I can be pretty sure that the release was made by an
> official member of the HTTPD PMC - that should be enough for Random
> Joe to feel comfortable...
>
> > Couldn't a simple; http://www.apache.org/verify where I put the ASC
> > file (and
> > the MD5 of download??) and get a "Authenticated" or not response be
> > done?? If
> > that is too hard to automate, I don't think we ever will see any
> > increase in
> > user awareness.
>
> http://people.apache.org/~henkp/cgi-bin/md5.cgi will verify the MD5
> for you - it doesn't really make sense to have the same for PGP
> signatures IMHO.
>
> > The process on the above page is beyond most users'
> > imagination.
>
> As said, they probably don't even care otherwise they would know...
>
> Cheers,
> Erik
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
> For additional commands, e-mail: general-help@incubator.apache.org
>
>

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org


Mime
View raw message