incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Erik Abele <e...@codefaktor.de>
Subject Re: ASF Web of Trust [was: Release Distribution Strategy]
Date Mon, 29 Oct 2007 13:26:23 GMT
On 29.10.2007, at 03:13, Niclas Hedhman wrote:

> On Sunday 28 October 2007 23:15, Erik Abele wrote:
>> As BenL always says: "I don't give a shit about some random document,
>> that could be faked anyway. All I care about is the email address
>> connected to the key I intend to sign - is it really the address of
>> the person in question?".
>
> Ok, and if you don't know the individual in person, you put the  
> trust in
> a "Driver's license" or similar... but doesn't really care how that  
> 'trust'
> was established.

There's a ton of interpretations and levels of trust out there; I  
suggest you consult Google for that.

> I must be plain dumb, but I don't "get" why this provides any  
> comfort to
> end-users, even if they manage to figure out what to do with  
> the .ASCs (I bet
> a very small percentage do).

Well, if you verify an ASF release it can show you two things:

a) if the signature is good you know that the file has not been  
tampered with;
    it's the same as when the release was originally cut by the RM
b) if you can establish a trust path to the signer of the file then  
you can be
    pretty sure that it's a legit release and not a faked one

Again, please see http://httpd.apache.org/dev/verification.html -  
especially the sections on "Checking Signatures" [a) above] and  
"Validating Authenticity of a Key" [b) above].

Re small percentage: I doubt that most users even care; the majority  
probably won't even think about it :(

> And that is why I am asking for better tooling.

Ok, feel free to improve that :-)

>> See also http://wiki.apache.org/apachecon/PgpKeySigning
>
> Ok, it shows half the picture; How to sign the keys are left out...

See one of the billions of tutorials in Google, or simply "man  
gpg" (--sign-key or --edit-key).

>>> as well as tooling support for verifications.
>> http://httpd.apache.org/dev/verification.html
>
> Uhhhh, we probably have more than a million users. Do we expect  
> them all to
> get a hook into the WOT ?? IMHO, there is something wrong with that
> picture...

The million users don't even care about all that - the ones who do  
will find a way to connect the dots or even get into the WOT (see  
examples provided by Robert).

E.g. if I see that a release is signed by the key XYZ of S. Striker  
and I go and fetch that key from a public keyserver and take a look  
at the list of signatures, I'll find out that there a names like Roy  
T. Fielding, Jim Jagielski, and so on... now, when I compare the  
fingerprints and maybe also have a look at http://www.apache.org/dist/ 
httpd/KEYS then I can be pretty sure that the release was made by an  
official member of the HTTPD PMC - that should be enough for Random  
Joe to feel comfortable...

> Couldn't a simple; http://www.apache.org/verify where I put the ASC  
> file (and
> the MD5 of download??) and get a "Authenticated" or not response be  
> done?? If
> that is too hard to automate, I don't think we ever will see any  
> increase in
> user awareness.

http://people.apache.org/~henkp/cgi-bin/md5.cgi will verify the MD5  
for you - it doesn't really make sense to have the same for PGP  
signatures IMHO.

> The process on the above page is beyond most users'
> imagination.

As said, they probably don't even care otherwise they would know...

Cheers,
Erik


---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org


Mime
View raw message