incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Robert Burrell Donkin" <robertburrelldon...@gmail.com>
Subject Re: ASF Web of Trust [was: Release Distribution Strategy]
Date Mon, 29 Oct 2007 12:49:23 GMT
On 10/29/07, Niclas Hedhman <niclas@hedhman.org> wrote:
> On Sunday 28 October 2007 23:15, Erik Abele wrote:
> > As BenL always says: "I don't give a shit about some random document,
> > that could be faked anyway. All I care about is the email address
> > connected to the key I intend to sign - is it really the address of
> > the person in question?".
>
> Ok, and if you don't know the individual in person, you put the trust in
> a "Driver's license" or similar... but doesn't really care how that 'trust'
> was established.
> I must be plain dumb, but I don't "get" why this provides any comfort to
> end-users, even if they manage to figure out what to do with the .ASCs (I bet
> a very small percentage do).

most users should check the hashes (not the signatures)

anyone who is not well-connected to the apache WOT gains only a little
security by using a signature and only that if they understand WOT
concepts pretty well. providing that release managers are well
connected to the apache WOT then two small (but very important) groups
of users typically fall into this category: apache members and
downstream release managers. that is why apache insists on them.

> And that is why I am asking for better tooling.

+1

IMO this needs to be done at the protocol level

> > See also http://wiki.apache.org/apachecon/PgpKeySigning
>
> Ok, it shows half the picture; How to sign the keys are left out...

see http://people.apache.org/~henkp/

> > > as well as tooling support for verifications.
> > http://httpd.apache.org/dev/verification.html
>
> Uhhhh, we probably have more than a million users. Do we expect them all to
> get a hook into the WOT ?? IMHO, there is something wrong with that
> picture...

no - but we do expect the apache infrastructure team to be

> Couldn't a simple; http://www.apache.org/verify where I put the ASC file (and
> the MD5 of download??) and get a "Authenticated" or not response be done?? If
> that is too hard to automate, I don't think we ever will see any increase in
> user awareness. The process on the above page is beyond most users'
> imagination.

IMO this needs to be done at the protocol level to gain the required
security (rather than just the appearance of security). if there's
anyone around who's active on HTTP standards then now would be a great
time to jump in...

- robert

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org


Mime
View raw message