incubator-general mailing list archives

From "Dennis E. Hamilton" <orc...@apache.org>
Subject RE: key signing
Date Thu, 11 Oct 2012 15:19:06 GMT
+1

I'm assuming Benson means the digest (SHA1) by "signature."  Using those from the Apache site
is probably the first line for power users and about as much extra effort as can be expected.
The use of download utilities that reliably check signatures from authentic sources is a
small boost -- for power users.

 - Dennis

The verification of the external signatures also on the Apache site is something that I believe
is material only for review of the release candidate and also any subsequent forensics work
if there is a problem.  In all cases, the public-key cert should be obtained from the Apache
site keys folder.  

The most-significant improvement in this, for binaries at least, is the use of embedded signatures
that are verified as part of operating-system functions on the relevant platform.  That's
as low-friction as it gets and users don't have to take any special steps at all, other than
pay attention to the warning dialogs that the platform coughs up.

-----Original Message-----
From: Benson Margulies [mailto:bimargulies@gmail.com] 
Sent: Thursday, October 11, 2012 05:20
To: general@incubator.apache.org
Subject: Re: key signing

Greg having more or less restated my opening position ("how do we
improve assurance for probable actual users"), I'd throw in another
bit.

Threat analysis is all well and good, but please don't forget the
biggest principle here. If the assurance mechanism is so abstruse that
users won't understand it, or so complex that they can't use it, then
they won't, and they will be at the mercy of the dumbest possible
attack.

Before we worry about MITM, or subverted Apache infrastructure, I
claim that we should be offering users a simple, easy-to-understand
means of protecting against fraudulent packages. As per Greg, the
signatures do that. As per me, unsigned keys verified against Apache
infrastructure do that.

Over and above that, we could then ask, 'how could we improve
protection against more complex problems?'

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org

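The "first-line" check Dennis describes above, comparing the digest published on the Apache site with the bytes you actually downloaded, written out as an added example. This is not code from the thread or from any Apache project; the artifact bytes and both sidecar files are constructed inline so it runs offline. It handles the two sidecar layouts found on Apache dist servers, the coreutils `<hex>  <filename>` form and the `gpg --print-md` form whose hex groups wrap across indented continuation lines, and it rejects a sidecar that names a different file, since a valid checksum for the wrong artifact proves nothing about the one in hand.

```python
"""Check an Apache-style digest sidecar (.md5/.sha1/.sha256/.sha512) against a
downloaded artifact.  Added example for this thread; the sample artifact and
sidecar texts below are constructed, not taken from any real Apache release."""
import hashlib
import hmac
import re

# Constructed sample artifact (stands in for a downloaded release tarball).
ARTIFACT_NAME = "apache-example-1.0-incubating.tar.gz"
ARTIFACT_BYTES = b"constructed sample bytes, not a real release\n"


def algo_for_sidecar(sidecar_name: str) -> str:
    """Pick the hash algorithm from the sidecar's extension, e.g. foo.tar.gz.sha512."""
    ext = sidecar_name.rsplit(".", 1)[-1].lower()
    if ext not in ("md5", "sha1", "sha256", "sha512"):
        raise ValueError("unknown digest extension: " + ext)
    return ext


def hexdigest(data: bytes, algo: str) -> str:
    """Lowercase hex digest of data under the named hashlib algorithm."""
    h = hashlib.new(algo)
    h.update(data)
    return h.hexdigest()


def parse_sidecar(text: str, expected_name: str) -> str:
    """Return the lowercase hex digest the sidecar claims for expected_name.

    Accepted layouts:
      coreutils style:  "<hex>  <filename>"   (a leading '*' on the filename is
                        the binary-mode marker and is ignored)
      gpg --print-md:   "<filename>: AB12 CD34 ..." with the hex groups possibly
                        wrapped across indented continuation lines
    A sidecar naming a different file is rejected outright.
    """
    body = text.strip()
    # gpg --print-md layout: name, colon, then only hex groups and whitespace
    m = re.match(r"^(?P<name>[^\s:]+):\s*(?P<groups>[0-9A-Fa-f\s]+)$", body)
    if m:
        name = m.group("name")
        hexstr = re.sub(r"\s+", "", m.group("groups"))
    else:
        # coreutils layout: single line, hex first
        m = re.match(r"^(?P<hex>[0-9A-Fa-f]+)\s+\*?(?P<name>\S+)$", body)
        if not m:
            raise ValueError("unrecognised sidecar layout")
        name, hexstr = m.group("name"), m.group("hex")
    if name != expected_name:
        raise ValueError("sidecar is for %r, not %r" % (name, expected_name))
    return hexstr.lower()


def verify_digest(data: bytes, sidecar_text: str, expected_name: str, algo: str) -> str:
    """Return "ok", or a short "reject: ..." reason, never an exception."""
    try:
        claimed = parse_sidecar(sidecar_text, expected_name)
    except ValueError as exc:
        return "reject: " + str(exc)
    actual = hexdigest(data, algo)
    if len(claimed) != len(actual):
        # wrong algorithm for this sidecar, or a truncated/corrupt sidecar
        return "reject: digest length does not match %s" % algo
    if not hmac.compare_digest(claimed, actual):
        return "reject: digest mismatch"
    return "ok"


def _as_print_md(hexstr: str, name: str, per_line: int = 16) -> str:
    """Render a digest in gpg --print-md layout: 4-char upper-case groups,
    wrapped onto indented continuation lines (used only to build sample input)."""
    groups = [hexstr[i:i + 4].upper() for i in range(0, len(hexstr), 4)]
    indent = " " * (len(name) + 2)
    lines = []
    for i in range(0, len(groups), per_line):
        prefix = name + ": " if i == 0 else indent
        lines.append(prefix + " ".join(groups[i:i + per_line]))
    return "\n".join(lines) + "\n"


# Constructed sidecars for the sample artifact, one in each layout.
SIDECAR_SHA1 = hexdigest(ARTIFACT_BYTES, "sha1") + "  " + ARTIFACT_NAME + "\n"
SIDECAR_SHA512 = _as_print_md(hexdigest(ARTIFACT_BYTES, "sha512"), ARTIFACT_NAME)

if __name__ == "__main__":
    print("sha1   :", verify_digest(ARTIFACT_BYTES, SIDECAR_SHA1, ARTIFACT_NAME, "sha1"))
    print("sha512 :", verify_digest(ARTIFACT_BYTES, SIDECAR_SHA512, ARTIFACT_NAME, "sha512"))
    print("tampered:", verify_digest(ARTIFACT_BYTES + b"\x00", SIDECAR_SHA512, ARTIFACT_NAME, "sha512"))
```

A passing digest only proves the bytes match what the server published; it does not tell you who published them. That is the job of the detached `.asc` signature, which is checked with `gpg --verify` against a key imported from the project's KEYS file on the Apache site, the step Dennis reserves for release-candidate review and later forensics.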
