incubator-general mailing list archives

From Daniel Shahaf <...@daniel.shahaf.name>
Subject Re: key signing
Date Thu, 11 Oct 2012 12:41:36 GMT
sebb wrote on Thu, Oct 11, 2012 at 09:48:25 +0100:
> On 11 October 2012 02:39, Daniel Shahaf <d.s@daniel.shahaf.name> wrote:
> > Greg Stein wrote on Wed, Oct 10, 2012 at 21:31:30 -0400:
> >> Not too much. We still instruct users "take the signatures and verify
> >> them against blah.apache.org/KEYS". John Blackhat could replace the
> >> signatures and install his entry into KEYS.
> >
> > If you use https://people.apache.org/keys/ instead of KEYS files in the
> > dist/ tree, John would have to crack two machines rather than one.
> 
> Last time I looked, the process downloads the key from a PGP server
> (which does not provide any auth at all) using the key id(s) in LDAP.
> 
> I assume you mean John would have to obtain credentials to be able to
> alter the key id in the signer's LDAP record?
> 
> AFAIK, this is the same LDAP that is used to authenticate SVN access
> (which is all that is needed to upload new archives and KEYS).
> 
> Seems like a single point of failure to me - or maybe I am missing
> something here?

LDAP is a single point of failure, but with that you can't forge
anything without causing a post-commit email.

> 
> > </plug> :-P
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
> > For additional commands, e-mail: general-help@incubator.apache.org
> >
> 

