incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From sebb <seb...@gmail.com>
Subject Re: key signing
Date Thu, 11 Oct 2012 08:48:25 GMT
On 11 October 2012 02:39, Daniel Shahaf <d.s@daniel.shahaf.name> wrote:
> Greg Stein wrote on Wed, Oct 10, 2012 at 21:31:30 -0400:
>> Not too much. We still instruct users "take the signatures and verify
>> them against blah.apache.org/KEYS". John Blackhat could replace the
>> signatures and install his entry into KEYS.
>
> If you use https://people.apache.org/keys/ instead of KEYS files in the
> dist/ tree, John would have to crack two machines rather than one.

Last time I looked, the process downloads the key from a PGP server
(which does not provide any auth at all) using the key id(s) in LDAP.

I assume you mean John would have to obtain credentials to be able to
alter the key id in the signer's LDAP record?

AFAIK, this is the same LDAP that is used to authenticate SVN access
(which is all that is needed to upload new archives and KEYS).

Seems like a single point of failure to me - or maybe I am missing
something here?

> </plug> :-P
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
> For additional commands, e-mail: general-help@incubator.apache.org
>

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org


Mime
View raw message