incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Dennis E. Hamilton" <orc...@apache.org>
Subject RE: Code signing and WOT for releases
Date Thu, 28 Jul 2016 17:05:05 GMT


> -----Original Message-----
> From: Martin Gainty [mailto:mgainty@hotmail.com]
> Sent: Thursday, July 28, 2016 05:13
> To: general@incubator.apache.org
> Subject: RE: Code signing and WOT for releases
> 
> 4) how to find a public key certificate matching the ID in the signature
> and how to check that the private key is asserted to be in the
> possession of the person controlling orcmid@apache.org[orcmid]  if you are *not*
> using assertions how would this be accomplished?
[orcmid] 

That's correct, there is no technical assertion mechanism in OpenPGP.  I should not have used
that term.

What constitutes the equivalent of an *attestation* in WOT is the counter-signing of a public
key by another.  That is taken as an attestation that an identified individual claimed authority
over the private key by virtue of the fingerprint, the User ID, and in-person confirmation
of identification.

In the case of controlling orcmid@ apache.org, the evidence is that the person having control
of that account (Apache Committer ID orcmid) placed the fingerprint in his private account
record and the system retrieved the key with that fingerprint and placed it at <http://people.apache.org/keys/committer/orcmid.asc>.
 That is retrieval from Internet key servers periodically and will reflect any counter-signing
by others as well as any revocation.

There's more to be said about that particular certificate, and other attestations that apply
to it, but we can stop here unless you are curious about that.

 - Dennis

> 
> Regards
> Martin
> ______________________________________________
> 
> 
> 
> > From: dennis.hamilton@acm.org
> > To: general@incubator.apache.org
> > Subject: RE: Code signing and WOT for releases
> > Date: Wed, 27 Jul 2016 10:01:59 -0700
> >
> >
> > > -----Original Message-----
> > > From: Martin Gainty [mailto:mgainty@hotmail.com]
> > > Sent: Wednesday, July 27, 2016 08:06
> > > To: general@incubator.apache.org
> > > Subject: RE: Code signing and WOT for releases
> > >
> > >
> > >
> > > > From: dennis.hamilton@acm.org
> > > > To: general@incubator.apache.org
> > > > Subject: RE: Code signing and WOT for releases
> > > > Date: Tue, 26 Jul 2016 10:33:13 -0700
> > > > [ ... ] Yesterday, I received an email from one of the users who
> > > received a security advisory message that I signed.  The user's mail
> > > reader reported that the signature was untrusted (no surprise) and
> that
> > > the signature was BAD.  Since the mail reader shows the stripped
> > > message, and it looks perfectly fine, there is no way to help
> analyze
> > > that from my end.
> > > >
> > > > What I did do was (1) verify the message that was sent to me from
> the
> > > list and (2) verify the message in the list archive.  I then (3)
> advised
> > > the recipient what I did and also (4) how to find a public key
> > > certificate matching the ID in the signature and how to check that
> the
> > > private key is asserted to be in the possession of the person
> > > controlling orcmid@apache.org and how the individual having control
> of
> > > that email address is associated with the ASF.
> > >
> > > MG>can we assume the key was converted to PKCS8 before asserting the
> > > key?
> > > http://stackoverflow.com/questions/5230942/how-to-read-a-private-
> key-
> > > for-use-with-opensaml
> > >
> > > MG>and then built new SignatureBuilder().buildObject() Signature
> with
> > > key locations before assigning
> > > assertion.setSignature(___)?http://www.programcreek.com/java-api-
> > > examples/index.php?api=org.opensaml.xml.signature.Signature
> > >
> > > MG>/thanks dennis/
> > [orcmid]
> >
> > This signing had nothing to do with MIME-signatures or SSL.  It is a
> plaintext message that has a "clearsign" OpenPGP signed section in-line
> in the message body.  (The signed part was created first and then pasted
> into the plaintext email.)  You can see the archived form at
> > <http://mail-archives.apache.org/mod_mbox/openoffice-
> announce/201607.mbox/browser> where it is the only message there. At the
> bottom of the HTML-formatted display of the message, select the "Unnamed
> text/plain" link to see a cleaner plaintext.
> >
> > This is not unlike the .asc files that can be made as external PGP
> signatures of code, except it is inline instead of external to the file
> being signed.
> >
> > > >
> > > > (I made another check of the archived message too.  The raw form
> of
> > > the message fails to verify when downloaded and that appears to be
> on
> > > account of some encoding features that have to be processed properly
> for
> > > the original text to be reconstituted properly. That might or might
> not
> > > be relevant to how that recipient's email reader handles PGP
> > > > signatures.)
> > [orcmid]
> >
> > (If you look at the raw version on the archive, you will see a pile of
> =20 line endings that make the raw form unverifiable.  And because the
> signature block has a line ending in =, there is an appended raw "3D"
> that breaks the whole thing. A client that does not restore the
> plaintext before checking the signature will claim that the signature is
> "BAD".)
> >
> > PS: I sent the same message to a colleague who has a PGP-aware email
> client, and the message verified automatically and was presented without
> the boundaries and the signature block.  Instead, there was a marker
> that indicated the part of the message that was signed.  So it would
> appear that the person who reported to me encountered an
> interoperability failure.
> > > >
> > [ ... ]
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
> > For additional commands, e-mail: general-help@incubator.apache.org
> >
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org


Mime
View raw message