www-infrastructure-dev mailing list archives

From "William A. Rowe Jr." <wr...@rowe-clan.net>
Subject Re: Signing jars
Date Wed, 07 Sep 2011 16:50:22 GMT
On 9/5/2011 7:11 AM, Benson Margulies wrote:
> Sander's email raises the fundamental policy question: "What does an
> ASF-wide signature mean?"
> 
> There are two possibilities.
> 
> 1: A signature means that the thing signed is a piece of a fully-voted release.
> 
> 2: A signature means that the thing signed was produced by an Apache
> committer as part of a release process.
> 
> If you take option 1, then you have the dilemma between 'voting on the
> final bits' and 'not signing until it's voted.'
> 
> I think that Bill Rowe's thoughts included, however, what I could call option 3:
> 
> 3: A signature means that the thing signed was produced by an Apache
> committer as part of a release process. However, at *this url*, you
> will find a permanent list of all the signed artifacts that eventually
> became part of fully-voted Apache releases.
> 
> I am not clear if the Verisign service that Bill described offers some
> utility here.

Only in that if we used the Verisign service vs. signing with an ASF-wide
certificate, we could revoke the signatures of all unreleased objects.

I very strongly prefer option 1.

> On the other hand, when I started thinking about this last week, I
> expected that a global ASF certificate would be rejected for this very
> reason. I expected more enthusiasm for a scheme to extend the
> 'individual responsibility' theory to X.509.

How so?  This isn't a question of the X.509 specification.  It's a question
of how Microsoft, Sunoracle and Verisign have actually deployed code signing,
as we are talking about conforming to their code signing strategy, and not
inventing a new code signing method.

If we want to deploy a new code signing method, it would be based on PGP,
which already works for us.
