xml-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From <be...@ozemail.com.au>
Subject Re: PMC Work Items
Date Fri, 28 Feb 2003 01:32:11 GMT
G'day Shane,

> Shane Curcuru wrote

> Let's make sure we keep this focused on the basics.  I don't think we have 
> the need or resources to setup our own PGP keyserver; there are plenty 
> already out there (http://pgpkeys.mit.edu/ seems popular with 
> Apacheites).  Plus I think infrastructure@ and others are already working 
> on secure ways to get KEYS files directly from an ASF machine securely, 
> which will solve the trusted distribution of keys problem.

So exactly what is the aim of the game here?
Happy to agree that a keyserver may be over the
top, but a mechanism that conveys an Apache
keyring to end users of Apache software would
surely have to be a good thing?  If we are serious
about secure software distribution (and I think
we are, given we are taking the trouble to sign
the releases in the first place), then surely we
should also be serious about how we extend that
security into user-land.

I'd also be interested in what you mean by "a secure
ways to get KEYS files directly from an ASF
machine"?  Surely a key is either in the web of
trust (whatever that means to us) or not.  The
fact is resides on an ASF machine doesn't
necessarily mean that we should put a high degree
of trust in it. 

BTW - That's not in any way having a
go at the security of ASF machines.  That's simply
saying that you are basing the trust you place on
a cryptographic key on the security of a
password.  Seems a bit contradictory?

Or have I read the whole thing wrong :>.

> One thing we do need is more prominently published how-tos for using PGP 
> (or GPG, or older or newer versions of PGP, all of which are different) 
> both for signing and verifying.  There are a number of snippets on various 
> download pages, and a couple of sites on the web with descriptions, but 
> it'd be nice to have more details specifically for both committers and users.

Absolutely agree!  I'd also say the how-to should 
extend to a minimum set of requirements we would
like to see in place before a key is signed.


This message was sent through MyMail http://www.mymail.com.au

In case of troubles, e-mail:     webmaster@xml.apache.org
To unsubscribe, e-mail:          general-unsubscribe@xml.apache.org
For additional commands, e-mail: general-help@xml.apache.org

View raw message