xml-general mailing list archives

From robert burrell donkin <robertburrelldon...@blueyonder.co.uk>
Subject Re: PMC Work Items
Date Fri, 28 Feb 2003 09:52:09 GMT

On Friday, February 28, 2003, at 01:32 AM, <berin@ozemail.com.au> wrote:

> G'day Shane,
>
>> Shane Curcuru wrote
>
>> Let's make sure we keep this focused on the basics.  I don't think we have
>> the need or resources to setup our own PGP keyserver; there are plenty
>> already out there (http://pgpkeys.mit.edu/ seems popular with
>> Apacheites).  Plus I think infrastructure@ and others are already working
>> on secure ways to get KEYS files directly from an ASF machine securely,
>> which will solve the trusted distribution of keys problem.
>>
>
> So exactly what is the aim of the game here?
> Happy to agree that a keyserver may be over the
> top, but a mechanism that conveys an Apache
> keyring to end users of Apache software would
> surely have to be a good thing?  If we are serious
> about secure software distribution (and I think
> we are, given we are taking the trouble to sign
> the releases in the first place), then surely we
> should also be serious about how we extend that
> security into user-land.
>
> I'd also be interested in what you mean by "a secure
> ways to get KEYS files directly from an ASF
> machine"?  Surely a key is either in the web of
> trust (whatever that means to us) or not.  The
> fact it resides on an ASF machine doesn't
> necessarily mean that we should put a high degree
> of trust in it.

suppose a key resides on an ASF machine. if you download a release from a 
third party machine that is correctly signed with that key, how far can 
you trust that release? in particular, is it more or less safe than 
downloading an unsigned release directly from an ASF machine?

well, if the ASF machine has been compromised, both situations are equally 
untrustworthy.

so, let's assume that the ASF machine has not been compromised. so, the 
key downloaded from the server can be as trusted as the release downloaded 
from the server. if the key has been compromised, it means that the 
release manager's machine has been compromised. but in this case, the 
unsigned release must also be suspect.

therefore, it seems to me that a release signed by a key which resides on 
an ASF machine can be trusted as much as a release downloaded directly 
from an ASF machine.

so, in security terms, moving from unsigned releases on an ASF machine to 
signed releases on mirrors with keys on ASF machines is security neutral.

moving to a secure apache wide system of signed keys would be a definite 
improvement. (but there may be practical problems to be overcome.)

- robert
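The trust argument in the message above, as an added example that is not part of the original thread: a small constructed Python threat model that enumerates which party compromises go undetected under each of the three distribution schemes discussed (unsigned release on the ASF host, signed release on a mirror with KEYS fetched from the ASF host, and the proposed Apache-wide signed KEYS). The party names and the "KEYS signed by an ASF-wide key the user already holds" scheme are assumptions of this model, not something the thread specifies.

```python
from itertools import combinations

# Constructed threat model (assumption, not from the thread). Parties an
# attacker might control:
#   "asf_host"   - the ASF machine serving KEYS and the canonical release
#   "rm_machine" - the release manager's box holding the private signing key
#   "mirror"     - a third-party mirror serving the release tarball
# A scheme "loses" a scenario if the user ends up accepting a tampered release.
PARTIES = ("asf_host", "rm_machine", "mirror")


def unsigned_from_asf(comp):
    """Unsigned release fetched directly from the ASF machine."""
    # Whoever controls the host, or can upload as the release manager,
    # can replace the tarball and nothing the user does will detect it.
    return "asf_host" in comp or "rm_machine" in comp


def signed_from_mirror_keys_on_asf(comp):
    """Signed release from a mirror; KEYS file fetched from the ASF machine."""
    # Host control lets the attacker swap KEYS for their own key and push a
    # re-signed tarball through mirror sync; RM-machine control yields a
    # genuine signature on a tampered tarball. A compromised mirror alone
    # can only serve a tarball whose signature fails verification.
    return "asf_host" in comp or "rm_machine" in comp


def signed_from_mirror_keys_signed_by_root(comp):
    """As above, but KEYS is itself signed by an ASF-wide key the user holds."""
    # KEYS can no longer be substituted by whoever controls the host, so
    # only a genuine signing-key compromise goes undetected.
    return "rm_machine" in comp


SCHEMES = {
    "unsigned/asf": unsigned_from_asf,
    "signed/mirror+keys-from-asf": signed_from_mirror_keys_on_asf,
    "signed/mirror+signed-keys": signed_from_mirror_keys_signed_by_root,
}


def all_scenarios():
    """Every subset of parties the attacker might control (8 scenarios)."""
    return [frozenset(s) for n in range(len(PARTIES) + 1)
            for s in combinations(PARTIES, n)]


def losing_scenarios(name):
    """Scenarios in which the named scheme accepts a tampered release."""
    return {c for c in all_scenarios() if SCHEMES[name](c)}


def compare(a, b):
    """Order two schemes by their losing-scenario sets (smaller is stronger)."""
    la, lb = losing_scenarios(a), losing_scenarios(b)
    if la == lb:
        return "equal"
    if la < lb:
        return f"{a} stronger"
    if lb < la:
        return f"{b} stronger"
    return "incomparable"
```

Under this model the first two schemes lose exactly the same scenarios, which is the "security neutral" claim, while the signed-KEYS scheme loses strictly fewer.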

