xmlgraphics-general mailing list archives

From Vincent Hennebert <vhenneb...@gmail.com>
Subject Re: Key Signing Party Anyone?
Date Thu, 24 Jul 2014 19:07:20 GMT
Since Clay was available only today we held a mini-party together where
we signed each other's keys. For the others, please give your
availabilities for the next 2 weeks and we can organise The Big One.

Clay, that was good to talk to you after all that time!

Vincent


On 23/07/14 23:31, Clay Leeds wrote:
> I’m available tomorrow 7/24/2014 7am-4pm Pacific (2pm-10pm UTC).
>
> Clay
>
> On Jul 23, 2014, at 12:58 PM, Vincent Hennebert <vhennebert@gmail.com> wrote:
>> as you are probably aware Apache releases must be signed. I do have
>> a code-signing key but, because of the weaknesses found in SHA-1 [1], it
>> is now obsolete. So I created a new, stronger one, and I now have to add
>> it to the web of trust.
>>
>> See [2] for explanations about the web of trust. In short, this is a way
>> to ensure that a key actually belongs to the person it claims, without
>> having met that person. That allows you to increase your confidence that
>> a signed artefact you are downloading has not been tampered with and was
>> created by the right people. For a graphical representation of the web
>> of trust at Apache, see here:
>> http://people.apache.org/~henkp/trust/apache.html
>>
>> In order to build a web of trust I thought that maybe we could organise
>> a virtual key signing party, over Skype or Google Hangout, among the XML
>> Graphics committers.
>>
>> It’s fairly simple and quite fun. You have to send me beforehand the
>> public fingerprint of your key. It can be generated e.g. like this:
>> $ gpg --fingerprint vhennebert
>> pub   4096R/72FA275A 2014-07-22
>>       Key fingerprint = 492F E32D 853F 1081 FF58  66F5 EF6D 31C7 72FA 275A
>>
>> During the signing party, we will check that all the fingerprints are
>> correct. Then, each of us will show their ID at the webcam, for others
>> to check they are talking to the right person.
>>
>> And that’s it. After the meeting, each of us can download the others’
>> keys from a key server, check that the fingerprint matches what was
>> presented during the party (this is important!), sign and upload the
>> key. See [3] for more details.
>>
>> If you don’t have a PGP key, now is the time to create one. The
>> following document is full of details about PGP, how it works, how it is
>> used at Apache, how to create a key, etc.
>> http://www.apache.org/dev/release-signing.html
>>
>> If you do have a key but it is a DSA key or a 1024 bit RSA key, then you
>> need to switch to a stronger key (this is my case). See here for more
>> info:
>> http://www.apache.org/dev/key-transition.html
>>
>> So, who’s up for it? Please give your availabilities in an answer to this
>> message. If you have it already, you may also want to include your
>> public key fingerprint.
>>
>> As for myself, I would be available on working days during the next
>> 2 weeks, between 7am UTC and 8pm UTC.
>>
>> Thanks,
>> Vincent
>>
>>
>> [1] For more details, see
>> http://www.apache.org/dev/release-signing.html#note
>> [2] http://www.apache.org/dev/release-signing.html#web-of-trust
>> [3] http://www.cryptnet.net/fdp/crypto/keysigning_party/en/keysigning_party.html#after_keysigning_party
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: general-unsubscribe@xmlgraphics.apache.org
>> For additional commands, e-mail: general-help@xmlgraphics.apache.org
>>
>
>
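
Added example (not part of the original messages): a Python sketch of the post-party check described in the quoted mail, comparing the full fingerprints noted at the party with the keys downloaded from a key server, as listed by gpg --with-colons --fingerprint. The committer-b and committer-c entries, the listing, and every fingerprint except the one quoted above are constructed.

```python
import re

PAGE_FP = "492F E32D 853F 1081 FF58  66F5 EF6D 31C7 72FA 275A"  # quoted in the mail

def normalize(fp):
    """Drop the spacing of a printed fingerprint; require 40 hex digits."""
    fp = re.sub(r"\s+", "", fp).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", fp):
        raise ValueError("not a full 40-digit fingerprint: %r" % fp)
    return fp

def primary_fingerprints(colons):
    """Primary-key fingerprints from `gpg --with-colons --fingerprint` output."""
    found, last = [], None
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub"):
            last = f[0]
        elif f[0] == "fpr" and last == "pub" and len(f) > 9:
            # Field 10 holds the fingerprint; fpr lines after "sub" are subkeys.
            found.append(normalize(f[9]))
    return found

def check_sheet(sheet, colons):
    """Compare fingerprints noted at the party with the downloaded keys."""
    downloaded = primary_fingerprints(colons)
    result = {}
    for name, printed in sheet.items():
        want = normalize(printed)
        if want in downloaded:
            result[name] = "match"
        elif any(fp[-8:] == want[-8:] for fp in downloaded):
            result[name] = "MISMATCH"  # same short key ID, different key
        else:
            result[name] = "not downloaded"
    return result

def fpr(fp):
    """Build one constructed fpr record (nine colons, then the fingerprint)."""
    return "fpr" + ":" * 9 + fp + ":"

# Constructed sample data: only PAGE_FP comes from the message above.
SHEET = {"vhennebert": PAGE_FP,
         "committer-b": "0" * 32 + "DEADBEEF",  # hypothetical attendee
         "committer-c": "1" * 40}               # hypothetical attendee
LISTING = "\n".join([
    "pub:-:4096:1:EF6D31C772FA275A:1405987200:::-:::scESC:", fpr(normalize(PAGE_FP)),
    "sub:-:4096:1:AAAAAAAAAAAAAAAA:1405987200::::::e:", fpr("A" * 40),
    "pub:-:4096:1:FFFFFFFFDEADBEEF:1405987200:::-:::scESC:", fpr("F" * 32 + "DEADBEEF"),
])
print(check_sheet(SHEET, LISTING))
```

Only keys reported as "match" should go on to the sign-and-upload step; the MISMATCH entry shows a key with the same 8-digit key ID but a different fingerprint, which is why the full fingerprint is compared.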


