xmlgraphics-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Luis Bernardo <lmpmberna...@gmail.com>
Subject Re: Key Signing Party Anyone?
Date Thu, 24 Jul 2014 21:37:04 GMT

I am not going to dispute the social benefits of a party, but can't we 
achieve the same level of trust by placing the public key in our Apache 
area, or by committing it to svn? Then for sure we know the key belongs 
to that committer, right?

On 7/23/14, 8:58 PM, Vincent Hennebert wrote:
> as you are probably aware Apache releases must be signed. I do have
> a code-signing key but, because of the weaknesses found in SHA-1 [1], it
> is now obsolete. So I created a new, stronger one, and I now have to add
> it to the web of trust.
> See [2] for explanations about the web of trust. In short, this is a way
> to ensure that a key actually belongs to the person it claims, without
> having met that person. That allows to increase your confidence that
> a signed artefact you are downloading has not been tampered with and was
> created by the right people. For a graphical representation of the web
> of trust at Apache, see here:
> http://people.apache.org/~henkp/trust/apache.html
> In order to build a web of trust I thought that maybe we could organise
> a virtual key signing party, over Skype or Google Hangout, among the XML
> Graphics committers.
> It’s fairly simple and quite fun. You have to send me beforehand the
> public fingerprint of your key. It can be generated e.g. like this:
> $ gpg --fingerprint vhennebert
> pub   4096R/72FA275A 2014-07-22
>       Key fingerprint = 492F E32D 853F 1081 FF58  66F5 EF6D 31C7 72FA 
> 275A
> During the signing party, we will check that all the fingerprints are
> correct. Then, each of us will show their ID at the webcam, for others
> to check they are talking to the right person.
> And that’s it. After the meeting, each of us can download the others’
> keys from a key server, check that the fingerprint matches what was
> presented during the party (this is important!), sign and upload the
> key. See [3] for more details.
> If you don’t have a PGP key, now is the time to create one. The
> following document is full of details about PGP, how it works, how it is
> used at Apache, how to create a key, etc.
> http://www.apache.org/dev/release-signing.html
> If you do have a key but it is a DSA key or a 1024 bit RSA key, then you
> need to switch to a stronger key (this is my case). See here for more
> info:
> http://www.apache.org/dev/key-transition.html
> So, who’s up for it? Please give your availabilities in an answer to this
> message. If you have it already, you may also want to include your
> public key fingerprint.
> As for myself, I would be available on working days during the next
> 2 weeks, between 7am UTC and 8pm UTC.
> Thanks,
> Vincent
> [1] For more details, see
> http://www.apache.org/dev/release-signing.html#note
> [2] http://www.apache.org/dev/release-signing.html#web-of-trust
> [3] 
> http://www.cryptnet.net/fdp/crypto/keysigning_party/en/keysigning_party.html#after_keysigning_party
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: general-unsubscribe@xmlgraphics.apache.org
> For additional commands, e-mail: general-help@xmlgraphics.apache.org

To unsubscribe, e-mail: general-unsubscribe@xmlgraphics.apache.org
For additional commands, e-mail: general-help@xmlgraphics.apache.org

View raw message