xmlgraphics-general mailing list archives

From Clay Leeds <the.webmaes...@gmail.com>
Subject Re: Key Signing Party Anyone?
Date Wed, 23 Jul 2014 21:31:18 GMT
I’m available tomorrow 7/24/2014 7am-4pm Pacific (2pm-10pm UTC).


On Jul 23, 2014, at 12:58 PM, Vincent Hennebert <vhennebert@gmail.com> wrote:
> as you are probably aware Apache releases must be signed. I do have
> a code-signing key but, because of the weaknesses found in SHA-1 [1], it
> is now obsolete. So I created a new, stronger one, and I now have to add
> it to the web of trust.
> See [2] for explanations about the web of trust. In short, this is a way
> to ensure that a key actually belongs to the person it claims, without
> having met that person. That allows you to increase your confidence that
> a signed artefact you are downloading has not been tampered with and was
> created by the right people. For a graphical representation of the web
> of trust at Apache, see here:
> http://people.apache.org/~henkp/trust/apache.html
> In order to build a web of trust I thought that maybe we could organise
> a virtual key signing party, over Skype or Google Hangout, among the XML
> Graphics committers.
> It’s fairly simple and quite fun. You have to send me beforehand the
> public fingerprint of your key. It can be generated e.g. like this:
> $ gpg --fingerprint vhennebert
> pub   4096R/72FA275A 2014-07-22
>      Key fingerprint = 492F E32D 853F 1081 FF58  66F5 EF6D 31C7 72FA 275A
> During the signing party, we will check that all the fingerprints are
> correct. Then, each of us will show their ID at the webcam, for others
> to check they are talking to the right person.
> And that’s it. After the meeting, each of us can download the others’
> keys from a key server, check that the fingerprint matches what was
> presented during the party (this is important!), sign and upload the
> key. See [3] for more details.
> If you don’t have a PGP key, now is the time to create one. The
> following document is full of details about PGP, how it works, how it is
> used at Apache, how to create a key, etc.
> http://www.apache.org/dev/release-signing.html
> If you do have a key but it is a DSA key or a 1024 bit RSA key, then you
> need to switch to a stronger key (this is my case). See here for more
> info:
> http://www.apache.org/dev/key-transition.html
> So, who’s up for it? Please give your availabilities in an answer to this
> message. If you have it already, you may also want to include your
> public key fingerprint.
> As for myself, I would be available on working days during the next
> 2 weeks, between 7am UTC and 8pm UTC.
> Thanks,
> Vincent
> [1] For more details, see
> http://www.apache.org/dev/release-signing.html#note
> [2] http://www.apache.org/dev/release-signing.html#web-of-trust
> [3] http://www.cryptnet.net/fdp/crypto/keysigning_party/en/keysigning_party.html#after_keysigning_party
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: general-unsubscribe@xmlgraphics.apache.org
> For additional commands, e-mail: general-help@xmlgraphics.apache.org

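The after-party step the quoted message stresses (download the key, check that its fingerprint matches what was presented, and only then sign) as an added shell example; it is not code from the original thread or from the Apache documents it links to. The colon-format listing is constructed for offline testing, and the live `verify_and_sign` path assumes gpg is installed with a key server configured.

```shell
#!/bin/sh
# Refuse to sign a key unless its primary fingerprint equals the one read out
# at the signing party. Parsing is done on `gpg --with-colons` output so the
# comparison can be exercised without a key server.

# Normalise a fingerprint as written by gpg (grouped, spaced): drop spaces, uppercase.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t' | tr 'a-f' 'A-F'
}

# Print primary-key fingerprints only: the fpr record directly after a pub
# record (field 10 of an fpr record), ignoring subkey fingerprints.
primary_fprs() {
    awk -F: '$1=="pub"{want=1;next} $1=="fpr"&&want{print $10;want=0} $1=="sub"{want=0}'
}

# 0 if the expected fingerprint is a primary fingerprint in the listing,
# 1 if not, 2 if the expected value is not a 40-hex-digit v4 fingerprint.
fingerprint_matches() {
    expected=$(normalize_fpr "$1")
    listing=$2
    [ "${#expected}" -eq 40 ] || return 2
    printf '%s\n' "$listing" | primary_fprs | grep -qx "$expected"
}

# Live path (assumes gpg and a configured key server): fetch, compare, sign.
verify_and_sign() {
    keyid=$1; expected=$2
    gpg --recv-keys "$keyid" || return 1
    listing=$(gpg --with-colons --fingerprint "$keyid")
    if fingerprint_matches "$expected" "$listing"; then
        gpg --sign-key "$keyid"
    else
        echo "fingerprint mismatch for $keyid: refusing to sign" >&2
        return 1
    fi
}

# Constructed sample listing (fields abbreviated) modelled on
# `gpg --with-colons --fingerprint` for the key shown in the message above;
# the subkey fingerprint is a dummy that must not count as a match.
SAMPLE_LISTING='pub:u:4096:1:EF6D31C772FA275A:2014-07-22::::::scESC:
fpr:::::::::492FE32D853F1081FF5866F5EF6D31C772FA275A:
uid:u::::2014-07-22::0::Vincent Hennebert <vhennebert@gmail.com>:
sub:u:4096:1:0000000000000000:2014-07-22::::::e:
fpr:::::::::0000000000000000000000000000000000000000:'
```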
