DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://nagoya.apache.org/bugzilla/show_bug.cgi?id=15622>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=15622

serve KEYS by means of https with a certificate issued by a CA that is built-in with the most popular browsers/mail clients

Summary: serve KEYS by means of https with a certificate issued by a CA that is built-in with the most popular browsers/mail clients
Product: Apache httpd-2.0
Version: 2.0.32
Platform: Other
URL: http://www.apache.org/dist/httpd/KEYS
OS/Version: Other
Status: NEW
Severity: Normal
Priority: Other
Component: Documentation
AssignedTo: [email protected]
ReportedBy: [EMAIL PROTECTED]

agreed, it is o.k. to provide http://www.apache.org/dist/httpd/httpd-2.0.43.tar.gz.asc without additional protection, but it would be good to serve the PGP verification keys from a more secure source. Sure, this is mingling the two trust models between X.509 and PGP, but...

- since no systematic mutual signing among the provided PGP keys took place (i) Ben Laurie, as the first entry in the file, does have some other people endorsing him, but none out of the group featured in this file nor any among the people in the base public key file shipped by PGP at download, and ii) even mod_ssl guru Engelschall appears not to be overtly trusted by anybody?)

- since there are no phone numbers/URLs to call and verify the fingerprint, neither inside the PGP keys (admitted, as PGP only allows for e-mails and photos, going for any further binding of address information is not foreseen by the program and would require overloading/misusing their "add name" feature) nor in the surrounding (unfortunately non-https) web pages,

it may still be useful to add one such extra assurance (that admittedly has its own limitations), since most httpd admins never will bother properly bootstrapping the security of the keys used for the signatures you provide.
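The bootstrapping problem the report describes (the KEYS file cannot vouch for its own fingerprints) is what an out-of-band pin fixes. The following is an added illustration, not code from the bug report or from the httpd project: it parses a KEYS file in the `pub KEYLEN/KEYID` / `Key fingerprint =` layout that gpg of that era produced (an assumption about the format), checks that each short key id agrees with its fingerprint, and admits only keys whose fingerprint was confirmed over a separate channel. The sample file, ids, fingerprints and names are constructed placeholders.

```python
import re
# Constructed sample in the layout of an Apache KEYS file of that era; key ids,
# fingerprints, names and armor lines are placeholders, not real keys.
SAMPLE_KEYS = """\
pub   1024D/0000AAAA 2002-04-10
      Key fingerprint = 1234 5678 9ABC DEF0 1234  5678 9ABC DEF0 0000 AAAA
uid                  Release Signer <signer@example.org>
-----BEGIN PGP PUBLIC KEY BLOCK-----
placeholder-armor-line
-----END PGP PUBLIC KEY BLOCK-----
pub   1024D/0000BBBB 2002-04-11
      Key fingerprint = FFFF EEEE DDDD CCCC BBBB  AAAA 9999 8888 0000 BBBB
uid                  Someone Else <someone@example.org>
-----BEGIN PGP PUBLIC KEY BLOCK-----
placeholder-armor-line
-----END PGP PUBLIC KEY BLOCK-----
"""
# Fingerprint confirmed over a separate channel (phone, signed announcement);
# this is the one fact the KEYS file cannot vouch for about itself (constructed).
PINNED = {"123456789ABCDEF0123456789ABCDEF00000AAAA"}
PUB_RE = re.compile(r"^pub\s+\S+/([0-9A-Fa-f]{8,16})\b")
FPR_RE = re.compile(r"Key fingerprint\s*=\s*([0-9A-Fa-f ]+?)\s*$")
UID_RE = re.compile(r"^uid\s+(.+?)\s*$")

def parse_keys(text):  # one dict per "pub" header: key id, fingerprint, uids
    entries, cur = [], None
    for line in text.splitlines():
        if m := PUB_RE.match(line):
            cur = {"keyid": m.group(1).upper(), "fingerprint": None, "uids": []}
            entries.append(cur)
        elif cur and (m := FPR_RE.search(line)):
            cur["fingerprint"] = m.group(1).replace(" ", "").upper()
        elif cur and (m := UID_RE.match(line)):
            cur["uids"].append(m.group(1))
    return entries  # armored key material is skipped; it is what you would import later

def vet(entries, pinned):  # -> (trusted, rejected-with-reason)
    trusted, rejected = [], []
    for e in entries:
        fpr = e["fingerprint"]
        if not fpr or len(fpr) != 40:
            rejected.append((e["keyid"], "missing or non-v4 fingerprint"))
        elif not fpr.endswith(e["keyid"]):  # short id is the tail of a v4 fingerprint
            rejected.append((e["keyid"], "key id does not match fingerprint"))
        elif fpr not in pinned:
            rejected.append((e["keyid"], "fingerprint not confirmed out of band"))
        else:
            trusted.append(e)
    return trusted, rejected
```

Only the entries returned in `trusted` would be handed to `gpg --import` before verifying a `.tar.gz.asc`; everything else is reported with the reason it was refused.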
