DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://nagoya.apache.org/bugzilla/show_bug.cgi?id=15622>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=15622 serve KEYS by means of https with a certificate issued by a CA that is built-in with the most popular browsers/mail clients ------- Additional Comments From [EMAIL PROTECTED] 2003-02-17 18:38 ------- Aaron: <<2) We should not imply to anyone that by downloading the KEYS file from an SSL server that they can suddenly trust the _contents_ of the KEYS file. Sure, they can better trust that the contents weren't altered during transmission ...>> It would be sad, if legitimate, but half-thought through legal questions result in a service degradation. Therefore I suggest to 1) Further add to the KEYS file: <<On apache's own site and some mirrors, you can download the KEYS under https. This reduces the exposure to some imaginable attacks, but this by no means implies that this file is authentic. For the proper way to determine whether you are satisfied with the KEYS' authenticity, please consult http://www.gnupg.org/gph/en/manual.html#AEN335>> 2) If you deem the "provided as is" part in http://www.apache.org/LICENSE.txt to be insufficient protection for the foundation, perhaps it is time to add general Terms&Conditions (e.g. as http://www.apache.org/foundation/T_and_C.html) to the site every visitor/user has to abide by to remedy that. If you want an example for such T&Cs, I am happy to provide one, but I am sure you have the better lawyers than I do ... Perhaps I should open two separate RFEs for 1) and 2)? --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
