Just for completeness, for building an understanding of what I have been 
capitalizing as the Apache Trust Chain:

 1. There must also be an understanding of the cert expiration and cert revocation 
cases.

 2. As a demonstration for how it all comes down to the Apache logon for 
committers, consider the way that an SSH certificate is established for a 
people.apache.org account.  The initial login is with the Apache Name/ID 
credentials and the password that goes with the account.  Only then can the 
user upload an SSH certificate to the appropriate location for a 
certificate-based SSH login.  I'm not suggesting that is a particular weakness 
(although folks provide a fair amount of trust to their peers on 
people.apache.org).  The point is that it also stems from the foundation of the 
Apache Trust Chain.  And so do the authz record entries, of course.

-----Original Message-----
From: Dennis E. Hamilton [mailto:orc...@apache.org] 
Sent: Wednesday, October 10, 2012 09:28
To: general@incubator.apache.org
Subject: RE: key signing

[ ... ]

I think the fundamental problems are that (1) this trust structure is not 
widely understood, even among (new) committers, and (2) the process is opaque 
to external parties who might want to know how an external signature earns ASF 
trust.  (I'm not certain that there are such folks, apart from security wonks 
and vulnerability seekers, but that is no reason to avoid an understandable, 
transparent account.)  

 - Dennis

PS: I do think one might want to threat-model the existing attack surface and 
see what can be done there.  I am not sure it mitigates against malicious 
introduction of exploitable vulnerabilities, presumably the real concern.  That 
requires examination of a much broader attack surface around all the ways code 
can be injected and vulnerabilities passed undetected into an Apache release.  
There is a high level of trust placed in the processes used, and it has little 
to do with the trustworthiness of digital certificates.

-----Original Message-----
From: Benson Margulies [mailto:bimargul...@gmail.com] 
Sent: Wednesday, October 10, 2012 04:20
To: general@incubator.apache.org
Subject: Re: key signing

I could argue that we'd be better-served with X.509 certs.
An Apache CA could be programmed to issue a cert to each committer.
Users would just verify the source CA, and we'd accomplish the goal of
giving users assurance.


[ ... ]

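Acting out Benson's X.509 suggestion, and Dennis's point that the expiration case has to be understood, as an added example that is not part of this thread: a hypothetical "Apache committer CA" built with the openssl CLI, where the user trusts only the CA. All names and lifetimes are assumptions made for the demo, and revocation (CRL/OCSP) checking is not shown.

```shell
#!/bin/sh
# Added example, not from the thread: acts out the "Apache CA issues a cert
# to each committer, users verify the CA" idea with the openssl CLI, and
# exercises the expiry and wrong-issuer failure cases. All names are
# made up; revocation (CRL/OCSP) checking is not shown.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# The hypothetical CA: a self-signed root, the single thing a user must trust.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
    -subj "/O=Example ASF/CN=Example Committer CA" >/dev/null 2>&1
}

# Issue a committer cert signed by the CA: $1 = committer name, $2 = lifetime in days.
issue_committer() {
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" -out "$WORK/$1.csr" \
    -subj "/O=Example ASF/CN=$1" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$1.csr" -days "$2" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/$1.crt" >/dev/null 2>&1
}

# A self-signed key that merely claims the committer's name; the CA never saw it.
make_impostor() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORK/impostor.key" -out "$WORK/impostor.crt" \
    -subj "/O=Example ASF/CN=committer-a" >/dev/null 2>&1
}

# The user's side: chain $1.crt to the CA, optionally as of epoch time $2 so the
# expiry case can be shown. Returns 0 when the chain verifies, 1 otherwise.
verify_committer() {
  if [ -n "${2:-}" ]; then at="-attime $2"; else at=""; fi
  if openssl verify $at -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1; then
    echo "ok:   $1 chains to the CA"; return 0
  fi
  echo "fail: $1 does not verify"; return 1
}

make_ca
issue_committer committer-a 1
make_impostor
verify_committer committer-a                                          # ok
verify_committer committer-a "$(( $(date +%s) + 3 * 86400 ))" || true  # fail: expired
verify_committer impostor || true                                     # fail: not CA-issued
```

Because the user verifies against the CA alone, a key that simply carries a committer's name never chains, and a cert past its notAfter fails even though the CA is still trusted.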

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
For additional commands, e-mail: general-h...@incubator.apache.org
