There is value in the external signature for attesting something about the creation of the artifact. The digest simply demonstrates that the artifact is intact.
I've already agreed that the signing of other people's certificates is not that valuable in the case of Apache releases. Because of the security of Apache credentials, confirming a certificate is easy:

  1. Import the certificate located on the Apache site into your favorite key (certificate) store.
  2. Send an encrypted message to the corresponding name@apache.org.
  3. Have the recipient send the decrypted message back to you encrypted with your public key (also identified in the message, etc.).

If the recipient doesn't receive it or can't return the decrypted message, don't trust the public key cert. You can probably indicate the key is trusted by you, locally, if the exercise succeeds. You don't have to do a WoT signing though. This is a pretty standard ceremony for an e-mail "non-persona."

 - Dennis

-----Original Message-----
From: Greg Stein [mailto:[email protected]]
Sent: Wednesday, October 10, 2012 16:45
To: [email protected]
Subject: Re: key signing

I've read this entire thread (whew!), and would actually like to throw out a contrary position: No signed keys.

Consider: releases come from the ASF, not a person. The RM builds the release artifacts and checks them into version control along with hash "checksums". Other PMC members validate the artifacts for release criteria and matching checksums, voting +1 via version control. All of the above is done via authenticated ASF accounts.

The above establishes an ASF release. Please explain how "keys" are needed for this ASF release? Consumers are already told to verify the SHA1 and nothing more. I doubt any more is needed.

(assume secure Infrastructure)

Cheers,
-g

[ ... ]
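Both points in the exchange above lend themselves to a small worked model: Dennis's opening remark that a digest only proves the artifact is intact while a signature attests to who produced it, and his three-step encrypt / decrypt / re-encrypt ceremony for checking that a published key really belongs to whoever reads name@apache.org. The following Go program is an added example written for this page; it is not code from the thread, from the ASF, or from any Apache project. It assumes RSA-OAEP and RSA-PSS from Go's standard library as a stand-in for the PGP or X.509 encryption and signing actually used, SHA-256 in place of the SHA1 the thread mentions, and hypothetical party names (release manager, verifier, impostor) chosen only for illustration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// Party is a hypothetical participant holding one RSA keypair. Constructed
// for this example; it is not ASF tooling.
type Party struct {
	Name string
	priv *rsa.PrivateKey
}

func NewParty(name string) (*Party, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Party{Name: name, priv: k}, nil
}

func (p *Party) Public() *rsa.PublicKey { return &p.priv.PublicKey }

func encryptTo(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

func (p *Party) decrypt(ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, p.priv, ct, nil)
}

// Digest is the "checksum" consumers are told to verify. Whoever can alter
// the artifact can recompute it, so it proves the bytes match the digest the
// reader obtained, not who produced them.
func Digest(artifact []byte) string {
	s := sha256.Sum256(artifact)
	return hex.EncodeToString(s[:])
}

// Sign is the external signature: it binds the artifact to this party's
// private key, which a digest alone cannot do.
func (p *Party) Sign(artifact []byte) ([]byte, error) {
	h := sha256.Sum256(artifact)
	return rsa.SignPSS(rand.Reader, p.priv, crypto.SHA256, h[:], nil)
}

func VerifySignature(pub *rsa.PublicKey, artifact, sig []byte) bool {
	h := sha256.Sum256(artifact)
	return rsa.VerifyPSS(pub, crypto.SHA256, h[:], sig, nil) == nil
}

// RunCeremony models the challenge/response: the verifier encrypts a fresh
// nonce to the key published for the address, the mailbox owner decrypts it
// with whatever key they actually hold and returns it encrypted to the
// verifier's key, and the verifier compares. It returns true only when the
// responder controls the private key matching `claimed`; a failed decryption
// on the responder's side is reported as "don't trust" rather than as an error.
func RunCeremony(verifier *Party, claimed *rsa.PublicKey, responder *Party) (bool, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return false, err
	}
	challenge, err := encryptTo(claimed, nonce) // step 1: message to name@apache.org
	if err != nil {
		return false, err
	}
	plain, err := responder.decrypt(challenge) // step 2: recipient decrypts
	if err != nil {
		return false, nil // cannot decrypt: they do not hold the claimed key
	}
	reply, err := encryptTo(verifier.Public(), plain) // step 3: reply to verifier's key
	if err != nil {
		return false, err
	}
	got, err := verifier.decrypt(reply)
	if err != nil {
		return false, err
	}
	return subtle.ConstantTimeCompare(got, nonce) == 1, nil
}

func main() {
	rm, _ := NewParty("release-manager")
	you, _ := NewParty("verifier")
	impostor, _ := NewParty("impostor")

	artifact := []byte("constructed release tarball bytes") // constructed sample input
	sig, _ := rm.Sign(artifact)
	tampered := append([]byte(nil), artifact...)
	tampered[0] ^= 0x01
	fmt.Println("digest of tampered artifact:", Digest(tampered))
	fmt.Println("RM signature valid on original:", VerifySignature(rm.Public(), artifact, sig))
	fmt.Println("RM signature valid on tampered:", VerifySignature(rm.Public(), tampered, sig))

	ok, _ := RunCeremony(you, rm.Public(), rm)
	fmt.Println("ceremony with real key holder:", ok)
	ok, _ = RunCeremony(you, rm.Public(), impostor)
	fmt.Println("ceremony with impostor:", ok)
}
```

The point the ceremony checks is liveness of the private key behind the published certificate, not the identity of the person; it relies, as Dennis says, on the security of the Apache mailbox credentials. It also does nothing about replay or a compromised mailbox, which is why it is a local trust decision rather than a web-of-trust signature.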
