On Tue, 8 Mar 2005, Curt Arnold <[EMAIL PROTECTED]> wrote: > From http://www.apache.org/~henkp/trust/apache.html, it seems like > it is no sin to sign a release with a key that has not yet been > cross-signed. 2/3 of keys used to release ASF software haven't been > cross-signed.
True, unfortunately. I guess Nicko and Yoav should be very interested in cross signing each others keys, given that Yoav signs Tomcat releases (you *do* sign them Yoav, don't you 8-). > The process described in http://www.apache.org/~henkp/trust/ > involves face-to-face meeting with government issued ID (passport, > drivers license). Dirk-Willem van Gulik frequently relates a story how he unintentionally traveled into a country using a dutch library card of his instead of his passport. "government issued ID" is fine in theory, but I wouldn't expect anybody to recognize my German passport, much less validate it. In reality things are a lot easier, you just need to get in touch first, which is the hard part. > Pretty easy if you live down the street from one of the existing ASF > web of trust members (likely in the Bay Area, not so likely anywhere > else). See <http://www.apache.org/~dirkx/sgala.html> which is based on information provided in the urls.txt file in the committers svn module that every Apache committer has write access to. > There was an "key signing" party at the last ApacheCON (and likely > one at ApacheCON Europe). I'm pretty sure there'll be one, yes. Maybe not organized, but at least I'll use every opportunity I can to sign keys and get mine signed. > If you'd like to get cross-signed now, you might post a message on > [EMAIL PROTECTED] asking for anyone near your location No, please don't use the [EMAIL PROTECTED] list, this one is a no-opt-out list for announcements only. [EMAIL PROTECTED] is more appropriate. Cheers Stefan -- http://stefanbodewig.blogger.de/
