Sorry if I was unclear. I think that we should coordinate with infrastructure@ and give input to how this should work ASF wide.

Ted

----- Original Message -----
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, February 27, 2003 5:32 PM
Subject: Re: PMC Work Items

> G'day Shane,
>
> > > Shane Curcuru wrote
> > Let's make sure we keep this focused on the basics. I don't think we have the need or resources to set up our own PGP keyserver; there are plenty already out there (http://pgpkeys.mit.edu/ seems popular with Apacheites). Plus I think infrastructure@ and others are already working on secure ways to get KEYS files directly from an ASF machine securely, which will solve the trusted distribution of keys problem.
> >
> > So exactly what is the aim of the game here?
>
> Happy to agree that a keyserver may be over the top, but a mechanism that conveys an Apache keyring to end users of Apache software would surely have to be a good thing? If we are serious about secure software distribution (and I think we are, given we are taking the trouble to sign the releases in the first place), then surely we should also be serious about how we extend that security into user-land.
>
> I'd also be interested in what you mean by "secure ways to get KEYS files directly from an ASF machine"? Surely a key is either in the web of trust (whatever that means to us) or not. The fact it resides on an ASF machine doesn't necessarily mean that we should put a high degree of trust in it.
>
> BTW - That's not in any way having a go at the security of ASF machines. That's simply saying that you are basing the trust you place on a cryptographic key on the security of a password. Seems a bit contradictory?
>
> Or have I read the whole thing wrong :>.
>
> > One thing we do need is more prominently published how-tos for using PGP (or GPG, or older or newer versions of PGP, all of which are different) both for signing and verifying. There are a number of snippets on various download pages, and a couple of sites on the web with descriptions, but it'd be nice to have more details specifically for both committers and users.
>
> Absolutely agree! I'd also say the how-to should extend to a minimum set of requirements we would like to see in place before a key is signed.
>
> Cheers,
> Berin
>
> > This message was sent through MyMail http://www.mymail.com.au
>
> ---------------------------------------------------------------------
> In case of troubles, e-mail: [EMAIL PROTECTED]
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> ---------------------------------------------------------------------
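As an added example that is not part of any message in this thread, here is a POSIX shell sketch of the verification how-to Shane asks for, with the out-of-band check that Berin's point implies: import the project's KEYS file into a throwaway keyring, verify the detached signature with gpg, and then compare the signing key's fingerprint against one obtained separately, so that trust does not rest only on the machine that served KEYS. The file names and the pinned fingerprint are hypothetical placeholders, and the gpg status lines used as sample input are constructed.

```shell
#!/bin/sh
# Added example, not code from this thread. Verifies a release the way the
# discussed how-to would: import the project KEYS file, check the detached
# signature with gpg, then pin the signing key's fingerprint against one
# obtained out of band. File names and the pinned fingerprint are hypothetical.

# Print the fingerprint of the key that made a valid signature, taken from
# gpg's machine-readable status output ("[GNUPG:] VALIDSIG <fpr> ...").
# Returns 1 when the output contains no VALIDSIG line.
validsig_fpr() {
    printf '%s\n' "$1" | awk '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; found = 1 }
        END { exit found ? 0 : 1 }'
}

# Compare two fingerprints, ignoring spacing and letter case; an empty
# fingerprint never matches.
fpr_matches() {
    a=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    b=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# verify_release KEYS release.tar.gz.asc release.tar.gz PINNED_FPR
# A throwaway keyring keeps KEYS from polluting the user's own trust DB.
verify_release() {
    tmp=$(mktemp -d) || return 1
    gpg --homedir "$tmp" --batch --quiet --import "$1" 2>/dev/null \
        || { rm -rf "$tmp"; return 1; }
    status=$(gpg --homedir "$tmp" --batch --status-fd 1 --verify "$2" "$3" 2>/dev/null)
    rm -rf "$tmp"
    fpr=$(validsig_fpr "$status") || return 1   # no valid signature at all
    fpr_matches "$fpr" "$4"                      # valid, but by the expected key?
}

# Constructed sample of gpg status output for a good signature (not real data).
SAMPLE_STATUS_OK='[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2003-02-27 1046300000 0 4 0 17 2 00 0123456789ABCDEF0123456789ABCDEF01234567'
# Constructed sample for a signature gpg rejected.
SAMPLE_STATUS_BAD='[GNUPG:] BADSIG 0123456789ABCDEF Example Signer <signer@example.org>'
```

A signature that merely validates against some key in KEYS only shows that a key made it into that file; the fingerprint comparison is the step that ties the release to a key you trust for other reasons.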