On Friday, February 28, 2003, at 01:32 AM, <[EMAIL PROTECTED]> wrote:


G'day Shane,

Shane Curcuru wrote

Let's make sure we keep this focused on the basics. I don't think we have
the need or resources to setup our own PGP keyserver; there are plenty
already out there (http://pgpkeys.mit.edu/ seems popular with
Apacheites). Plus I think infrastructure@ and others are already working
on secure ways to get KEYS files directly from an ASF machine securely,
which will solve the trusted distribution of keys problem.



So exactly what is the aim of the game here? Happy to agree that a keyserver may be over the top, but a mechanism that conveys an Apache keyring to end users of Apache software would surely have to be a good thing? If we are serious about secure software distribution (and I think we are, given we are taking the trouble to sign the releases in the first place), then surely we should also be serious about how we extend that security into user-land.

I'd also be interested in what you mean by "secure ways to get KEYS files directly from an ASF machine"? Surely a key is either in the web of trust (whatever that means to us) or not. The fact it resides on an ASF machine doesn't necessarily mean that we should put a high degree of trust in it.

suppose a key resides on an ASF machine. if you download a release from a third party machine that is correctly signed with that key, how far can you trust that release? in particular, is it more or less safe than downloading an unsigned release directly from an ASF machine?


well, if the ASF machine has been compromised, both situations are equally untrustworthy.

so, let's assume that the ASF machine has not been compromised. so, the key downloaded from the server can be as trusted as the release downloaded from the server. if the key has been compromised, it means that the release manager's machine has been compromised. but in this case, the unsigned release must also be suspect.

therefore, it seems to me that a release signed by a key which resides on an ASF machine can be trusted as much as a release downloaded directly from an ASF machine.

so, in security terms, moving from unsigned releases on an ASF machine to signed releases on a mirror with keys on ASF machines is security neutral.

moving to a secure apache wide system of signed keys would be a definite improvement. (but there may be practical problems to be overcome.)

- robert
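As an added illustration of the trust argument in the message above (example code written for this page, not from the thread or from any Apache project): a release fetched from an untrusted mirror is accepted only if its detached signature verifies under a key listed in the KEYS file fetched from the origin. Ed25519 from Go's standard library stands in for PGP so the example runs without gpg; the KEYS file contents, the release bytes and the fingerprint scheme are all constructed for the example. The last case shows the point Robert makes: if the KEYS file itself comes from the same untrusted place as the release, a forged signature is accepted, so the trust in a mirrored release reduces entirely to the trust in wherever KEYS came from.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Keyring stands in for a project KEYS file: release-manager public keys,
// indexed by fingerprint. Ed25519 is a stand-in for PGP here.
type Keyring map[string]ed25519.PublicKey

// Fingerprint is the hex SHA-256 of the raw public key (constructed scheme,
// not PGP's fingerprint format).
func Fingerprint(pk ed25519.PublicKey) string {
	sum := sha256.Sum256(pk)
	return hex.EncodeToString(sum[:])
}

// VerifyRelease checks a detached signature over the release bytes against
// every key in the keyring and returns the fingerprint of the key that
// verified it. A release signed by a key absent from KEYS is rejected no
// matter which host served the release.
func VerifyRelease(kr Keyring, release, sig []byte) (string, error) {
	if len(sig) != ed25519.SignatureSize {
		return "", errors.New("malformed signature")
	}
	for fp, pk := range kr {
		if ed25519.Verify(pk, release, sig) {
			return fp, nil
		}
	}
	return "", errors.New("signature does not verify under any key in KEYS")
}

// Outcome records whether each scenario's release was accepted.
type Outcome struct {
	Genuine         bool // untouched release, RM signature, KEYS from origin
	Tampered        bool // mirror altered the release after signing
	ForeignKey      bool // attacker re-signed with own key, KEYS from origin
	ForeignKeyMirror bool // attacker re-signed AND KEYS also came from the mirror
}

// RunScenario plays out the four cases with freshly generated keys.
func RunScenario() Outcome {
	rmPub, rmPriv, _ := ed25519.GenerateKey(rand.Reader)  // release manager
	atPub, atPriv, _ := ed25519.GenerateKey(rand.Reader)  // attacker on the mirror

	// KEYS as fetched from the origin host: lists only the release manager.
	originKeys := Keyring{Fingerprint(rmPub): rmPub}
	// KEYS as served by the compromised mirror: attacker's key swapped in.
	mirrorKeys := Keyring{Fingerprint(atPub): atPub}

	release := []byte("apache-example-1.0.tar.gz bytes (constructed)")
	rmSig := ed25519.Sign(rmPriv, release)

	// Tampered copy: one byte appended after signing.
	tampered := append(append([]byte{}, release...), '!')
	// Attacker replaces the signature with one under the attacker's key.
	atSig := ed25519.Sign(atPriv, release)

	var o Outcome
	_, err := VerifyRelease(originKeys, release, rmSig)
	o.Genuine = err == nil
	_, err = VerifyRelease(originKeys, tampered, rmSig)
	o.Tampered = err == nil
	_, err = VerifyRelease(originKeys, release, atSig)
	o.ForeignKey = err == nil
	_, err = VerifyRelease(mirrorKeys, release, atSig)
	o.ForeignKeyMirror = err == nil
	return o
}

func main() {
	o := RunScenario()
	fmt.Printf("genuine accepted:                 %v\n", o.Genuine)
	fmt.Printf("tampered accepted:                %v\n", o.Tampered)
	fmt.Printf("foreign key, KEYS from origin:    %v\n", o.ForeignKey)
	fmt.Printf("foreign key, KEYS from mirror:    %v\n", o.ForeignKeyMirror)
}
```

Only the first case should be accepted when KEYS is taken from the origin; the fourth case is accepted because the verifier was handed a keyring the attacker controls, which is why fetching KEYS from an ASF host (or a keyring signed by trusted Apache keys) is the part of the scheme that actually carries the trust.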


---------------------------------------------------------------------
In case of troubles, e-mail: [EMAIL PROTECTED]
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


