https://issues.apache.org/ooo/show_bug.cgi?id=125210

          Issue ID: 125210
        Issue Type: DEFECT
           Summary: Web-of-Trust problems with KEYS files
           Product: General
           Version: 4.0.1
          Hardware: All
                OS: All
            Status: CONFIRMED
          Severity: normal
          Priority: P3
         Component: security
          Assignee: [email protected]
          Reporter: [email protected]

Created attachment 83645
  --> https://issues.apache.org/ooo/attachment.cgi?id=83645&action=edit
Typical PGP verification message when using the KEYS file provided.

For the verification of downloads, the KEYS file that is linked for PGP
verification is not kept current, and only Herbert's key is more than self-signed.

KEYS files are not automatically updated from key servers, although the ones at
<https://people.apache.org/keys/committer/> are routinely updated from PGP key
servers.

The first attachment indicates what a user of a PGP utility will see when
verifying the AOO 4.0.1 full en-US download PGP key.  The second attachment is
the list of public key User-ID and co-signings that are found in the KEYS file
for [email protected].  The third attachment indicates the additional
counter-signing that is obtained with the key certificate at
<https://people.apache.org/keys/committer/jsc.asc>.  Note that this lists
User-IDs for only those other public keys that a user has obtained, and in
this case trust is not elevated.  The Warning message in the first attachment
still occurs.

Suggestions:
 1. It might be better to have KEYS refer to the release-manager/signer key at
<https://people.apache.org/keys/committer/>.  This will have all
counter-signatures of the key that are available on public key servers.  It
will also reflect any revocation, were that to happen.

 2. Although retrieving a key from <https://people.apache.org/keys/committer/>
is additional "proof" that the signer is the committer having control of an
Apache Committer account, there is an additional step that will strengthen that
claim.  If committer public keys are submitted to the PGP Global Directory
service, that service will carry out an e-mail confirmation and countersign
those User-ID entries for which the email is confirmed.  Retrieving the key
from the PGP Global Directory and posting it to a public key server will then
percolate that further counter-signing to the Apache list of committer keys.
The advantage of this is that if a PGP user gives the PGP Global Directory
service an intermediate trust level, this will strengthen the reliance
available to someone who does not know, and does not hold trusted keys for,
the other cosigners of the Apache committer's public key.
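The warning in the first attachment is gpg's TRUST_UNDEFINED state: the signature on the download is valid, but the verifier has no trust path to the signer. As an added illustration (not part of this report or of any Apache tooling), the following parses gpg's machine-readable `--status-fd` output and shows how a release verifier can distinguish "bad signature", "valid but untrusted" and "valid and pinned", where the pinned fingerprint is the one taken from the KEYS file or from the committer key at <https://people.apache.org/keys/committer/>. The status lines and the fingerprint `FPR` are constructed placeholders, not a real key.

```python
import re

# gpg's TRUST_* status after a valid signature; below TRUST_FULLY it prints the warning.
TRUST_RANK = {"TRUST_NEVER": 0, "TRUST_UNDEFINED": 1, "TRUST_MARGINAL": 2,
              "TRUST_FULLY": 3, "TRUST_ULTIMATE": 4}
STATUS_RE = re.compile(r"^\[GNUPG:\]\s+(\S+)(?:\s+(.*))?$")

def parse_status(status_text):
    """Summarise the machine-readable lines gpg writes to --status-fd."""
    result = {"goodsig": False, "badsig": False, "missing_key": None,
              "fingerprint": None, "trust": None}
    for line in status_text.splitlines():
        m = STATUS_RE.match(line.strip())
        if not m:
            continue
        keyword, args = m.group(1), (m.group(2) or "").split()
        if keyword == "GOODSIG":
            result["goodsig"] = True
        elif keyword == "BADSIG":
            result["badsig"] = True
        elif keyword == "VALIDSIG" and args:
            # field 10 = primary-key fingerprint when a subkey signed; pin against that
            result["fingerprint"] = (args[9] if len(args) > 9 else args[0]).upper()
        elif keyword in TRUST_RANK:
            result["trust"] = keyword
        elif keyword == "NO_PUBKEY" and args:
            result["missing_key"] = args[0]
    return result

def verdict(status_text, pinned_fingerprints):
    """Accept, warn or reject given gpg status output and fingerprints pinned from KEYS."""
    pinned = {fp.replace(" ", "").upper() for fp in pinned_fingerprints}
    s = parse_status(status_text)
    if s["badsig"]:
        return "reject-badsig"
    if s["missing_key"] or not (s["goodsig"] and s["fingerprint"]):
        return "reject-no-valid-signature"
    if s["fingerprint"] in pinned:
        return "accept-pinned"         # signer identity fixed out of band
    if TRUST_RANK.get(s["trust"], 0) >= TRUST_RANK["TRUST_FULLY"]:
        return "accept-web-of-trust"   # a trusted cosigner path exists locally
    return "warn-untrusted"            # valid signature, but the WoT warning stands

# Constructed gpg output for the report's case (good sig, no trust path); FPR is a placeholder.
FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
SAMPLE_STATUS = f"""\
[GNUPG:] GOODSIG {FPR[-16:]} Example Committer <committer@example.org>
[GNUPG:] VALIDSIG {FPR} 2013-10-01 1380585600 0 4 0 1 10 00 {FPR}
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
```

Run with `verdict(SAMPLE_STATUS, set())` to reproduce the untrusted-but-valid case, and with `verdict(SAMPLE_STATUS, {FPR})` to see the pinned-fingerprint acceptance.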
