On Tue, 17 Apr 2007, Gilles Scokart <[EMAIL PROTECTED]> wrote:
> Hey, Xavier is not the only one interested in your explanation.
Then I'm glad I didn't send it in a private mail 8-)
> But it raises a few questions:
>
> - When I'm a user of apache libraries, and I don't know personally
> any public key of any member of the apache community, how can I
> verify that the thing I downloaded is signed by someone member of
> the project? In other words, how can I obtain the public keys?
In this case it is in the KEYS file and is mine. Most projects
provide KEYS files.
In addition my key like most any OpenPGP key can be found on a network
of key servers[1]. Depending on your OpenPGP implementation it may
offer to download the key from the keyservers when you try to verify
the signature.
> - Why is apache not being a certificate authority?
OpenPGP doesn't use a central authority, and this is deliberate. It
is more like a peer-to-peer sort of certification. Why should I trust
Verisign? Just because the manufacturer of my browser of choice does?
The idea of having some central authority at the ASF that can sign
committer keys has come up every now and then. There are a few
infrastructure issues to consider (where to store the private key
securely, for example).
Hope that helps
Stefan
Footnotes:
[1] For example go to <http://pgpkeys.mit.edu/> and enter my key's ID
(5F6B8B72) or my email address.
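As an added example that is not part of the original mail: the check described above, scripted for GnuPG 2.x. It imports a project KEYS file into a throwaway keyring, verifies the detached signature and then compares the signer's full 40-hex-digit fingerprint against one obtained out of band (the 8-digit short ID such as the one in the footnote is convenient for lookup but is not collision resistant, so it should not be the thing you compare). The fingerprint comparison is the real check: gpg --verify exits 0 for any key that happens to be in the keyring and only warns that it is untrusted. The demo_setup function, the file names and the "Constructed Release Manager" key are all constructed here as a stand-in for a real project's KEYS file and release; gpg must be on PATH.

```shell
#!/bin/sh
# Added example (not from the original mail). Assumes GnuPG 2.x on PATH.
set -eu

# verify_release KEYS ARTIFACT SIGNATURE EXPECTED_FINGERPRINT
# Imports KEYS into a fresh temporary keyring, verifies SIGNATURE over
# ARTIFACT, and accepts only if the primary key fingerprint reported by
# gpg equals EXPECTED_FINGERPRINT (40 hex digits, obtained out of band).
# Prints "ok" and returns 0 on success, non-zero otherwise.
verify_release() {
  keys=$1; artifact=$2; sig=$3; expected=$4
  home=$(mktemp -d); chmod 700 "$home"
  gpg --homedir "$home" --batch --quiet --import "$keys" >/dev/null 2>&1
  # --status-fd 1 gives machine-readable lines; a good signature yields
  # "[GNUPG:] VALIDSIG <sig-key-fpr> ... <primary-key-fpr>".
  if ! status=$(gpg --homedir "$home" --batch --status-fd 1 \
                    --verify "$sig" "$artifact" 2>/dev/null); then
    rm -rf "$home"; echo "bad or missing signature" >&2; return 1
  fi
  fpr=$(printf '%s\n' "$status" | awk '$2=="VALIDSIG"{print $NF; exit}')
  rm -rf "$home"
  [ -n "$fpr" ] || { echo "no VALIDSIG in gpg status" >&2; return 1; }
  # gpg exits 0 even for an untrusted key; this comparison is what ties
  # the signature to the release manager you actually expect.
  [ "$fpr" = "$expected" ] || { echo "fingerprint mismatch: $fpr" >&2; return 2; }
  echo ok
}

# demo_setup: constructs a throwaway signing key, a KEYS file exported
# from it, a fake artifact and its detached signature. Prints the demo
# directory; the expected fingerprint is written to FINGERPRINT inside it.
demo_setup() {
  d=$(mktemp -d); signer="$d/signer-home"; mkdir -m 700 "$signer"
  gpg --homedir "$signer" --batch --quiet --passphrase '' --pinentry-mode loopback \
      --quick-gen-key 'Constructed Release Manager <rm@example.invalid>' default default >/dev/null 2>&1
  gpg --homedir "$signer" --batch --with-colons --list-keys 2>/dev/null \
      | awk -F: '$1=="fpr"{print $10; exit}' > "$d/FINGERPRINT"
  gpg --homedir "$signer" --batch --armor --export > "$d/KEYS" 2>/dev/null
  printf 'constructed release payload\n' > "$d/release.tar.gz"
  gpg --homedir "$signer" --batch --quiet --passphrase '' --pinentry-mode loopback \
      --armor --detach-sign --output "$d/release.tar.gz.asc" "$d/release.tar.gz" 2>/dev/null
  echo "$d"
}

# Stand-alone run: ./verify.sh demo
if [ "${1:-}" = demo ]; then
  d=$(demo_setup)
  verify_release "$d/KEYS" "$d/release.tar.gz" "$d/release.tar.gz.asc" "$(cat "$d/FINGERPRINT")"
  rm -rf "$d"
fi
```

Against a real release you would fetch KEYS from the project's own site over HTTPS (not from the same mirror that served the artifact), pass the artifact, its .asc and the fingerprint published by the project, and treat a "fingerprint mismatch" exactly like a bad signature.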