Re: key signing

2012-10-16 Thread Noah Slater
On Mon, Oct 15, 2012 at 1:46 PM, Benson Margulies bimargul...@gmail.com wrote: 1) send email to him and his PMC fellows, referencing this thread, as evidence that key signing is nice but optional. This seems like the most sensible option. AFAIK, signed keys have never been required to sign

Re: key signing

2012-10-16 Thread Noah Slater
It had to be done, given this thread's epic proportions... ;) [image: Identity] http://xkcd.com/1121/ On Fri, Oct 5, 2012 at 1:04 PM, Benson Margulies bimargul...@gmail.com wrote: I'm offering this discussion here, but it might need to go elsewhere if it goes anywhere at all. It seems to me

Re: key signing

2012-10-15 Thread Benson Margulies
Now I have a practical problem. I've received email from a committer on a project. I have met him in person -- some years ago. I helped him get started at Apache. His fellow PMC members are telling him that it's *necessary* for him to come up with one or more signatures on his key to act at an RM.

Re: key signing

2012-10-15 Thread Nick Burch
On Mon, 15 Oct 2012, Benson Margulies wrote: Choices: There is another option, which I mentioned in the other key signing thread on members@, which applies equally here too. Reposting my answer from there, with a few tweaks... In-person keysigning doesn't just have to be at ApacheCons,

Re: key signing

2012-10-15 Thread Marvin Humphrey
On Mon, Oct 15, 2012 at 5:46 AM, Benson Margulies bimargul...@gmail.com wrote: Now I have a practical problem. I've received email from a committer on a project. I have met him in person -- some years ago. I helped him get started at Apache. His fellow PMC members are telling him that it's

Re: key signing

2012-10-15 Thread Marvin Humphrey
On Mon, Oct 15, 2012 at 6:02 AM, Nick Burch apa...@gagravarr.org wrote: So, for a short-term fix for your potential Release Manager, I'd suggest you get them in touch with a nearby local mentor. Why is raising the barrier to entry for new Release Managers better than having multiple experienced

RE: key signing

2012-10-15 Thread Dennis E. Hamilton
this is fetched from, so I'm not sure how counter-signed versions show up.) I am continuing to experiment. -Original Message- From: Benson Margulies [mailto:bimargul...@gmail.com] Sent: Monday, October 15, 2012 05:46 To: general@incubator.apache.org Subject: Re: key signing Now I have

Re: key signing

2012-10-15 Thread Daniel Shahaf
Dennis E. Hamilton wrote on Mon, Oct 15, 2012 at 11:07:56 -0700: https://people.apache.org/keys/committer/orcmid.asc. (I'm not sure where this is fetched from, so I'm not sure how counter-signed versions Currently keys.gnupg.net

RE: key signing

2012-10-15 Thread Dennis E. Hamilton
, October 15, 2012 11:22 To: Dennis E. Hamilton Cc: general@incubator.apache.org Subject: Re: key signing Dennis E. Hamilton wrote on Mon, Oct 15, 2012 at 11:07:56 -0700: https://people.apache.org/keys/committer/orcmid.asc. (I'm not sure where this is fetched from, so I'm not sure how counter-signed

Re: key signing

2012-10-11 Thread Peter Karman
Greg Stein wrote on 10/10/12 6:44 PM: I've read this entire thread (whew!), and would actually like to throw out a contrary position: No signed keys. +1 -- Peter Karman . http://peknet.com/ . pe...@peknet.com - To

Re: key signing

2012-10-11 Thread Branko Čibej
On 10.10.2012 00:01, Marvin Humphrey wrote: While this protocol does not rely heavily on validating government-issued IDs, the Debian guidelines quoted above point out that some people object to giving such IDs too much credence: So instead of giving too much credence to government-issued

Re: key signing

2012-10-11 Thread Nick Kew
On 11 Oct 2012, at 00:44, Greg Stein wrote: Please explain how keys are needed for this ASF release? Consumers are already told to verify the SHA1 and nothing more. I doubt any more is needed. SHA1 offers no more protection than a checksum against MITM attack. (assume secure

Re: key signing

2012-10-11 Thread sebb
On 11 October 2012 02:39, Daniel Shahaf d...@daniel.shahaf.name wrote: Greg Stein wrote on Wed, Oct 10, 2012 at 21:31:30 -0400: Not too much. We still instruct users to take the signatures and verify them against blah.apache.org/KEYS. John Blackhat could replace the signatures and install his

Re: key signing

2012-10-11 Thread Noah Slater
On Thu, Oct 11, 2012 at 9:01 AM, Nick Kew n...@apache.org wrote: You have to extend that assumption not only to our infrastructure but to every proxy that might come between us and a user, and that might substitute a trojan along with the trojan's own SHA1. The same reasoning holds for the

Re: key signing

2012-10-11 Thread Noah Slater
On Thu, Oct 11, 2012 at 9:48 AM, sebb seb...@gmail.com wrote: On 11 October 2012 02:39, Daniel Shahaf d...@daniel.shahaf.name wrote: Greg Stein wrote on Wed, Oct 10, 2012 at 21:31:30 -0400: Not too much. We still instruct users to take the signatures and verify them against

Re: key signing

2012-10-11 Thread Martijn Dashorst
On Thu, Oct 11, 2012 at 10:57 AM, Noah Slater nsla...@tumbolia.org wrote: Which is why we link to the .md5, .sha, .asc, and KEYS files on our servers. Unless you're assuming a MITM along the request/response path to apache.org, in which case all bets are off anyway. No? Which is why I have my

Re: key signing

2012-10-11 Thread Daniel Shahaf
sebb wrote on Thu, Oct 11, 2012 at 09:48:25 +0100: On 11 October 2012 02:39, Daniel Shahaf d...@daniel.shahaf.name wrote: Greg Stein wrote on Wed, Oct 10, 2012 at 21:31:30 -0400: Not too much. We still instruct users to take the signatures and verify them against blah.apache.org/KEYS. John

Re: key signing

2012-10-11 Thread Nick Kew
On 11 Oct 2012, at 13:19, Benson Margulies wrote: Over and above that, we could then ask, 'how could we improve protection against most complex problems?' Now that's something the ASF might indeed be well-qualified to hack. Improved end-user tools (e.g. browser plugins) to take advantage of

RE: key signing

2012-10-11 Thread Dennis E. Hamilton
steps at all, other than pay attention to the warning dialogs that the platform coughs up. -Original Message- From: Benson Margulies [mailto:bimargul...@gmail.com] Sent: Thursday, October 11, 2012 05:20 To: general@incubator.apache.org Subject: Re: key signing Greg having more or less

Re: key signing

2012-10-11 Thread Nick Kew
On 11 Oct 2012, at 09:57, Noah Slater wrote: On Thu, Oct 11, 2012 at 9:01 AM, Nick Kew n...@apache.org wrote: You have to extend that assumption not only to our infrastructure but to every proxy that might come between us and a user, and that might substitute a trojan along with the

RE: key signing

2012-10-11 Thread Dennis E. Hamilton
to checking digital signatures on release candidates and in any subsequent forensic investigation/confirmation. - Dennis -Original Message- From: Dennis E. Hamilton [mailto:orc...@apache.org] Sent: Thursday, October 11, 2012 08:19 To: general@incubator.apache.org Subject: RE: key signing

RE: key signing

2012-10-11 Thread Dennis E. Hamilton
it is noticed is an aspect of WoT that I have not investigated.) -Original Message- From: Nick Kew [mailto:n...@webthing.com] Sent: Thursday, October 11, 2012 06:46 To: general@incubator.apache.org Subject: Re: key signing On 11 Oct 2012, at 09:57, Noah Slater wrote: On Thu, Oct 11

Re: key signing

2012-10-11 Thread Nick Kew
On 11 Oct 2012, at 17:14, Dennis E. Hamilton wrote: @Nick I don't understand the supposed attack vector concerning the file digests being of no value and the WoT being essential. - Dennis ANALYSIS So long as the digest value is obtained from a reliable read-only source, it

Re: key signing

2012-10-11 Thread Marvin Humphrey
On Thu, Oct 11, 2012 at 12:00 AM, Branko Čibej br...@apache.org wrote: So instead of giving too much credence to government-issued IDs, you'd prefer to give credence to a service provided for free by a commercial entity with a conceivable interest in inserting backdoors in software or

Re: key signing

2012-10-11 Thread Marvin Humphrey
On Wed, Oct 10, 2012 at 2:36 PM, Nick Kew n...@apache.org wrote: On 10 Oct 2012, at 17:04, Marvin Humphrey wrote: In my opinion, we have sufficient expertise here at the ASF to devise an authentication protocol whose reliability exceeds that of individuals participating unsupervised in a web

RE: key signing

2012-10-11 Thread Dennis E. Hamilton
factors are you thinking of? (I am not sure how many factors signings by others count as new factors.) - Dennis -Original Message- From: Marvin Humphrey [mailto:mar...@rectangular.com] Sent: Thursday, October 11, 2012 11:46 To: general@incubator.apache.org Subject: Re: key signing On Wed

Re: key signing

2012-10-11 Thread Daniel Shahaf
Marvin Humphrey wrote on Thu, Oct 11, 2012 at 11:46:23 -0700: On Wed, Oct 10, 2012 at 2:36 PM, Nick Kew n...@apache.org wrote: On 10 Oct 2012, at 17:04, Marvin Humphrey wrote: In my opinion, we have sufficient expertise here at the ASF to devise an authentication protocol whose

Re: key signing

2012-10-11 Thread Daniel Shahaf
Marvin Humphrey wrote on Thu, Oct 11, 2012 at 11:46:23 -0700: In my opinion, general@incubator is an appropriate venue to explore ways in which the system can be improved. That will necessarily mean talking about I am sure there are crypto minds in the ASF who aren't on general@incubator.

Re: key signing

2012-10-11 Thread Marvin Humphrey
On Thu, Oct 11, 2012 at 1:29 PM, Daniel Shahaf d...@daniel.shahaf.name wrote: 1) RM prepares tarball, signs, uploads for voting 2) voting passes 3) mentor appends his signature to the .asc file 4) artifacts posted to dist/ That solves the problem for end users until the RM attends a

Re: key signing

2012-10-10 Thread Noah Slater
Can you clarify? I understand that being able to speak to someone face to face, and seeing their mannerisms and expressions, allows you to understand them better. Some deep rooted human thing. But how does this impact security or trust, in the context of key signing? On Wed, Oct 10, 2012 at 4:00

Re: key signing

2012-10-10 Thread Benson Margulies
A different angle. Noah asks me to sign his key. Noah tells me that he's committed it to KEYS for CloudStack in svn revision 314159. I examine that revision and see that it was made by, indeed, noah's Apache ID, which is associated with a particular email address. I send email to secretary@,

Re: key signing

2012-10-10 Thread Nick Kew
On 10 Oct 2012, at 11:25, Benson Margulies wrote: I then feel that it's perfectly reasonable to sign a key that has two things in it: the name Noah Slater and nsla...@apache.org, because if this process doesn't verify an adequate association, then no one can trust the Apache IP process,

Re: key signing

2012-10-10 Thread Benson Margulies
On Wed, Oct 10, 2012 at 6:52 AM, Nick Kew n...@apache.org wrote: On 10 Oct 2012, at 11:25, Benson Margulies wrote: I then feel that it's perfectly reasonable to sign a key that has two things in it: the name Noah Slater and nsla...@apache.org, because if this process doesn't verify an

Re: key signing

2012-10-10 Thread Shane Curcuru
Comments: - For many people, ensuring that the human who holds a specific key is the same one who has been using the j...@doe.foo email address and the john...@apache.org SVN/GIT account over a period of time is what is most important. Less important is ensuring that that human's legal name

Re: key signing - trust path check

2012-10-10 Thread Shane Curcuru
Anyone interested in details of PGP signing and tracing trust paths at the ASF should say thank you to long-time member henkp who has done a ton of work documenting and verifying release signing and keys: https://people.apache.org/~henkp/trust/ - Shane On 10/8/2012 6:37 PM, Noah Slater

Re: key signing

2012-10-10 Thread Ted Dunning
Sent from my iPhone On Oct 10, 2012, at 2:47 AM, Noah Slater nsla...@tumbolia.org wrote: Can you clarify? I understand that being able to speak to someone face to face, and seeing their mannerisms and expressions, allows you to understand them better. Some deep rooted human thing. But how

Re: key signing

2012-10-10 Thread Stephen Connolly
On 10 October 2012 15:20, Ted Dunning ted.dunn...@gmail.com wrote: Sent from my iPhone On Oct 10, 2012, at 2:47 AM, Noah Slater nsla...@tumbolia.org wrote: Can you clarify? I understand that being able to speak to someone face to face, and seeing their mannerisms and expressions, allows

Re: key signing

2012-10-10 Thread Nick Kew
On 10 Oct 2012, at 12:20, Benson Margulies wrote: Nick: On the one hand, how is trusting the Apache process better or worse than trusting the State of Massachusetts? When I sign a key I'm basing it on more information than that. Either it's a one-off, when I have additional knowledge of

Re: key signing

2012-10-10 Thread Florian Holeczek
Hi Benson, A different angle. Noah asks me to sign his key. Noah tells me that he's committed it to KEYS for CloudStack in svn revision 314159. I examine that revision and see that it was made by, indeed, noah's Apache ID, which is associated with a particular email address. I send

Re: key signing

2012-10-10 Thread Marvin Humphrey
On Wed, Oct 10, 2012 at 7:19 AM, Nick Kew n...@webthing.com wrote: On 10 Oct 2012, at 12:20, Benson Margulies wrote: Nick: On the one hand, how is trusting the Apache process better or worse than trusting the State of Massachusetts? When I sign a key I'm basing it on more information than

Re: key signing

2012-10-10 Thread Marvin Humphrey
On Wed, Oct 10, 2012 at 8:11 AM, Florian Holeczek flor...@holeczek.de wrote: However, what would now be totally wrong IMO is, that some guys in the ASF redefine these rules in order to make the process of release signing more simple. In the WoT big picture, this would automatically mean that

RE: key signing

2012-10-10 Thread Dennis E. Hamilton
with the trustworthiness of digital certificates. -Original Message- From: Benson Margulies [mailto:bimargul...@gmail.com] Sent: Wednesday, October 10, 2012 04:20 To: general@incubator.apache.org Subject: Re: key signing I could argue that we'd be better-served with X.509 certs. An Apache CA

RE: key signing

2012-10-10 Thread Dennis E. Hamilton
: Dennis E. Hamilton [mailto:orc...@apache.org] Sent: Wednesday, October 10, 2012 09:28 To: general@incubator.apache.org Subject: RE: key signing [ ... ] I think the fundamental problems are that (1) this trust structure is not widely understood, even among (new) committers, and (2) the process

Re: key signing

2012-10-10 Thread Florian Holeczek
Hi Marvin, On Wed, Oct 10, 2012 at 8:11 AM, Florian Holeczek flor...@holeczek.de wrote: However, what would now be totally wrong IMO is, that some guys in the ASF redefine these rules in order to make the process of release signing more simple. In the WoT big picture, this would automatically

Re: key signing

2012-10-10 Thread Noah Slater
On Wed, Oct 10, 2012 at 3:20 PM, Ted Dunning ted.dunn...@gmail.com wrote: I have friends who live far away. I know them well. I don't know their key fingerprint. If we send emails or if we text back and forth I'm not clear that it is them. If I have a video conference and they hold up the

Re: key signing

2012-10-10 Thread Noah Slater
I've said it already in this thread, but I will say it one last time before I drop it. Archiving video provides zero benefits, beyond the human to human connection of seeing what somebody looks like. It provides no way to establish identity or ownership of email/keys that email does not already

Re: key signing

2012-10-10 Thread Benson Margulies
Just to be clear, I don't think I've ever signed a key in my life. In part, because this criteria seem impossibly mushy. - To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org For additional commands, e-mail:

Re: key signing

2012-10-10 Thread Noah Slater
Most people develop their own key signing policy and publish it. Or organisations as a whole do, and ask their members to adhere to it. Something which we might want to consider formalising. On Wed, Oct 10, 2012 at 10:18 PM, Benson Margulies bimargul...@gmail.com wrote: Just to be clear, I don't

Re: key signing - trust path check

2012-10-10 Thread Noah Slater
This is awesome! Unfortunately I (61D50B88) am not in the strong set. Bummer. :( On Wed, Oct 10, 2012 at 2:43 PM, Shane Curcuru a...@shanecurcuru.org wrote: Anyone interested in details of PGP signing and tracing trust paths at the ASF should say thank you to long-time member henkp who has

Re: key signing

2012-10-10 Thread Nick Kew
On 10 Oct 2012, at 17:04, Marvin Humphrey wrote: In my opinion, we have sufficient expertise here at the ASF to devise an authentication protocol whose reliability exceeds that of individuals participating unsupervised in a web of trust, particularly if the protocol were to incorporate

Re: key signing

2012-10-10 Thread Greg Stein
I've read this entire thread (whew!), and would actually like to throw out a contrary position: No signed keys. Consider: releases come from the ASF, not a person. The RM builds the release artifacts and checks them into version control along with hash checksums. Other PMC members validate the

Re: key signing

2012-10-10 Thread Ian Holsman
On Oct 11, 2012, at 10:44 AM, Greg Stein gst...@gmail.com wrote: (assume secure Infrastructure) That's a pretty big assumption isn't it? There have been public instances where open source infrastructures have been hacked, and releases have been messed with. I think keys removes the need

Re: key signing

2012-10-10 Thread Daniel Shahaf
Ian Holsman wrote on Thu, Oct 11, 2012 at 10:53:11 +1100: On Oct 11, 2012, at 10:44 AM, Greg Stein gst...@gmail.com wrote: (assume secure Infrastructure) That's a pretty big assumption isn't it? There have been public instances where open source infrastructures have been hacked,

Re: key signing

2012-10-10 Thread Daniel Shahaf
Greg Stein wrote on Wed, Oct 10, 2012 at 19:44:30 -0400: I've read this entire thread (whew!), and would actually like to throw out a contrary position: No signed keys. Consider: releases come from the ASF, not a person. Therefore, releases should be signed by the ASF as an organisation,

Re: key signing

2012-10-10 Thread Greg Stein
On Wed, Oct 10, 2012 at 9:10 PM, Daniel Shahaf d...@daniel.shahaf.name wrote: Greg Stein wrote on Wed, Oct 10, 2012 at 19:44:30 -0400: I've read this entire thread (whew!), and would actually like to throw out a contrary position: No signed keys. Consider: releases come from the ASF, not a

RE: key signing

2012-10-10 Thread Dennis E. Hamilton
though. This is a pretty standard ceremony for an e-mail non-persona. - Dennis -Original Message- From: Greg Stein [mailto:gst...@gmail.com] Sent: Wednesday, October 10, 2012 16:45 To: general@incubator.apache.org Subject: Re: key signing I've read this entire thread (whew

Re: key signing

2012-10-10 Thread Greg Stein
On Wed, Oct 10, 2012 at 7:53 PM, Ian Holsman i...@holsman.com.au wrote: On Oct 11, 2012, at 10:44 AM, Greg Stein gst...@gmail.com wrote: (assume secure Infrastructure) That's a pretty big assumption isn't it? Empirically, we've had break-ins, so we can assume it will happen again. But now

Re: key signing

2012-10-10 Thread Daniel Shahaf
Greg Stein wrote on Wed, Oct 10, 2012 at 21:14:15 -0400: On Wed, Oct 10, 2012 at 9:10 PM, Daniel Shahaf d...@daniel.shahaf.name wrote: Greg Stein wrote on Wed, Oct 10, 2012 at 19:44:30 -0400: I've read this entire thread (whew!), and would actually like to throw out a contrary position:

Re: key signing

2012-10-10 Thread Daniel Shahaf
Greg Stein wrote on Wed, Oct 10, 2012 at 21:31:30 -0400: Not too much. We still instruct users to take the signatures and verify them against blah.apache.org/KEYS. John Blackhat could replace the signatures and install his entry into KEYS. If you use https://people.apache.org/keys/ instead of

Re: key signing

2012-10-10 Thread Greg Stein
On Wed, Oct 10, 2012 at 9:35 PM, Daniel Shahaf d...@daniel.shahaf.name wrote: Greg Stein wrote on Wed, Oct 10, 2012 at 21:14:15 -0400: ... My point is that our instructions to users don't really incorporate the notions of keys, and (thus) provide near-zero utility. For such So, provide

Re: key signing

2012-10-10 Thread Daniel Shahaf
Greg Stein wrote on Wed, Oct 10, 2012 at 21:40:18 -0400: On Wed, Oct 10, 2012 at 9:35 PM, Daniel Shahaf d...@daniel.shahaf.name wrote: Greg Stein wrote on Wed, Oct 10, 2012 at 21:14:15 -0400: ... My point is that our instructions to users don't really incorporate the notions of keys,

Re: key signing

2012-10-09 Thread Marvin Humphrey
On Mon, Oct 8, 2012 at 2:24 PM, Noah Slater nsla...@tumbolia.org wrote: 1. The key owner convinces the signer that the identity in the UID is indeed their own identity by whatever evidence the signer is willing to accept as convincing. Usually this means the key owner must present a government

Re: key signing

2012-10-09 Thread Noah Slater
What, precisely, does a video call actually provide? The point of meeting in person is to verify photo IDs. Just talking to somebody with a face doesn't prove anybody. I am fairly certain that YOU have a face, and I have never even seen it. If all you're doing is having a chit chat and swapping

Re: key signing

2012-10-09 Thread Ted Dunning
If you know the person, it adds something that you don't get. On Tue, Oct 9, 2012 at 3:40 PM, Noah Slater nsla...@tumbolia.org wrote: What, precisely, does a video call actually provide? The point of meeting in person is to verify photo IDs. Just talking to somebody with a face doesn't prove

RE: key signing

2012-10-08 Thread Franklin, Matthew B.
-Original Message- From: Marvin Humphrey [mailto:mar...@rectangular.com] Sent: Friday, October 05, 2012 8:54 PM To: general@incubator.apache.org Subject: Re: key signing On Fri, Oct 5, 2012 at 8:55 AM, Jukka Zitting jukka.zitt...@gmail.com wrote: It's good to recommend people to get

Re: key signing

2012-10-08 Thread Branko Čibej
On 08.10.2012 13:44, Franklin, Matthew B. wrote: -Original Message- From: Marvin Humphrey [mailto:mar...@rectangular.com] Sent: Friday, October 05, 2012 8:54 PM To: general@incubator.apache.org Subject: Re: key signing On Fri, Oct 5, 2012 at 8:55 AM, Jukka Zitting jukka.zitt

Re: key signing

2012-10-08 Thread Marvin Humphrey
On Mon, Oct 8, 2012 at 7:36 AM, Branko Čibej br...@apache.org wrote: What guarantee do you have that a particular Skype ID is whoever you think it is? None at all, unless the person involved looked at your Skype contact list and said, yeah, that's me. Likewise for Google Hangout. As long as

Re: key signing

2012-10-08 Thread Branko Čibej
On 08.10.2012 17:43, Marvin Humphrey wrote: On Mon, Oct 8, 2012 at 7:36 AM, Branko Čibej br...@apache.org wrote: What guarantee do you have that a particular Skype ID is whoever you think it is? None at all, unless the person involved looked at your Skype contact list and said, yeah, that's

Re: key signing

2012-10-08 Thread Benson Margulies
On Mon, Oct 8, 2012 at 11:43 AM, Marvin Humphrey mar...@rectangular.com wrote: On Mon, Oct 8, 2012 at 7:36 AM, Branko Čibej br...@apache.org wrote: What guarantee do you have that a particular Skype ID is whoever you think it is? None at all, unless the person involved looked at your Skype

RE: key signing

2012-10-08 Thread Dennis E. Hamilton
@incubator.apache.org Subject: Re: key signing [ ... ] In my opinion, that's vanishingly unlikely, and so the best we can do is to allow users to verify that the signature was, in fact, made by the 'Apache hat' that it claimed to be made by. Using the keys in KEYS, or the fingerprints from LDAP

Re: key signing

2012-10-08 Thread Benson Margulies
-Original Message- From: Benson Margulies [mailto:bimargul...@gmail.com] Sent: Monday, October 08, 2012 08:54 To: general@incubator.apache.org Subject: Re: key signing [ ... ] In my opinion, that's vanishingly unlikely, and so the best we can do is to allow users to verify that the signature

Re: key signing

2012-10-08 Thread Ted Dunning
On Mon, Oct 8, 2012 at 4:53 PM, Benson Margulies bimargul...@gmail.com wrote: On Mon, Oct 8, 2012 at 11:43 AM, Marvin Humphrey mar...@rectangular.com wrote: ... In this respect e-mail is just as secure, so why don't we all just sign keys because someone claiming to be from Chad sent

Re: key signing

2012-10-08 Thread Marvin Humphrey
On Mon, Oct 8, 2012 at 8:51 AM, Branko Čibej br...@apache.org wrote: It says clearly, as long as you can guarantee that you are communicating with the key's true owner. Which was exactly my point. I assert a virtual key-signing party protocol incorporating Google Plus Hangouts could offer

Re: key signing

2012-10-08 Thread Ted Dunning
On Mon, Oct 8, 2012 at 7:46 PM, Marvin Humphrey mar...@rectangular.com wrote: On Mon, Oct 8, 2012 at 8:51 AM, Branko Čibej br...@apache.org wrote: It says clearly, as long as you can guarantee that you are communicating with the key's true owner. Which was exactly my point. I assert a

Re: key signing

2012-10-08 Thread Noah Slater
On Mon, Oct 8, 2012 at 4:53 PM, Benson Margulies bimargul...@gmail.com wrote: There's another side to this, which I would derisively label, 'so what'? How does it help a user to see that my key is signed by 27 of my fellow Apache contributors, if the user has never met any of us, and has

Re: key signing

2012-10-08 Thread Noah Slater
This is an important point. Debian has a complete toolset and guidelines for managing this. http://www.debian.org/events/keysigning To quote: People should only sign a key under at least two conditions: 1. The key owner convinces the signer that the identity in the UID is indeed their own

Re: key signing

2012-10-08 Thread Benson Margulies
On Mon, Oct 8, 2012 at 5:18 PM, Noah Slater nsla...@tumbolia.org wrote: On Mon, Oct 8, 2012 at 4:53 PM, Benson Margulies bimargul...@gmail.com wrote: There's another side to this, which I would derisively label, 'so what'? How does it help a user to see that my key is signed by 27 of my

Re: key signing

2012-10-08 Thread Noah Slater
Perhaps not Tomcat, but the entire Foundation and all of its current and future projects should be under consideration here. The long and short of it is that key signing can't hurt. And a key signing guide certainly can't hurt. RMs should feel free to do this, if they are interested in it, and

Re: key signing

2012-10-08 Thread Noah Slater
Caveat: But I do think that if we do have a key signing guide (and I think we should) then it should be strict about our standards. (i.e. when and when not to sign somebody's key. Basic QA on what sort of trust we're trying to build here.) On Mon, Oct 8, 2012 at 11:15 PM, Noah Slater

Re: key signing

2012-10-08 Thread Benson Margulies
On Mon, Oct 8, 2012 at 6:15 PM, Noah Slater nsla...@tumbolia.org wrote: Perhaps not Tomcat, but the entire Foundation and all of its current and future projects should be under consideration here. The long and short of it is that key signing can't hurt. And a key signing guide certainly can't

Re: key signing

2012-10-08 Thread Benson Margulies
Let's try a little statistically-invalid experiment of sample size one. The last time I had a key signed at Apache, it was by Dan Kulp. Now, pretend that you are a suspicious user of one of the many Maven plugins releases that I RM. Can you reach Dan from yourself in the web? Is there anyone you,

Re: key signing

2012-10-08 Thread Noah Slater
I don't know how to check that. Heh. Would be interested in giving it a shot. Are there tools to look up graphs? On Mon, Oct 8, 2012 at 11:23 PM, Benson Margulies bimargul...@gmail.com wrote: Let's try a little statistically-invalid experiment of sample size one. The last time I had a key

Re: key signing

2012-10-08 Thread Noah Slater
Found one... Just poking around manually... J. Daniel Kulp dk...@apache.org http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0x858FC4C4F43856A3 Signed by Carsten Ziegeler cziege...@apache.org http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0x132E49D4E41EDC7E Signed by Marcus Crafter

Re: key signing - issues

2012-10-07 Thread Shane Curcuru
On 10/5/2012 8:04 AM, Benson Margulies wrote:... As far as I can see, we don't do anything to facilitate or encourage getting PGP keys signed. We tell people to create a key and put it in the SVN 'keys' file. Key signing strikes me as a bit of a conundrum for us. In all other respects, we

Re: key signing - issues

2012-10-07 Thread Benson Margulies
Shane, After reading all the responses, I'm no longer very interested in pushing the idea of key signing. I am much more interested in explaining to users the existence and use of the LDAP keys. We can explain: If something is signed with a key associated with an Apache committer via the Apache

RE: key signing - issues

2012-10-07 Thread Dennis E. Hamilton
- From: Benson Margulies [mailto:bimargul...@gmail.com] Sent: Sunday, October 07, 2012 08:32 To: general@incubator.apache.org Subject: Re: key signing - issues Shane, After reading all the responses, I'm no longer very interested in pushing the idea of key signing. I am much more interested

Re: key signing

2012-10-05 Thread Daniel Shahaf
Benson Margulies wrote on Fri, Oct 05, 2012 at 08:04:04 -0400: Alternatively, since the chain is CLA - svn access - unsigned key in svn, perhaps all we really need is to document that a signature corresponding to a key in svn is really good enough, and users need not be concerned further.

Re: key signing

2012-10-05 Thread Florian Holeczek
Daniel Shahaf wrote on 05.10.2012 at 15:15: Benson Margulies wrote on Fri, Oct 05, 2012 at 08:04:04 -0400: Alternatively, since the chain is CLA - svn access - unsigned key in svn, perhaps all we really need is to document that a signature corresponding to a key in svn is really good enough,

Re: key signing

2012-10-05 Thread Jukka Zitting
Hi, On Fri, Oct 5, 2012 at 3:15 PM, Daniel Shahaf d...@daniel.shahaf.name wrote: Downloading keys from https://www.apache.org/dist/ or https://people.apache.org/keys/ is good enough for users who trust root@ and Thawte. +1 It's good to recommend people to get their keys signed by

Re: key signing

2012-10-05 Thread Craig L Russell
Hi Florian, On Oct 5, 2012, at 8:44 AM, Florian Holeczek wrote: if I understood the Apache pseudonym rules right, the only one who would be able to sign such a key was secretary@, since it's the only one who knows the pseudonym's real identity. The ICLA documents are available to all

Re: key signing

2012-10-05 Thread Daniel Shahaf
Craig L Russell wrote on Fri, Oct 05, 2012 at 08:59:26 -0700: Hi Florian, On Oct 5, 2012, at 8:44 AM, Florian Holeczek wrote: if I understood the Apache pseudonym rules right, the only one who would be able to sign such a key was secretary@, since it's the only one who knows the

Re: key signing

2012-10-05 Thread Benson Margulies
On Fri, Oct 5, 2012 at 4:42 PM, Juan Pablo Santos Rodríguez juanpablo.san...@gmail.com wrote: Hi, picking up Benson's initial question, just my 2c: how about encouraging a key signing party (or something alike, but more informal and/or with fewer people) through general@i.a.o for every

Re: key signing

2012-10-05 Thread Daniel Shahaf
Benson Margulies wrote on Fri, Oct 05, 2012 at 17:12:27 -0400: Oh Secretary, why not create a 'role' PGP key and use it? Because it's harder to implement than to state, and no one has identified a need for it. - To unsubscribe,

Re: key signing

2012-10-05 Thread Craig L Russell
Hi Benson, On Oct 5, 2012, at 2:12 PM, Benson Margulies wrote: On Fri, Oct 5, 2012 at 4:42 PM, Juan Pablo Santos Rodríguez juanpablo.san...@gmail.com wrote: Hi, picking up Benson's initial question, just my 2c: how about encouraging a key signing party (or something alike, but more

Re: key signing

2012-10-05 Thread Benson Margulies
Craig, I appreciate the general scheme of signing. It seems as if we have two approaches to key trust. One is the in-person web of trust, and the other is the CLA - account - key-in-ldap/svn. Given the Foundation's emphasis on geographic diversity, the latter seems to me to be more appropriate. I

Re: key signing

2012-10-05 Thread Marvin Humphrey
On Fri, Oct 5, 2012 at 8:55 AM, Jukka Zitting jukka.zitt...@gmail.com wrote: It's good to recommend people to get their keys signed by someone in the Apache web of trust and I think we could do more in that area, Maybe if we didn't insist on face-to-face meetings we'd get better adoption rates.

Re: Key signing for shindig packages.

2009-10-05 Thread Upayavira
On Sat, 2009-10-03 at 16:43 +0800, Niclas Hedhman wrote: On Sat, Oct 3, 2009 at 3:34 AM, Paul Lindner lind...@inuus.com wrote: Hi, Over in the shindig podling we've been working on our 1.1 release. During the voting process it was mentioned that my gpg key is not part of the apache web of

Re: Key signing for shindig packages.

2009-10-03 Thread Niclas Hedhman
On Sat, Oct 3, 2009 at 3:34 AM, Paul Lindner lind...@inuus.com wrote: Hi, Over in the shindig podling we've been working on our 1.1 release. During the voting process it was mentioned that my gpg key is not part of the apache web of trust. * We have the +1s for shindig-1.1-BETA3, does this

Re: Key signing practicalities Was: status of PGP support in Maven

2008-09-28 Thread Craig L Russell
Hi Janne, I will be traveling to Helsinki within the next 6 months (probably). If you're on tripit you can watch for my trip (in case I forget for some reason to let you know). Craig On Sep 23, 2008, at 11:36 PM, Janne Jalkanen wrote: So you assume that that www.apache.org can not be

Re: Key signing practicalities Was: status of PGP support in Maven

2008-09-24 Thread Jukka Zitting
Hi, On Wed, Sep 24, 2008 at 8:36 AM, Janne Jalkanen [EMAIL PROTECTED] wrote: Any people near Helsinki, Finland who are willing to have a coffee and sign my key? ;-) I'll be in Helsinki for two weeks after the ApacheCon US. BR, Jukka Zitting
