On 4/27/07, Stefano Bagnara <[EMAIL PROTECTED]> wrote:
This is mainly for Norman, but maybe also others have an answer for me.
I just verified that Norman's key in our KEYS file
(http://www.apache.org/dist/james/KEYS) is not up to date.
The key present in that file has not been signed by anyone; it is only
"self-signed".
Instead on public pgp servers I can find the same key signed by Noel,
Joachim and someone else.
Do we need to update the KEYS file to have only keys signed by ASF
trusted signers, or can we leave this task to people wanting to verify
the web of trust?
Not sure I have a direct answer.
Limiting the keys in the file to those that are deeply embedded in the
ASF web of trust is counterproductive: the KEYS file exists to allow
keys to be downloaded directly from Apache, and this should only be
necessary when the keys are not strongly connected to the ASF web of
trust.
In most cases, it should not be necessary to keep the keys in the KEYS
file up to date. Users should refresh their list of keys before
verifying a signature, and the correct process when verifying a release
using KEYS is to note the fingerprint for the expected key. (Not sure
how many users do this, though.)
When a key or sub-key is revoked, all KEYS files should be updated to
contain the revocation certificate.
(I'll update the FAQ: http://www.apache.org/dev/release-signing.html)
- robert
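The verification procedure Robert describes (import the KEYS file, pin the fingerprint of the expected key, then verify the release signature), as an added example that is not code from this thread or from the Apache James project. Everything in it is constructed: the release manager key, the "impostor" key, the KEYS file and the release tarball are generated in throw-away GNUPGHOME directories so the script runs offline; the user IDs, file names and the `verify_release`, `setup_demo` and `fingerprint_of` helpers are this example's own, not anything Apache publishes. It requires gpg (GnuPG 2.x) on PATH. The point it makes is the one most users skip: gpg reports "Good signature" for any key that happens to be in the keyring, so only the fingerprint comparison ties the signature to the key the project actually uses.

```shell
#!/bin/sh
# Added example, not code from the thread or from Apache James.
# Verify a release against an Apache-style KEYS file while pinning the
# fingerprint of the expected signing key. All keys, the KEYS file and the
# "release" are constructed in temporary GNUPGHOMEs, so this runs offline.
# In real use: fetch KEYS from https://www.apache.org/dist/james/KEYS, run
# `gpg --refresh-keys` first (new certifications and revocation certificates
# live on the keyservers, not necessarily in KEYS), and pin the fingerprint
# the project publishes rather than one computed locally.
set -e

# Generate an unprotected key ($1 = real name, $2 = e-mail) in $GNUPGHOME.
gen_key() {
    gpg --batch --quiet --gen-key 2>/dev/null <<EOF
%no-protection
Key-Type: RSA
Key-Length: 2048
Name-Real: $1
Name-Email: $2
Expire-Date: 0
%commit
EOF
}

# Print the primary-key fingerprint of the key matching $1.
fingerprint_of() {
    gpg --batch --with-colons --list-keys "$1" 2>/dev/null |
        awk -F: '/^fpr:/ { print $10; exit }'
}

# Return 0 only if $2 is a valid signature over $1 made by the key whose
# primary fingerprint equals $3. gpg emits a VALIDSIG status line for any
# key in the keyring; the last field of that line is the primary-key
# fingerprint, and comparing it is what pins trust to the expected key.
verify_release() {
    status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null || true)
    actual=$(printf '%s\n' "$status" |
        awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; exit }')
    [ -n "$actual" ] && [ "$actual" = "$3" ]
}

# Constructed demo data: a release-manager key, a KEYS file in the layout
# Apache publishes (list-sigs text followed by the armored key), a signed
# release, and an impostor key that also signs it. Ends with GNUPGHOME set
# to the downloading user's keyring, with KEYS (and the impostor) imported.
setup_demo() {
    DEMO=$(mktemp -d)
    RELEASE="$DEMO/james-x.y.z.tar.gz"; SIG="$RELEASE.asc"
    IMPOSTOR_SIG="$DEMO/impostor.asc"; KEYS="$DEMO/KEYS"

    export GNUPGHOME="$DEMO/rm"; mkdir -m 700 "$GNUPGHOME"
    gen_key 'Example Release Manager' 'rm@example.invalid'
    EXPECTED_FPR=$(fingerprint_of rm@example.invalid)
    printf 'constructed release contents\n' > "$RELEASE"
    gpg --batch --yes --armor --detach-sign --output "$SIG" "$RELEASE" 2>/dev/null
    { gpg --list-sigs rm@example.invalid
      gpg --armor --export rm@example.invalid; } > "$KEYS" 2>/dev/null

    export GNUPGHOME="$DEMO/impostor"; mkdir -m 700 "$GNUPGHOME"
    gen_key 'Not The Release Manager' 'impostor@example.invalid'
    gpg --batch --yes --armor --detach-sign --output "$IMPOSTOR_SIG" "$RELEASE" 2>/dev/null
    gpg --armor --export impostor@example.invalid > "$DEMO/impostor.pub" 2>/dev/null

    export GNUPGHOME="$DEMO/user"; mkdir -m 700 "$GNUPGHOME"
    gpg --batch --quiet --import "$KEYS" "$DEMO/impostor.pub" 2>/dev/null
}

cleanup_demo() {
    for h in rm impostor user; do
        GNUPGHOME="$DEMO/$h" gpgconf --kill gpg-agent 2>/dev/null || true
    done
    rm -rf "$DEMO"
}

main() {
    if ! command -v gpg >/dev/null 2>&1; then
        echo "gpg not found; demo skipped" >&2; return 0
    fi
    setup_demo
    printf 'pinned fingerprint: %s\n' "$EXPECTED_FPR"
    if verify_release "$RELEASE" "$SIG" "$EXPECTED_FPR"; then
        echo "release signature: OK (valid, expected key)"
    else
        echo "release signature: REJECTED"
    fi
    if verify_release "$RELEASE" "$IMPOSTOR_SIG" "$EXPECTED_FPR"; then
        echo "impostor signature: accepted (this must not happen)"
    else
        echo "impostor signature: REJECTED (gpg says good signature, wrong key)"
    fi
    cleanup_demo
}
main
```

Run it as `sh verify-keys-demo.sh`. The impostor case is the one to note: `gpg --verify` alone would print "Good signature" for that key too, with only a warning that the key is not certified by a trusted signature, which is exactly why noting the fingerprint matters when the KEYS file is the only source of the key.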