incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Robert Burrell Donkin" <>
Subject Re: enforced signing of artifacts, [was maven repository]
Date Tue, 03 Jun 2008 06:56:53 GMT
On 6/2/08, Noel J. Bergman <> wrote:
> Robert Burrell Donkin wrote:
>> my conclusion was that meta-data signed by [keys in the] WoT would be good
> enough.
>> there's no need to distribute a master key
> +1
>> key management is tricky
> Not that tricky.  Let's not make as if this isn't done routinely elsewhere.

>> this is where the complexity lies. IIRC it was quite tough to come up
>> with a user friendly trust model that worked correctly.
> Not so much, seeing as how you just agreed with CLR:
>> For example, "trust all unsigned", "trust all signed", "trust all signed
> in
>> Apache WOT" might be reasonable policies declared by the user.
IMHO these are all reasonable policies. But users are used to thinking
in black and white. They want software just to work.

>> we don't actually require that the artifacts are signed: just
>> meta-data about the artifacts
> What do you think a signature is in the first place?  It is a digitally
> encrypted hash, i.e., meta-data.
The idea is that you sign finely grained domain specific meta-data.
For example, I would not be willing to sign a key unless I've met the
owner F2F but I would be willing to sign meta-data linking a key to an
incubator project.


> 	--- Noel
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message