incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Nick Kew <>
Subject Re: Key security (Re: KEYS and releases)
Date Tue, 28 Jun 2011 13:13:51 GMT

On 28 Jun 2011, at 13:22, Benson Margulies wrote:

> There's another possible dimension to this, which is related to the
> 'Apache Key' suggestion.
> The current mechanism gives a\ sophisticated/ consumer tools to get
> some confidence that what they downloaded was, in fact, created by
> someone in the Apache infrastructure.

Agreed.  My thoughts were about improving that.  Ideally it might also
lead the way to improved tools that'll serve a much wider audience.
For example, checks that could be built into package managers.

> If a dozen black hats create PGP keys that purport to belong to
> various Apache committers, and sign each others keys, and publish them
> to a key server, they could create confusion, restrained (if I have
> this right) by KEYS on APache's own server.

Indeed.  Though I'd've thought the most useful safeguard against that
is when the real committers - or anyone else whose WoT includes their
keys - verifies a signature, and finds an unexpected failure to verify.
Then the publicity where users will see it.

> What if the ASF stored keys, and offered a web page into which you
> could post a key and get back either "(check) signed by a committer of
> Apache foo, bar, and baz" or "(big red x) not a signature we
> recognize". That seems more useful to me than an Apache global key.

Every little helps, but I don't see that adds much to existing KEYS
(which you can, after all, search for whatever string you'd enter
into the form).  If KEYS is guaranteed 100% secure then we're safe, 
but what I'm thinking of is additional safeguards against the danger
of someone smuggling in bogus keys purporting to be ours.

As of now, how would you know if I were to smuggle in a key
pretending to be yours and start signing things?

Nick Kew

Available for work, contract or permanent

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message