incubator-general mailing list archives

From "Dennis E. Hamilton" <>
Subject RE: key signing
Date Thu, 11 Oct 2012 01:29:00 GMT
There is value in the external signature for attesting something about the creation of the
artifact.  The digest simply demonstrates that the artifact is intact.

I've already agreed that the signing of other people's certificates is not that valuable in
the case of Apache releases.

Because of the security of Apache credentials, confirming a certificate is easy: Import the
certificate located on the Apache site into your favorite key (certificate) store.  Send an
encrypted message to the corresponding name@
Have the recipient send the decrypted message back to you encrypted with your public key (also
identified in the message, etc.)

If the recipient doesn't receive it or can't return the decrypted message, don't trust the
public key cert.  You can probably indicate the key is trusted by you, locally, if the exercise
succeeds.  You don't have to do a WoT signing though.

This is a pretty standard ceremony for an e-mail "non-persona."

 - Dennis
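The challenge-response ceremony described above (encrypt a message to the candidate key, have the recipient decrypt it and return it encrypted to your own key, and only then mark the key as locally trusted), worked through as an added example. This is not code from the original message or from the ASF; it models the two mailboxes as in-process RSA-OAEP key pairs generated on the fly, and the addresses, the `Party` type and the `RunCeremony` helper are assumptions made for the illustration. The second run shows the failure mode Dennis describes: a substituted public key for which the real recipient does not hold the private half cannot be decrypted, so no trust is granted.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Party models one side of the ceremony: a mailbox and the key pair it really holds.
// (Hypothetical type for this example; a real run would use PGP keys in a keyring.)
type Party struct {
	Addr string
	Priv *rsa.PrivateKey
}

func NewParty(addr string) (*Party, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Party{Addr: addr, Priv: priv}, nil
}

// Pub is the key this party would publish; in the ceremony the verifier only
// has a *candidate* public key downloaded from the site and must test it.
func (p *Party) Pub() *rsa.PublicKey { return &p.Priv.PublicKey }

func encryptTo(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

func (p *Party) decrypt(ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, p.Priv, ct, nil)
}

// MakeChallenge (verifier, step 1): pick a random nonce and encrypt it under the
// candidate key. The nonce is the only thing the verifier needs to remember.
func (v *Party) MakeChallenge(candidate *rsa.PublicKey) (nonce, ct []byte, err error) {
	nonce = make([]byte, 32)
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	ct, err = encryptTo(candidate, nonce)
	return nonce, ct, err
}

// Respond (recipient at name@): decrypt with the private key actually held and
// send the plaintext back encrypted to the verifier's public key, which the
// verifier identified in the message. If the candidate key is not this
// recipient's, DecryptOAEP fails and there is nothing to send back.
func (r *Party) Respond(ct []byte, replyTo *rsa.PublicKey) ([]byte, error) {
	nonce, err := r.decrypt(ct)
	if err != nil {
		return nil, fmt.Errorf("%s cannot decrypt challenge: %w", r.Addr, err)
	}
	return encryptTo(replyTo, nonce)
}

// CheckResponse (verifier, step 2): decrypt the reply and compare it to the nonce.
func (v *Party) CheckResponse(nonce, reply []byte) bool {
	got, err := v.decrypt(reply)
	if err != nil {
		return false
	}
	return bytes.Equal(got, nonce)
}

// RunCeremony drives the exchange. It returns true only if the recipient proved
// possession of the private key matching `candidate`; any failure along the way
// means "don't trust the public key cert".
func RunCeremony(verifier, recipient *Party, candidate *rsa.PublicKey) bool {
	nonce, ct, err := verifier.MakeChallenge(candidate)
	if err != nil {
		return false
	}
	reply, err := recipient.Respond(ct, verifier.Pub())
	if err != nil {
		return false // recipient could not decrypt: key is not theirs
	}
	return verifier.CheckResponse(nonce, reply)
}

func main() {
	me, _ := NewParty("verifier@example.org")     // constructed addresses
	rm, _ := NewParty("rm@apache.org")            // the real holder of name@
	imposter, _ := NewParty("mallory@example.org") // owns a key someone planted on the site

	fmt.Println("candidate is the RM's own key:  ", RunCeremony(me, rm, rm.Pub()))
	fmt.Println("candidate is a substituted key: ", RunCeremony(me, rm, imposter.Pub()))
}
```

On success the verifier marks the key as trusted only in its own keyring (with GnuPG that is a local signature via `gpg --lsign-key`, which is never exported), rather than publishing a web-of-trust signature. The check proves possession of the private key by whoever reads `name@`, so, as the message says, its strength rests on the security of the Apache mailbox credentials.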

-----Original Message-----
From: Greg Stein []
Sent: Wednesday, October 10, 2012 16:45
Subject: Re: key signing

I've read this entire thread (whew!), and would actually like to throw out
a contrary position:

No signed keys.

Consider: releases come from the ASF, not a person. The RM builds the
release artifacts and checks them into version control along with hash
"checksums". Other PMC members validate the artifacts for release criteria
and matching checksums, voting +1 via version control.

All of the above is done via authenticated ASF accounts. The above
establishes an ASF release.

Please explain how "keys" are needed for this ASF release? Consumers are
already told to verify the SHA1 and nothing more. I doubt any more is

(assume secure Infrastructure)

[ ... ]
