incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Dennis E. Hamilton" <>
Subject RE: key signing
Date Wed, 10 Oct 2012 17:07:45 GMT
Just for completeness for building an understanding what I have been capitalizing as the Apache
Trust Chain:

 1. There must also be understanding of the cert expiration and cert revocation cases.

 2. As a demonstration for how it all comes down to the Apache logon for committers, consider
the way that an SSH certificate is established for a account.  The initial
login is with the Apache Name/ID credentials and the password that goes with the account.
 Only then can the user upload an SSH certificate to the appropriate location for a certificate-based
SSH login.  I'm not suggesting that is a particular weakness (although folks provide a fair
amount of trust to their peers on  The point is that it also stems from
the foundation of the Apache Trust Chain.  And so do the authz record entries, of course.

-----Original Message-----
From: Dennis E. Hamilton [] 
Sent: Wednesday, October 10, 2012 09:28
Subject: RE: key signing

[ ... ]

I think the fundamental problems are that (1) this trust structure is not widely understood,
even among (new) committers, and (2) the process is opaque to external parties who might want
to know how an external signature earns ASF trust.  (I'm not certain that there are such folks,
apart from security wonks and vulnerability seekers, but that is no reason to avoid an understandable,
transparent account.)  

 - Dennis

PS: I do think one might want to threat-model the existing attack surface and see what can
be done there.  I am not sure it mitigates against malicious introduction of exploitable vulnerabilities,
presumably the real concern.  That requires examination of a much broader attack surface around
all the ways code can be injected and vulnerabilities passed undetected into an Apache release.
 There is a high level of trust placed in the processes used, and it has little to do with
the trustworthiness of digital certificates.

-----Original Message-----
From: Benson Margulies [] 
Sent: Wednesday, October 10, 2012 04:20
Subject: Re: key signing

I could argue that we'd be better-served with X.509 certs.
An Apache CA could be programmed to issue a cert to each committer.
Users would just verify the source CA, and we'd accomplish the goal of
giving users assurance.

[ ... ]

To unsubscribe, e-mail:
For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message