DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://nagoya.apache.org/bugzilla/show_bug.cgi?id=15622>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=15622 serve KEYS by means of https with a certificate issued by a CA that is built-in with the most popular browsers/mail clients [EMAIL PROTECTED] changed: What |Removed |Added ---------------------------------------------------------------------------- Severity|Normal |Enhancement ------- Additional Comments From [EMAIL PROTECTED] 2003-02-17 07:10 ------- I am happy to donate the ~$50 to get a certificate from e.g. http://www.comodogroup.com/products/certificate_services/index.html Where and how would I donate? (the "support..." link appears to be dead - see http://nagoya.apache.org/bugzilla/show_bug.cgi?id=17115). I see http://www.apache.org/foundation/contributing.html#how-to-donate, but how would I ensure that it is used for the very purpose of this bug/enhancement? I could send the money to you personally through paypal or ask friend of mine at Irvine to give it to you in cash? Maybe you are right, it could be classified as an enhancement rather than a bug. Sure, pgp signing parties are a good thing, but it is still more than astonishing that Ben and Ralf (the mod_ssl key persons as mentioned in http://httpd.apache.org/docs-2.0/mod/mod_ssl.html) never made it to one of those and even yourself only got Aaron to sign your key. AFAIK, out-of-band channels (e.g. calling Engelschall by phone in Munich) are another legitimate option to establish trust. I would even go one step further and suggest that in http://www.apache.org/dist/httpd/KEYS, out-of-band approaches should be described just to verify the signers' fingerprints (with no expectation of subsequent cross-signing) for arbitrary apache downloading users. Sure, you might argue that you don't want to sit on the phone 7x24 repeating your fingerprint, but I contend that security awareness and knowledge among users unfortunately is such that the phone would only ring very rarely! Even setting up an answering machine somewhere that just reads down the list of PGP fingerprints is IMHO better than the status quo. Shall I open an new RFE for this? Hoping that all the above qualifies for a "Reopen" of this enhancement request. --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
