On 15 Jul 2004, at 21:31, Noel J. Bergman wrote:

I tend to disagree with your assertion that PGP signatures are less
important than MD5 signatures.  But then again, given how badly
connected the PGP keys used to sign most Jakarta releases are, you
are probably correct.  A signature by a key that hasn't been signed
by anybody else isn't much better than an MD5 hash.

Perhaps, but PGP signatures are better, and there are things happening to improve the ASF WoT, such as our own CA server.

PGP signature and md5 sums are both important.

but IMO signatures are more important (than md5 sums) for the ASF and less important for users. md5 sums are quick and easy to understand. they can be checked without installing and configuring complex software on most platforms. the results are clear. signatures (on the other hand) require the installation and configuration of sophisticated software. a level of understanding of the concepts is required before signatures can be verified effectively. (judging from personal emails to me from users) unless users are already familiar and comfortable with PGP signatures, they are far more likely to successfully check an md5 sum on a download than a signature. so, i'd say that MD5 sums are the technology we should be pushing.

what would be useful is a list of fingerprints for code signing keys on the website. it would also give an extra independent security layer.

- robert
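As an added example (not code from this thread or from the ASF), a Python sketch of the two checks robert describes, with the proposed published fingerprint list used to close the gap Noel points out: a good signature from a key that nobody has vouched for. The sample artifact, .md5 sidecar, fingerprint and gpg status output are all constructed; real use would feed in the download, its .md5 file and the output of gpg --verify --status-fd.

```python
import hashlib
import re

# Constructed sample data (assumptions, not from the thread): a release artifact,
# its .md5 sidecar in "hash  filename" format, and the proposed fingerprint list.
ARTIFACT = b"fake release tarball contents\n"
ARTIFACT_NAME = "example-1.0.tar.gz"
MD5_SIDECAR = hashlib.md5(ARTIFACT).hexdigest() + "  " + ARTIFACT_NAME + "\n"
TRUSTED_FPRS = """# one full 40-hex-digit fingerprint per line (constructed value)
0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567
"""
# Constructed gpg --status-fd output: GOODSIG alone says nothing about who holds
# the key; TRUST_UNDEFINED is the "signed by nobody" case, so pin VALIDSIG's fingerprint.
GPG_STATUS = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Release Manager <rm@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2004-07-15 1089926400 0 4 0 17 2 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

def md5_matches(data, sidecar, name):
    """Check data against a .md5 sidecar; accepts upper-case hex and a '*name' binary marker."""
    for line in sidecar.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1].lstrip("*") == name:
            return hashlib.md5(data).hexdigest() == parts[0].lower()
    return False  # the sidecar does not mention this file at all

def load_fingerprints(text):
    """Parse the published list; reject anything shorter than a full fingerprint."""
    fprs = set()
    for line in text.splitlines():
        entry = re.sub(r"\s+", "", line.split("#", 1)[0]).upper()
        if entry and not re.fullmatch(r"[0-9A-F]{40}", entry):
            raise ValueError("not a full fingerprint: " + line)  # short key IDs collide
        if entry:
            fprs.add(entry)
    return fprs

def signing_fingerprint(status):
    """Return the fingerprint from gpg's VALIDSIG status line, or None without a valid signature."""
    for line in status.splitlines():
        f = line.split()
        if len(f) >= 3 and f[0] == "[GNUPG:]" and f[1] == "VALIDSIG":
            return f[2].upper()
    return None

def verify_release(data, sidecar, name, status, trusted):
    """Both checks must pass: digest matches the sidecar and the signing key is on the list."""
    return md5_matches(data, sidecar, name) and signing_fingerprint(status) in load_fingerprints(trusted)
```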




