> But will the ASF sign a certificate we present to them?

Do they need to? If you, Ceki, had, say, your own personal certificate (based on "[EMAIL PROTECTED]" or even "[EMAIL PROTECTED]", you can get these free that are valid within the standard certificate chain/authorities), you could sign the jars inside a distribution with this certificate, and Web Start would not complain. The certificate just needs to be able to be verified via the standard trust chain.

The issue, I think, is whether the Apache foundation is comfortable with hosting a distribution that has been signed 'outside' the foundation. The problem is I can't see a way of them letting us sign with an Apache certificate for security reasons. Catch-22?

> Without a certificate chain, you can actually sign with my name, you can
> even sign as "The President of the United States of America."

But you can get a valid certificate from an authority based on your email address, and say a driver's license from some providers; it's called a Personal Certificate. It allows you to verify that something has been signed by an 'email address' that has been verified and bound to an identity that can be traced. I.e., my personal certificate is linked to my driver's license here in Australia, so the certificate authority can always use that as a method of tracking me down should I do something silly.

> Do you know if the ASF have a certification policy? If it does, then we
> should follow it. If it doesn't, then we are left only with bad alternatives.

From what I recall, there isn't any policy at all; maybe I am wrong. Perhaps I should take this up with something _other_ than infrastructure? It seems to be a foundation-wide issue. Should I use [EMAIL PROTECTED] and CC our General list on?

Ceki, do you have any other recommendations as to who we should contact for further info? I am happy to take lead on this.

cheers,

Paul Smith
