On Sun, Dec 6, 2009 at 9:33 PM, Greg Brown <[email protected]> wrote:
> Hello mentors,
>
> Back when Pivot first entered the Incubator, I had asked about the 
> availability of an official Apache code signing certificate. Some of our demo 
> and tutorial JARs are signed, but they currently use an unofficial (and 
> expired) certificate Todd had created locally for testing purposes. This 
> doesn't inspire quite as much confidence in the authenticity of the code as 
> we would like.  :-)
>
> The response at the time was that no such certificate currently exists. Once 
> we graduate, do you know if it might be possible to request one? I believe 
> these cost around $500 (US) - is the ASF likely to cover something like this, 
> or do you think we would need to fund it ourselves?
>
> FWIW, I actually tried to get both Verisign and Thawte to contribute a 
> certificate a few months back, and I didn't get a reply from either 
> one...maybe I will try again after we graduate. Anyone have any contacts at 
> either place?

PKI is not something to toss around lightly (I am sure you are aware
of that), and the security-conscious individuals at ASF have long
pondered over what a PKI at ASF could/should look like. One thing that
was excluded was an ASF-wide cert available to "many". It has been
discussed to set up a system where infra "owned" a master cert, from
which they signed certs of "verified individual committers/officers".
The problem is/was that this has not been high on the agenda, since
for "releases" the PGP approach of "web of trust" has been considered
both sufficient and superior to centralized PKIs.

My advice is to wait until after graduation and then approach
infra/board to bring up the use case/need to see if this can be managed
to a level of satisfaction "within our lifetime" ;-)  Bringing this to
[email protected] now will just be "messy" and lead to no
resolution.


Cheers
-- 
Niclas Hedhman, Software Developer
http://www.qi4j.org - New Energy for Java

I  live here; http://tinyurl.com/2qq9er
I  work here; http://tinyurl.com/2ymelc
I relax here; http://tinyurl.com/2cgsug
