The problem with waiting until after we graduate is that we'll launch with an invalid cert signed by Todd, rather than a valid cert signed by the ASF. This won't leave a good first impression on anyone seeing Pivot for the first time.
You are probably right that gene...@incubator is probably not the right place for this discussion, but I think it is at least worth posting the question to the infra list. I'm guessing that most of the previous discussion around PKI focused on SSL, etc. - maybe it won't be as difficult to push a code signing cert. through. How are purchase decisions generally handled? Would someone on the infra list be able to approve something like this, or is there another list I should also post to?

Thanks,
Greg

On Dec 6, 2009, at 11:45 PM, Niclas Hedhman wrote:

> On Sun, Dec 6, 2009 at 9:33 PM, Greg Brown <[email protected]> wrote:
>> Hello mentors,
>>
>> Back when Pivot first entered the Incubator, I had asked about the availability of an official Apache code signing certificate. Some of our demo and tutorial JARs are signed, but they currently use an unofficial (and expired) certificate Todd had created locally for testing purposes. This doesn't inspire quite as much confidence in the authenticity of the code as we would like. :-)
>>
>> The response at the time was that no such certificate currently exists. Once we graduate, do you know if it might be possible to request one? I believe these cost around $500 (US) - is the ASF likely to cover something like this, or do you think we would need to fund it ourselves?
>>
>> FWIW, I actually tried to get both Verisign and Thawte to contribute a certificate a few months back, and I didn't get a reply from either one...maybe I will try again after we graduate. Anyone have any contacts at either place?
>
> PKI is not something to toss around lightly (I am sure you are aware of that), and the security conscious individuals at ASF have for long pondered over how a PKI at ASF could/should look. One thing that was excluded was an ASF-wide cert available to "many". It has been discussed to set up a system where infra "owned" a master cert, from which they signed certs of "verified individual committers/officers". The problem is/was that this has not been high on the agenda, since for "releases" the PGP approach of "web of trust" has been considered both sufficient and superior to centralized PKIs.
>
> My advice is to wait until after graduation and then approach infra/board to bring up the use case/need to see if this can be managed to a level of satisfaction "within our lifetime" ;-) Bringing this to [email protected] now will just be "messy" and lead to no resolution.
>
>
> Cheers
> --
> Niclas Hedhman, Software Developer
> http://www.qi4j.org - New Energy for Java
>
> I live here; http://tinyurl.com/2qq9er
> I work here; http://tinyurl.com/2ymelc
> I relax here; http://tinyurl.com/2cgsug
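The thread turns on a point that is easy to miss: a JAR whose entries verify against their signature can still be signed by an expired or self-signed certificate, because `java.util.jar.JarFile` only checks the signature over the entry bytes, not the signer's validity period or trust chain. The following is an added example, not code from the Pivot project or from anyone in this thread, that makes that distinction visible. It assumes a JAR path passed as the first argument and uses only standard JDK classes; the class name `JarSignerCheck` is an illustrative choice.

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/**
 * Added example (hypothetical class, not part of Apache Pivot): open a signed JAR
 * with verification enabled, drain every entry so its signature is checked, then
 * report each distinct signer certificate with two warnings JarFile does not raise
 * by itself: a self-signed signer and an expired / not-yet-valid signer.
 */
public class JarSignerCheck {

    public static void main(String[] args) throws IOException {
        if (args.length != 1) {
            System.err.println("usage: java JarSignerCheck <file.jar>");
            System.exit(2);
        }
        // verify=true: JarFile validates the signature of each entry as it is read
        try (JarFile jar = new JarFile(args[0], true)) {
            boolean unsigned = false;
            Set<X509Certificate> reported = new HashSet<>();
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                // Directories and the signature files themselves are not signed content
                if (entry.isDirectory() || entry.getName().startsWith("META-INF/")) {
                    continue;
                }
                // Reading the entry to EOF is what triggers signature verification;
                // a tampered entry throws SecurityException here.
                try (InputStream in = jar.getInputStream(entry)) {
                    byte[] buf = new byte[8192];
                    while (in.read(buf) != -1) { /* drain */ }
                }
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null) {
                    unsigned = true;
                    continue;
                }
                for (CodeSigner signer : signers) {
                    List<? extends Certificate> chain = signer.getSignerCertPath().getCertificates();
                    X509Certificate leaf = (X509Certificate) chain.get(0);
                    if (reported.add(leaf)) {
                        report(leaf, chain.size());
                    }
                }
            }
            if (unsigned) {
                System.out.println("WARNING: one or more entries carry no signature");
            }
        }
    }

    /** Print the signer identity plus the trust and validity checks JarFile skips. */
    static void report(X509Certificate leaf, int chainLength) {
        System.out.println("Signer : " + leaf.getSubjectX500Principal());
        System.out.println("  Issuer : " + leaf.getIssuerX500Principal());
        boolean selfSigned = chainLength == 1
                && leaf.getSubjectX500Principal().equals(leaf.getIssuerX500Principal());
        if (selfSigned) {
            System.out.println("  WARNING: self-signed certificate, no CA-anchored chain");
        }
        try {
            // Throws CertificateExpiredException or CertificateNotYetValidException
            leaf.checkValidity();
            System.out.println("  Validity: OK until " + leaf.getNotAfter());
        } catch (CertificateException e) {
            System.out.println("  WARNING: " + e.getClass().getSimpleName()
                    + " (valid " + leaf.getNotBefore() + " to " + leaf.getNotAfter() + ")");
        }
    }
}
```

Run it as `java JarSignerCheck demo.jar`. Against a JAR signed with a locally generated test certificate, as described in the thread, the entries verify cleanly but the output carries both warnings, which is exactly the gap a CA-issued code signing certificate (or, for releases, a PGP signature checked against a published KEYS file) is meant to close.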
