OK. Once the graduation is formally approved, I'll send a message to infra describing what we are looking for and see if they can help. I'd like to get a valid certificate in place before we launch, if at all possible.

Thanks,
Greg

On Dec 7, 2009, at 9:01 AM, Martijn Dashorst wrote:

> AFAIK infra has enough karma to purchase small hardware, domains and certificates. If they don't have enough they can escalate it to the board to make sure it happens.
>
> Martijn
>
> On Mon, Dec 7, 2009 at 2:56 PM, Greg Brown <[email protected]> wrote:
>
>> The problem with waiting until after we graduate is that we'll launch with an invalid cert signed by Todd, rather than a valid cert signed by the ASF. This won't leave a good first impression on anyone seeing Pivot for the first time.
>>
>> You are probably right that gene...@incubator is probably not the right place for this discussion, but I think it is at least worth posting the question to the infra list. I'm guessing that most of the previous discussion around PKI focused on SSL, etc. - maybe it won't be as difficult to push a code signing cert through.
>>
>> How are purchase decisions generally handled? Would someone on the infra list be able to approve something like this, or is there another list I should also post to?
>>
>> Thanks,
>> Greg
>>
>> On Dec 6, 2009, at 11:45 PM, Niclas Hedhman wrote:
>>
>>> On Sun, Dec 6, 2009 at 9:33 PM, Greg Brown <[email protected]> wrote:
>>>
>>>> Hello mentors,
>>>>
>>>> Back when Pivot first entered the Incubator, I had asked about the availability of an official Apache code signing certificate. Some of our demo and tutorial JARs are signed, but they currently use an unofficial (and expired) certificate Todd had created locally for testing purposes. This doesn't inspire quite as much confidence in the authenticity of the code as we would like. :-)
>>>>
>>>> The response at the time was that no such certificate currently exists. Once we graduate, do you know if it might be possible to request one? I believe these cost around $500 (US) - is the ASF likely to cover something like this, or do you think we would need to fund it ourselves?
>>>>
>>>> FWIW, I actually tried to get both Verisign and Thawte to contribute a certificate a few months back, and I didn't get a reply from either one... maybe I will try again after we graduate. Anyone have any contacts at either place?
>>>
>>> PKI is not something to toss around lightly (I am sure you are aware of that), and the security-conscious individuals at the ASF have long pondered how a PKI at the ASF could/should look. One thing that was excluded was an ASF-wide cert available to "many". It has been discussed to set up a system where infra "owned" a master cert, from which they signed certs of "verified individual committers/officers". The problem is/was that this has not been high on the agenda, since for "releases" the PGP "web of trust" approach has been considered both sufficient and superior to centralized PKIs.
>>>
>>> My advice is to wait until after graduation and then approach infra/board to bring up the use case/need to see if this can be managed to a level of satisfaction "within our lifetime" ;-) Bringing this to [email protected] now will just be "messy" and lead to no resolution.
>>>
>>> Cheers
>>> --
>>> Niclas Hedhman, Software Developer
>>> http://www.qi4j.org - New Energy for Java
>>>
>>> I live here; http://tinyurl.com/2qq9er
>>> I work here; http://tinyurl.com/2ymelc
>>> I relax here; http://tinyurl.com/2cgsug
>
> --
> Become a Wicket expert, learn from the best: http://wicketinaction.com
> Apache Wicket 1.4 increases type safety for web applications
> Get it now: http://www.apache.org/dyn/closer.cgi/wicket/1.4.0
