RE: establish a trust relationship (Re: missing signatures)

2003-09-24 Thread Sander Striker 
Dude,
(B
(BHow are we supposed to read this?
(B
(BSander 'a bit behind on his japanese'
(B
(B> -Original Message-
(B> From: Tetsuya Kitahata [mailto:[EMAIL PROTECTED]
(B> Sent: Wednesday, September 24, 2003 11:16 PM
(B> To: Joshua Slive
(B> Cc: Henk P. Penning; [EMAIL PROTECTED]; community@apache.org
(B> Subject: establish a trust relationship (Re: missing signatures)
(B
(B<.. reply in japanese ..>
(B
(B-
(BTo unsubscribe, e-mail: [EMAIL PROTECTED]
(BFor additional commands, e-mail: [EMAIL PROTECTED]

Re: establish a trust relationship (Re: missing signatures)

2003-09-24 Thread Sander Temme 
> Dude,
> 
> How are we supposed to read this?
> 
> Sander 'a bit behind on his japanese'

Testuya's original message is plain enough:

> MIME-Version: 1.0
> Content-Type: text/plain; charset="ISO-2022-JP"
> Content-Transfer-Encoding: 7bit

it's just that my Mailer, and apparently yours, choose not to deal with this
charset. The text is readable enough if I 'view source'.

Maybe Tetsuya should tweak the charset of his English-language mails. (:

S.

-- 
[EMAIL PROTECTED]  http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: establish a trust relationship (Re: missing signatures)

2003-09-24 Thread Tetsuya Kitahata 


On Wed, 24 Sep 2003 14:37:35 -0700
(Subject: Re: establish a trust relationship (Re: missing signatures))
Sander Temme <[EMAIL PROTECTED]> wrote:

> > Dude,
> > 
> > How are we supposed to read this?
> > 
> > Sander 'a bit behind on his japanese'
> 
> Testuya's original message is plain enough:
> 
> > MIME-Version: 1.0
> > Content-Type: text/plain; charset="ISO-2022-JP"
> > Content-Transfer-Encoding: 7bit
> 
> it's just that my Mailer, and apparently yours, choose not to deal with this
> charset. The text is readable enough if I 'view source'.
> 
> Maybe Tetsuya should tweak the charset of his English-language mails. (:

No. The root of the "evil" was the original mail (From Joshua),
to tell the truth.

I am using "US-ASCII" by default settings and most of my mails
are encoded by "US-ASCII". (You can check by grepping the mail archives)

Joshua's original mail: "(Est (heure d'.." part (Date: HeaderLine)
trapped and transformed into japanese. (and garbled)
So, my mail client recognized that my mail was written in japanese
and had put 'charset="ISO-2022-JP"' headerline.

Mails from those who always use "special characters" (umlaut etc.) 
would cause errors and troubles. However, I do not blame them 
as a matter of course.

__ Tetsuya <[EMAIL PROTECTED]> __



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: establish a trust relationship (Re: missing signatures)

2003-09-24 Thread Joshua Slive 

On Thu, 25 Sep 2003, Tetsuya Kitahata wrote:
> Ahhh. Now, there are no *ASF members* in Japan (Maybe, this goes for
> other Asian countries), so the things can be easily inconsistent.
> # The only *Japanese-native* fellow (and ASF member) is now in the USA,
> # I've heard.
>
> In such a situation, we can not build "establish a trust relationship"
> using telephone or meeting in private (in japan) with ASF members.
> As a result, the "chain of trust" can not be established and as a
> matter of course, people in apache.org would never know "who is tetsuya"
> forever. :-) Also, as a matter of course, high-leveled trust with
> committers and members would not be able to be established forever.

A chain of trust can have more than one link.  Assuming there is someone
in Japan who has once been to a country with an ASF member, geography need
not be a barrier.

Not that I want to defend PGP.  I think it is overkill for most
situations.  But it is a good option to provide for those who need it.

Joshua.

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

RE: establish a trust relationship (Re: missing signatures)

2003-09-24 Thread Noel J. Bergman 
> Ahhh. Now, there are no *ASF members* in Japan (Maybe, this goes for
> other Asian countries), so the things can be easily inconsistent.

There are other ASF Committers in Japan.  Lief Mortenson, for example, the
author of the Java Wrapper and frequent Avalon contributor.

I assume that you are referring to geographic location, and not
ethnic/national origin, given the context of your comment.

I don't have another ASF anyone living within 100s of miles of me, as far as
I know.  Ironically (considering that he lives in Australia), Dion Gillard
and I will see each other in a few weeks, so we could sign each other's
keys.

--- Noel


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: establish a trust relationship (Re: missing signatures)

2003-09-24 Thread Tetsuya Kitahata 

On Wed, 24 Sep 2003 18:45:41 -0400
(Subject: RE: establish a trust relationship (Re: missing signatures))
"Noel J. Bergman" <[EMAIL PROTECTED]> wrote:

> > Ahhh. Now, there are no *ASF members* in Japan (Maybe, this goes for
> > other Asian countries), so the things can be easily inconsistent.
> There are other ASF Committers in Japan.  Lief Mortenson, for example, the
> author of the Java Wrapper and frequent Avalon contributor.

Aha. I've forgot that!

Great! My friend is now in Tokyo (and english-native), so they
(Ja"V"a-nese) can talk with each other!

Banzai! Tanuki-Software! :)

__ Tetsuya <[EMAIL PROTECTED]> __

P.S. However, still I can not build relationship
with asf *members* ... dohhh...



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: establish a trust relationship (Re: missing signatures)

2003-09-24 Thread Sander Temme 
> P.S. However, still I can not build relationship
> with asf *members* ... dohhh...

But you can do that via-via. That's what the 'web of trust' is all about.

S.

-- 
[EMAIL PROTECTED]  http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: establish a trust relationship (Re: missing signatures)

2003-09-24 Thread Justin Erenkrantz 
--On Thursday, September 25, 2003 07:58:50 +0900 Tetsuya Kitahata 
<[EMAIL PROTECTED]> wrote:

P.S. However, still I can not build relationship
with asf *members* ... dohhh...
I know Pier and Brian have been known to travel to Japan (for pleasure and 
business).  I'm sure others go to Japan periodically.

I rarely, if ever, see any ASF members any more.  Only at conferences and 
such.  We're a virtual organization.  The way you build relationships in 
this community is through interactions on mailing lists and contributions. 
There isn't any other way, really.  That's why ApacheCon is so crucial. 
And, why we need to have European AC's too.  -- justin

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: establish a trust relationship (Re: missing signatures)

2003-09-24 Thread Tetsuya Kitahata 

On Wed, 24 Sep 2003 16:05:25 -0700
Sander Temme <[EMAIL PROTECTED]> wrote:

> > P.S. However, still I can not build relationship
> > with asf *members* ... dohhh...
> But you can do that via-via. That's what the 'web of trust' is all about.

Oh, great! ... if this mailing list or somewhere (and ApacheCON itself)
can be one of the "resource"s of the "web of trust", it would be
wonderful!

__ Tetsuya <[EMAIL PROTECTED]> __



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: establish a trust relationship (Re: missing signatures)

2003-09-24 Thread Stephen McConnell 

Noel J. Bergman wrote:
Ahhh. Now, there are no *ASF members* in Japan (Maybe, this goes for
other Asian countries), so the things can be easily inconsistent.
   

There are other ASF Committers in Japan.  Lief Mortenson, for example, the
author of the Java Wrapper and frequent Avalon contributor.
I assume that you are referring to geographic location, and not
ethnic/national origin, given the context of your comment.
would that be an aggragate conext or a  meta context?
(you know - this is important)
--
Stephen J. McConnell
mailto:[EMAIL PROTECTED]

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: establish a trust relationship (Re: missing signatures)

2003-09-25 Thread Tetsuya Kitahata 

On Wed, 24 Sep 2003 16:08:55 -0700
Justin Erenkrantz <[EMAIL PROTECTED]> wrote:

> > P.S. However, still I can not build relationship
> > with asf *members* ... dohhh...
> I know Pier and Brian have been known to travel to Japan (for
> pleasure and business).  I'm sure others go to Japan periodically.

I've heard that Pier will come to Japan in October. (I could not catch
up with him @ the last travel of his, in July, though)

Please feel free to ping me at [EMAIL PROTECTED] mailing list :) >> all

> I rarely, if ever, see any ASF members any more.  Only at conferences
> and such.  We're a virtual organization.  The way you build
> relationships in this community is through interactions on mailing
> lists and contributions. There isn't any other way, really.  That's
> why ApacheCon is so crucial. 

Really understandable. Thank you for the detailed and comprehensible
explanations.

Now, I can completely understand why ApacheCon is very important for
not only the members but also for the committers. Probably,
this event would be more important for the current (and upcoming)
committers. I am now absolutely in favour (from my sincere heart)
of the success of the ApacheCON. Unfortunately, I will not be able
to participate in that wonderful event, however, please let me know
if there would be still rooms of the contribution to the success
of that event.

> And, why we need to have European AC's too.  -- justin

Make sense. Quite make sense.

One day, the Asian AC (Beijing or Seoul would
be better than Tokyo) will be held , too. I do hope.

--

As far as I can see from
http://www.apache.org/~sgala/map.html
(Apache Community Worldwide: thanx to Santiago and Dirk),
there are few committers in Asia, Pacific, South America
and Africa. Of course, there could be some of the "ratio
of the well-educated population" issues, etc. I can guess, however,
"North America and Europe" (heavily) weighed community
would be not so much healthy.

I am sure that "establish a trust relationship" would be
one of the "KEYS" of the internationalization 
in the ASF community.

I am awaiting any suggestions, constructive opinions for
the internationalization of the ASF and about how to
"establish a trust relationship", from you all.


Out of respect for the ASF,

Regards,


__ Tetsuya <[EMAIL PROTECTED]> __



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: establish a trust relationship (Re: missing signatures)

2003-09-25 Thread Dirk-Willem van Gulik 


On Thu, 25 Sep 2003, Adrian Sutton wrote:

> > http://www.apache.org/~sgala/map.html

or http://www.apache.org/~dirkx/sgala.html - whcih is a bit more dyanmic.

> Just wondering, where does the data for that image come from?  I note that
> there's no committer listed for Brisbane and yet here I am, apparently very
> lonely in the Sunshine State. :)

Just make sure you have an 'ICBM' coordinate in the (home) page you list
in the committers/krell repository - file urls.txt - and you should be on
the map some 3-6 hours later (I only do a cvs update ever so often - it is
not (yet) push based).

Dw

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: establish a trust relationship (Re: missing signatures)

2003-09-25 Thread Adrian Sutton 
> As far as I can see from
> http://www.apache.org/~sgala/map.html
> (Apache Community Worldwide: thanx to Santiago and Dirk),
> there are few committers in Asia, Pacific, South America
> and Africa. Of course, there could be some of the "ratio
> of the well-educated population" issues, etc. I can guess, however,
> "North America and Europe" (heavily) weighed community
> would be not so much healthy.

Just wondering, where does the data for that image come from?  I note that
there's no committer listed for Brisbane and yet here I am, apparently very
lonely in the Sunshine State. :)

> I am sure that "establish a trust relationship" would be
> one of the "KEYS" of the internationalization
> in the ASF community.

I'm not sure I see a huge benefit to a trust relationship other than the
fact that it would encourage committers to meet in real life a little more
which improves community and often helps understanding between developers.
That in itself is a good thing.  The added security and reliability (trust)
is also a good thing I suppose.

> __ Tetsuya <[EMAIL PROTECTED]> __


Regards,

Adrian Sutton.

--
Intencha "tomorrow's technology today"
Ph: 38478913 0422236329
Suite 8/29 Oatland Crescent
Holland Park West 4121
Australia QLD
www.intencha.com


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: establish a trust relationship (Re: missing signatures)

2003-09-26 Thread Ask Bjoern Hansen 
On Wed, 24 Sep 2003, Joshua Slive wrote:

> A chain of trust can have more than one link.  Assuming there is someone
> in Japan who has once been to a country with an ASF member, geography need
> not be a barrier.

Eh, there are many other reasonable ways to establish a chain of
trust than a personal meeting.  In some contexts they might even be
superior.

Some combination of the following would be as hard to attack as
pretending to be someone else in a personal meeting:

I mostly know you as the guy who sends mail from [EMAIL PROTECTED]
You send me your key signature from that address; I respond with a
token and you send the token back.  Maybe afterwards I wait a month
or two and follow your use of that email address.  If you keep
sending useful patches to similar things as you've done in the past,
that's a good indication.

We have postal addresses of ASF members on file.  Tokens and key
signatures can be sent back and forth via postal mail.

Likewise for telephone numbers; figuring out a time to make two
calls across the world should be feasible.

Some people include their key signature in all their mails.


 - ask

-- 
http://www.askbjoernhansen.com/ - http://develooper.com/



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: establish a trust relationship (Re: missing signatures)

2003-09-26 Thread Tetsuya Kitahata 

On Thu, 25 Sep 2003 22:07:16 -0700 (PDT)
(Subject: Re: establish a trust relationship (Re: missing signatures))
Ask Bjoern Hansen <[EMAIL PROTECTED]> wrote:

> > A chain of trust can have more than one link.  Assuming there is someone
> > in Japan who has once been to a country with an ASF member, geography need
> > not be a barrier.
> 
> Eh, there are many other reasonable ways to establish a chain of
> trust than a personal meeting.  In some contexts they might even be
> superior.
> 
> Some combination of the following would be as hard to attack as
> pretending to be someone else in a personal meeting:
> 
> I mostly know you as the guy who sends mail from [EMAIL PROTECTED]
> You send me your key signature from that address; I respond with a
> token and you send the token back.  Maybe afterwards I wait a month
> or two and follow your use of that email address.  If you keep
> sending useful patches to similar things as you've done in the past,
> that's a good indication.
> 
> We have postal addresses of ASF members on file.  Tokens and key
> signatures can be sent back and forth via postal mail.

Ahh. Maybe, the best way would be the establishment of the *trust chain*
between "[EMAIL PROTECTED]" (or equivalent one) and each
committers/members ... ?!

If there are volunteers (in the United States) who manage the KEYS of
each committers, it would be realistic and really make sense.

--

As far as postal address is concerned, the ASF already has all the 
*NEW* committers' real addresses , I guess (Since we had to
sign the singature to CLA and write real address, as far as
I could see).

--

I am not a member of the ASF, so I can not handle (no
privs of the determination of the *usage* of money)
how to use the fund of the Foundation. However, I think
I would be very glad if some of the Fund will be made full use of
in the "establish a trust relationship" of each committers/members
and developers.

Thank you for reading.

__ Tetsuya <[EMAIL PROTECTED]> __

P.S. "committers" module would give us the breakthrough in it!?



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: establish a trust relationship (Re: missing signatures)

2003-12-01 Thread Santiago Gala 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
- -BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
El viernes, 26 sept, 2003, a las 07:07 Europe/Madrid, Ask Bjoern Hansen 
escribió:

Likewise for telephone numbers; figuring out a time to make two
calls across the world should be feasible.
For those able to receive/send SMS (text messages), they can be used to 
send or receive key fingerprints, in a very effective and safe back 
channel for identity validation.

I have used SMS quite a few times to send passwords after the account 
setup information had been sent by email.
You can sue the telephone provider if the password is leaked, at least 
in theory. :-P

Some people include their key signature in all their mails.

I'm beginning to sign all my mails, since security is becoming a key 
issue for all Open Source, and signing of communications/releases seems 
to be crucial.

Regards,
 Santiago
P.S.) I know it is a very late answer, I found the thread while making 
a search for stuff on Apache Trust chain.
- -BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.3 (Darwin)

iD8DBQE/y3DmZAeG2a2/nhoRAsa+AKCyZzjp63NyKcoDun84ZfTGTHP37QCgtqwz
rztlV7U/oqbub75bLnSPM6I=
=1Qf0
- -END PGP SIGNATURE-
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.3 (Darwin)
iD8DBQE/y3EBMGY6e0B83Y0RAmgvAJ9JUFeHnssBH3MPlgtVeizoGJLU3ACgnIVU
HakG4GuDFSS6K5ELyGT2xRo=
=pRoN
-END PGP SIGNATURE-
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: establish a trust relationship (Re: missing signatures)

2003-12-01 Thread Lars Eilebrecht 
According to Santiago Gala:

> For those able to receive/send SMS (text messages), they can be used to 
> send or receive key fingerprints, in a very effective and safe back 
> channel for identity validation.

Err, I wouldn't call SMS (or GSM) a 'safe' communication media.

[...]
> I'm beginning to sign all my mails, since security is becoming a key 
> issue for all Open Source, and signing of communications/releases seems 
> to be crucial.

BTW, you may want to cross-sign your two PGP keys. The one you
used to sign your message is not the one you gave to people at
ApacheCon for signing.

ciao...
-- 
Lars Eilebrecht  - Confidence is the feeling you sometimes have
[EMAIL PROTECTED]- before you fully understand the situation.

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: establish a trust relationship (Re: missing signatures)

2003-12-07 Thread Santiago Gala 
El lunes, 1 dici, 2003, a las 18:10 Europe/Madrid, Lars Eilebrecht 
escribió:

According to Santiago Gala:
For those able to receive/send SMS (text messages), they can be used 
to
send or receive key fingerprints, in a very effective and safe back
channel for identity validation.
Err, I wouldn't call SMS (or GSM) a 'safe' communication media.
Sorry, I tend to be imprecise. 'Safe' here was meant in the sense of 
identity cross reference, i.e. resilient to impersonation. (In my 
example, fingerprints are public info, so no confidentiality is 
actually needed)

The idea it that if a person is using a phone number that appears in 
telephone directories as Santiago's to answer a challenge (send me your 
key fingerprint by SMS...) in a timely manner, it reinforces trust in 
this person identity as Santiago when taken in addition to email.

Not in crypto terms. I tend to be imprecise, sorry.
[...]
I'm beginning to sign all my mails, since security is becoming a key
issue for all Open Source, and signing of communications/releases 
seems
to be crucial.
BTW, you may want to cross-sign your two PGP keys. The one you
used to sign your message is not the one you gave to people at
ApacheCon for signing.
They are cross signed, I forgot to upload the signed version. Thanks 
for the reminder.

Regards,
Santiago
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]