RE: Code signing and WOT for releases

2016-07-28 Thread Martin Gainty


> From: orc...@apache.org
> To: general@incubator.apache.org
> Subject: RE: Code signing and WOT for releases
> Date: Thu, 28 Jul 2016 10:05:05 -0700
> 
> 
> 
> > -Original Message-
> > From: Martin Gainty [mailto:mgai...@hotmail.com]
> > Sent: Thursday, July 28, 2016 05:13
> > To: general@incubator.apache.org
> > Subject: RE: Code signing and WOT for releases
> > 
> > 4) how to find a public key certificate matching the ID in the signature
> > and how to check that the private key is asserted to be in the
> > possession of the person controlling orc...@apache.org[orcmid]  if you are 
> > *not*
> > using assertions how would this be accomplished?
> [orcmid] 

> That's correct, there is no technical assertion mechanism in OpenPGP.  I 
> should not have used that term.
MG>apologies from my end but the build engineer in me wants to see if all these 
steps can be automated
> 
> What constitutes the equivalent of an *attestation* in WOT is the 
> counter-signing of a public key by another.  That is taken as an attestation 
> that an identified individual claimed authority over the private key by 
> virtue of the fingerprint, the User ID, and in-person confirmation of 
> identification.
> 
> In the case of controlling orcmid@ apache.org, the evidence is that the 
> person having control of that account (Apache Committer ID orcmid) placed the 
> fingerprint in his private account record and the system retrieved the key 
> with that fingerprint and placed it at 
> . 
MG> these are covered by gpg plugin attributes for maven @ 
http://maven.apache.org/plugins/maven-gpg-plugin/sign-mojo.html
> That is retrieval from Internet key servers periodically and will reflect any 
> counter-signing by others as well as any revocation.
MG> unfortunately in my builds CRL attestations are handled by JSSE code 
(assuming a non-self-signed X509 cert does exist)
> There's more to be said about that particular certificate, and other 
> attestations that apply to it, but we can stop here unless you are curious 
> about that.
MG>yes I would
> 
>  - Dennis
> 
> > 
MG> Thanks Dennis,
MG> Martin
> > __
> > 
> > 
> > 
> > > From: dennis.hamil...@acm.org
> > > To: general@incubator.apache.org
> > > Subject: RE: Code signing and WOT for releases
> > > Date: Wed, 27 Jul 2016 10:01:59 -0700
> > >
> > >
> > > > -Original Message-
> > > > From: Martin Gainty [mailto:mgai...@hotmail.com]
> > > > Sent: Wednesday, July 27, 2016 08:06
> > > > To: general@incubator.apache.org
> > > > Subject: RE: Code signing and WOT for releases
> > > >
> > > >
> > > >
> > > > > From: dennis.hamil...@acm.org
> > > > > To: general@incubator.apache.org
> > > > > Subject: RE: Code signing and WOT for releases
> > > > > Date: Tue, 26 Jul 2016 10:33:13 -0700
> > > > > [ ... ] Yesterday, I received an email from one of the users who
> > > > received a security advisory message that I signed.  The user's mail
> > > > reader reported that the signature was untrusted (no surprise) and
> > that
> > > > the signature was BAD.  Since the mail reader shows the stripped
> > > > message, and it looks perfectly fine, there is no way to help
> > analyze
> > > > that from my end.
> > > > >
> > > > > What I did do was (1) verify the message that was sent to me from
> > the
> > > > list and (2) verify the message in the list archive.  I then (3)
> > advised
> > > > the recipient what I did and also (4) how to find a public key
> > > > certificate matching the ID in the signature and how to check that
> > the
> > > > private key is asserted to be in the possession of the person
> > > > controlling orc...@apache.org and how the individual having control
> > of
> > > > that email address is associated with the ASF.
> > > >
> > > > MG>can we assume the key was converted to PKCS8 before asserting the
> > > > key?
> > > > http://stackoverflow.com/questions/5230942/how-to-read-a-private-
> > key-
> > > > for-use-with-opensaml
> > > >
> > > > MG>and then built new SignatureBuilder().buildObject() Signature
> > with
> > > > key locations before assigning
> > > > assertion.setSignature(___)?http://www.programcreek.com/java-api-
> > > > examples/index.php?api=org.opensaml.xml.signature.Signature
> > > >
> > > > MG>/thanks dennis/
> > > [orcmid]
> > >
> > > This signing had nothing to do with MIME-signatures or SSL.  It is a
> > plaintext message that has a "clearsign" OpenPGP signed section in-line
> > in the message body.  (The signed part was created first and then pasted
> > into the plaintext email.)  You can see the archived form at
> > >  > announce/201607.mbox/browser> where it is the only message there. At the
> > bottom of the HTML-formatted display of the message, select the "Unnamed
> > text/plain" link to see a cleaner plaintext.
> > >
> > > This is not unlike the .asc files that can be made as external PGP
> > 

RE: Code signing and WOT for releases

2016-07-28 Thread Dennis E. Hamilton


> -Original Message-
> From: Martin Gainty [mailto:mgai...@hotmail.com]
> Sent: Thursday, July 28, 2016 05:13
> To: general@incubator.apache.org
> Subject: RE: Code signing and WOT for releases
> 
> 4) how to find a public key certificate matching the ID in the signature
> and how to check that the private key is asserted to be in the
> possession of the person controlling orc...@apache.org[orcmid]  if you are 
> *not*
> using assertions how would this be accomplished?
[orcmid] 

That's correct, there is no technical assertion mechanism in OpenPGP.  I should 
not have used that term.

What constitutes the equivalent of an *attestation* in WOT is the 
counter-signing of a public key by another.  That is taken as an attestation 
that an identified individual claimed authority over the private key by virtue 
of the fingerprint, the User ID, and in-person confirmation of identification.

In the case of controlling orcmid@ apache.org, the evidence is that the person 
having control of that account (Apache Committer ID orcmid) placed the 
fingerprint in his private account record and the system retrieved the key with 
that fingerprint and placed it at 
.  That is retrieval from 
Internet key servers periodically and will reflect any counter-signing by 
others as well as any revocation.

There's more to be said about that particular certificate, and other 
attestations that apply to it, but we can stop here unless you are curious 
about that.

 - Dennis

> 
> Regards
> Martin
> __
> 
> 
> 
> > From: dennis.hamil...@acm.org
> > To: general@incubator.apache.org
> > Subject: RE: Code signing and WOT for releases
> > Date: Wed, 27 Jul 2016 10:01:59 -0700
> >
> >
> > > -Original Message-
> > > From: Martin Gainty [mailto:mgai...@hotmail.com]
> > > Sent: Wednesday, July 27, 2016 08:06
> > > To: general@incubator.apache.org
> > > Subject: RE: Code signing and WOT for releases
> > >
> > >
> > >
> > > > From: dennis.hamil...@acm.org
> > > > To: general@incubator.apache.org
> > > > Subject: RE: Code signing and WOT for releases
> > > > Date: Tue, 26 Jul 2016 10:33:13 -0700
> > > > [ ... ] Yesterday, I received an email from one of the users who
> > > received a security advisory message that I signed.  The user's mail
> > > reader reported that the signature was untrusted (no surprise) and
> that
> > > the signature was BAD.  Since the mail reader shows the stripped
> > > message, and it looks perfectly fine, there is no way to help
> analyze
> > > that from my end.
> > > >
> > > > What I did do was (1) verify the message that was sent to me from
> the
> > > list and (2) verify the message in the list archive.  I then (3)
> advised
> > > the recipient what I did and also (4) how to find a public key
> > > certificate matching the ID in the signature and how to check that
> the
> > > private key is asserted to be in the possession of the person
> > > controlling orc...@apache.org and how the individual having control
> of
> > > that email address is associated with the ASF.
> > >
> > > MG>can we assume the key was converted to PKCS8 before asserting the
> > > key?
> > > http://stackoverflow.com/questions/5230942/how-to-read-a-private-
> key-
> > > for-use-with-opensaml
> > >
> > > MG>and then built new SignatureBuilder().buildObject() Signature
> with
> > > key locations before assigning
> > > assertion.setSignature(___)?http://www.programcreek.com/java-api-
> > > examples/index.php?api=org.opensaml.xml.signature.Signature
> > >
> > > MG>/thanks dennis/
> > [orcmid]
> >
> > This signing had nothing to do with MIME-signatures or SSL.  It is a
> plaintext message that has a "clearsign" OpenPGP signed section in-line
> in the message body.  (The signed part was created first and then pasted
> into the plaintext email.)  You can see the archived form at
> >  announce/201607.mbox/browser> where it is the only message there. At the
> bottom of the HTML-formatted display of the message, select the "Unnamed
> text/plain" link to see a cleaner plaintext.
> >
> > This is not unlike the .asc files that can be made as external PGP
> signatures of code, except it is inline instead of external to the file
> being signed.
> >
> > > >
> > > > (I made another check of the archived message too.  The raw form
> of
> > > the message fails to verify when downloaded and that appears to be
> on
> > > account of some encoding features that have to be processed properly
> for
> > > the original text to be reconstituted properly. That might or might
> not
> > > be relevant to how that recipient's email reader handles PGP
> > > > signatures.)
> > [orcmid]
> >
> > (If you look at the raw version on the archive, you will see a pile of
> =20 line endings that make the raw form unverifiable.  And because the
> signature block has a line ending in =, there is an appended raw "3D"
> that 
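
The fingerprint check Dennis describes above (the fingerprint in the committer's account record against the key the system retrieved), as an added example that is not part of this thread: it computes a V4 OpenPGP fingerprint per RFC 4880 section 12.2 over a constructed, toy-sized RSA public-key packet, derives the 64-bit key ID that a signature names, and compares the result with a recorded fingerprint. The key material and creation timestamp are constructed, not a real key.

```python
import hashlib
import struct

# Constructed, toy-sized RSA public key material: enough to exercise the
# packet layout and fingerprint arithmetic, not a usable key.
TOY_N = 0xC0FFEE0DDBA11CAFEF00D1234567890ABCDEF
TOY_E = 65537
TOY_CREATED = 1469700000  # constructed creation time (seconds since epoch)

def mpi(value):
    """OpenPGP multiprecision integer: 2-byte bit length, then big-endian bytes."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")

def public_key_packet_body(n, e, created):
    """Body of a version 4 public-key packet for RSA (algorithm id 1)."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)

def v4_fingerprint(body):
    """RFC 4880 section 12.2: SHA-1 over 0x99, the 2-byte body length and the
    body. This binds version, creation time, algorithm and key material."""
    prefix = b"\x99" + struct.pack(">H", len(body))
    return hashlib.sha1(prefix + body).hexdigest().upper()

def key_id(fingerprint):
    """The key ID carried in a signature is the low-order 64 bits of the fingerprint."""
    return fingerprint[-16:]

def matches_committer_record(retrieved_body, recorded_fingerprint):
    """The check from the thread: the fingerprint the committer placed in the
    account record must equal the one computed from the key retrieved by
    that fingerprint. Records are often shown in groups of four hex digits,
    so normalise spacing and case before comparing."""
    want = recorded_fingerprint.replace(" ", "").upper()
    return len(want) == 40 and v4_fingerprint(retrieved_body) == want

if __name__ == "__main__":
    body = public_key_packet_body(TOY_N, TOY_E, TOY_CREATED)
    fpr = v4_fingerprint(body)
    print("fingerprint:", " ".join(fpr[i:i + 4] for i in range(0, 40, 4)))
    print("key id     :", key_id(fpr))
```

A matching fingerprint shows the retrieved key is the one the committer recorded; whether that committer is who they claim to be is what the counter-signatures in the WOT are for.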

RE: Code signing and WOT for releases

2016-07-28 Thread Martin Gainty
4) how to find a public key certificate matching the ID in the signature and 
how to check that the private key is asserted to be in the possession of the 
person controlling orcmid@apache.org. If you are *not* using assertions, how would 
this be accomplished?

Regards
Martin 
__ 



> From: dennis.hamil...@acm.org
> To: general@incubator.apache.org
> Subject: RE: Code signing and WOT for releases
> Date: Wed, 27 Jul 2016 10:01:59 -0700
> 
> 
> > -Original Message-
> > From: Martin Gainty [mailto:mgai...@hotmail.com]
> > Sent: Wednesday, July 27, 2016 08:06
> > To: general@incubator.apache.org
> > Subject: RE: Code signing and WOT for releases
> > 
> > 
> > 
> > > From: dennis.hamil...@acm.org
> > > To: general@incubator.apache.org
> > > Subject: RE: Code signing and WOT for releases
> > > Date: Tue, 26 Jul 2016 10:33:13 -0700
> > > [ ... ] Yesterday, I received an email from one of the users who
> > received a security advisory message that I signed.  The user's mail
> > reader reported that the signature was untrusted (no surprise) and that
> > the signature was BAD.  Since the mail reader shows the stripped
> > message, and it looks perfectly fine, there is no way to help analyze
> > that from my end.
> > >
> > > What I did do was (1) verify the message that was sent to me from the
> > list and (2) verify the message in the list archive.  I then (3) advised
> > the recipient what I did and also (4) how to find a public key
> > certificate matching the ID in the signature and how to check that the
> > private key is asserted to be in the possession of the person
> > controlling orc...@apache.org and how the individual having control of
> > that email address is associated with the ASF.
> > 
> > MG>can we assume the key was converted to PKCS8 before asserting the
> > key?
> > http://stackoverflow.com/questions/5230942/how-to-read-a-private-key-
> > for-use-with-opensaml
> > 
> > MG>and then built new SignatureBuilder().buildObject() Signature with
> > key locations before assigning
> > assertion.setSignature(___)?http://www.programcreek.com/java-api-
> > examples/index.php?api=org.opensaml.xml.signature.Signature
> > 
> > MG>/thanks dennis/
> [orcmid] 
> 
> This signing had nothing to do with MIME-signatures or SSL.  It is a 
> plaintext message that has a "clearsign" OpenPGP signed section in-line in 
> the message body.  (The signed part was created first and then pasted into 
> the plaintext email.)  You can see the archived form at
> 
>  where it is the only message there. At the bottom of the HTML-formatted 
> display of the message, select the "Unnamed text/plain" link to see a cleaner 
> plaintext.  
> 
> This is not unlike the .asc files that can be made as external PGP signatures 
> of code, except it is inline instead of external to the file being signed.
> 
> > >
> > > (I made another check of the archived message too.  The raw form of
> > the message fails to verify when downloaded and that appears to be on
> > account of some encoding features that have to be processed properly for
> > the original text to be reconstituted properly. That might or might not
> > be relevant to how that recipient's email reader handles PGP
> > > signatures.)
> [orcmid] 
> 
> (If you look at the raw version on the archive, you will see a pile of =20 
> line endings that make the raw form unverifiable.  And because the signature 
> block has a line ending in =, there is an appended raw "3D" that breaks the 
> whole thing. A client that does not restore the plaintext before checking the 
> signature will claim that the signature is "BAD".)
> 
> PS: I sent the same message to a colleague who has a PGP-aware email client, 
> and the message verified automatically and was presented without the 
> boundaries and the signature block.  Instead, there was a marker that 
> indicated the part of the message that was signed.  So it would appear that 
> the person who reported to me encountered an interoperability failure.
> > >
> [ ... ]
> 
> 
> -
> To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
> For additional commands, e-mail: general-h...@incubator.apache.org
> 
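
The failure Dennis traces above (a raw archive form full of =20 line endings and an appended 3D that a client checks without first restoring the plaintext), as an added example that is not part of this thread: it takes a constructed clearsigned text, encodes it the way the quoted-printable archive form stores it, and hashes the signed text with the RFC 4880 cleartext canonicalisation before and after decoding. The message and its signature lines are constructed placeholders; no real signature is checked, only the digest a signature would have to match.

```python
import hashlib
import quopri

# Constructed sample clearsigned text as it would be pasted into a plaintext
# mail. The signature lines are placeholders (not a real signature); the
# point is what the archive's quoted-printable encoding does to the bytes
# the signature covers.
CLEARSIGNED = (
    "-----BEGIN PGP SIGNED MESSAGE-----\n"
    "Hash: SHA256\n"
    "\n"
    "Security advisory: please upgrade. \n"   # trailing space becomes "=20"
    "- -- this dash-led line is dash-escaped\n"
    "-----BEGIN PGP SIGNATURE-----\n"
    "\n"
    "iQEcBAEBCAAGBQJXPLACEHOLDER=\n"            # trailing "=" becomes "=3D"
    "=ABCD\n"
    "-----END PGP SIGNATURE-----\n"
)

def signed_text(msg):
    """Return the lines the signature covers: after the blank line that ends
    the armor headers, up to the signature block."""
    lines = msg.split("\n")
    start = lines.index("") + 1
    end = lines.index("-----BEGIN PGP SIGNATURE-----")
    return "\n".join(lines[start:end])

def canonical_hash(text):
    """Hash the text the way RFC 4880 section 7.1 prescribes for cleartext
    signatures: remove dash-escaping, drop trailing whitespace, use CRLF."""
    out = []
    for line in text.split("\n"):
        if line.startswith("- "):
            line = line[2:]
        out.append(line.rstrip(" \t"))
    return hashlib.sha256("\r\n".join(out).encode()).hexdigest()

def archive_form(msg):
    """What the raw mbox download contains: the quoted-printable encoding."""
    return quopri.encodestring(msg.encode()).decode()

def hashes_seen_by_client(msg):
    """Digest of the signed text in the raw form (what a client that skips
    decoding would verify) versus the digest after restoring the plaintext."""
    raw = archive_form(msg)
    restored = quopri.decodestring(raw.encode()).decode()
    return canonical_hash(signed_text(raw)), canonical_hash(signed_text(restored))

if __name__ == "__main__":
    expected = canonical_hash(signed_text(CLEARSIGNED))
    raw_hash, restored_hash = hashes_seen_by_client(CLEARSIGNED)
    print("raw form matches the signed digest     :", raw_hash == expected)
    print("restored form matches the signed digest:", restored_hash == expected)
```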
  

Re: What is our longest incubation time

2016-07-28 Thread Bertrand Delacretaz
Salut Jean-Frédéric,

On Thu, Jul 28, 2016 at 12:00 PM, jean-frederic clere  wrote:
> There isn't a limit of the time for a podling to stay in incubation,
> correct?

That's correct, though the PMC regularly looks at "very old" podlings.

> ...I am curious about what is longest time between the start of incubation
> and graduation of a project, any hints?...

http://incubator.apache.org/clutch.html has the current podlings, Wave
which started in late 2010 is the oldest IIUC.

I don't know if we have data on graduated podlings.

-Bertrand




What is our longest incubation time

2016-07-28 Thread jean-frederic clere
Hi,

There isn't a limit of the time for a podling to stay in incubation,
correct?

I am curious about what is longest time between the start of incubation
and graduation of a project, any hints?

Cheers

Jean-Frederic
