Re: ASF Web of Trust [was: Release Distribution Strategy]

2007-10-29 Thread Robert Burrell Donkin
On 10/29/07, Niclas Hedhman [EMAIL PROTECTED] wrote:
> On Sunday 28 October 2007 23:15, Erik Abele wrote:
> > As BenL always says: I don't give a shit about some random document,
> > that could be faked anyway. All I care about is the email address
> > connected to the key I intend to sign - is it really the address of
> > the person in question?.
>
> Ok, and if you don't know the individual in person, you put the trust in
> a Driver's license or similar... but doesn't really care how that 'trust'
> was established.
> I must be plain dumb, but I don't get why this provides any comfort to
> end-users, even if they manage to figure out what to do with the .ASCs (I bet
> a very small percentage do).

most users should check the hashes (not the signatures)

anyone who is not well-connected to the apache WOT gains only a little
security by using a signature and only that if they understand WOT
concepts pretty well. providing that release managers are well
connected to the apache WOT then two small (but very important) groups
of users typically fall into this category: apache members and
downstream release managers. that is why apache insists on them.

> And that is why I am asking for better tooling.

+1

IMO this needs to be done at the protocol level

> > See also http://wiki.apache.org/apachecon/PgpKeySigning
>
> Ok, it shows half the picture; how to sign the keys is left out...

see http://people.apache.org/~henkp/

> > > as well as tooling support for verifications.
> > http://httpd.apache.org/dev/verification.html
>
> U, we probably have more than a million users. Do we expect them all to
> get a hook into the WOT ?? IMHO, there is something wrong with that
> picture...

no - but we do expect the apache infrastructure team to be

> Couldn't a simple http://www.apache.org/verify where I put the ASC file (and
> the MD5 of download??) and get an Authenticated or not response be done?? If
> that is too hard to automate, I don't think we ever will see any increase in
> user awareness. The process on the above page is beyond most users'
> imagination.

IMO this needs to be done at the protocol level to gain the required
security (rather than just the appearance of security). if there's
anyone around who's active on HTTP standards then now would be a great
time to jump in...

- robert

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
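Added example (not part of the thread, and not an ASF tool): Robert's advice that most users should check the hashes, written out as a small Python check of a downloaded artifact against the checksum sidecar a project publishes beside it. The artifact bytes and the checksum texts are constructed inline; `make_checksum_file` only stands in for the `.md5`/`.sha1`/`.sha256` file you would otherwise fetch from the project site. A hash served from the same mirror as the download only shows that the file arrived intact; whether it is the release the RM cut is what the signature against the KEYS file answers.

```python
import hashlib
import hmac
import re

# Constructed sample artifact (not a real release): the bytes a user downloaded
# from a mirror, and the name under which the project publishes it.
ARTIFACT_NAME = "example-1.0.tar.gz"
ARTIFACT_BYTES = b"constructed sample bytes standing in for a release tarball\n"

# Digest length in hex characters -> algorithm, covering the .md5/.sha1/.sha256
# sidecar files served next to release artifacts.
_ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}
_GNU_LINE = re.compile(r"^([0-9A-Fa-f]+)\s+\*?(\S.*)$")                        # "<hex>  <file>"
_BSD_LINE = re.compile(r"^(MD5|SHA1|SHA256)\s*\((.+)\)\s*=\s*([0-9A-Fa-f]+)$")  # "MD5 (<file>) = <hex>"


def make_checksum_file(data, filename, algo="md5", style="gnu"):
    """Produce the sidecar text a release manager would publish. Used here only
    to build the constructed sample input; in practice you download this file."""
    digest = hashlib.new(algo, data).hexdigest()
    if style == "gnu":
        return f"{digest}  {filename}\n"
    if style == "bsd":
        return f"{algo.upper()} ({filename}) = {digest}\n"
    return f"{digest}\n"  # bare digest, as some older .md5 files were published


def parse_checksum_file(text, filename):
    """Return (algorithm, expected_hex) for `filename` from a checksum file,
    accepting the GNU, BSD and bare-digest layouts. Raises ValueError when the
    file carries no usable entry for that name."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := _BSD_LINE.match(line):
            if m.group(2) == filename:
                return m.group(1).lower(), m.group(3).lower()
        elif m := _GNU_LINE.match(line):
            digest, name = m.group(1), m.group(2)
            if name == filename and len(digest) in _ALGO_BY_LEN:
                return _ALGO_BY_LEN[len(digest)], digest.lower()
        elif re.fullmatch(r"[0-9A-Fa-f]+", line) and len(line) in _ALGO_BY_LEN:
            # A bare digest names no file; it applies to the artifact it sits beside.
            return _ALGO_BY_LEN[len(line)], line.lower()
    raise ValueError(f"no checksum entry for {filename!r}")


def verify_download(data, checksum_text, filename):
    """True iff `data` hashes to the digest the checksum file lists for `filename`."""
    algo, expected = parse_checksum_file(checksum_text, filename)
    actual = hashlib.new(algo, data).hexdigest()
    # Constant-time compare: not needed for a local file check, but a harmless habit.
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    sidecar = make_checksum_file(ARTIFACT_BYTES, ARTIFACT_NAME)
    print("intact download :", verify_download(ARTIFACT_BYTES, sidecar, ARTIFACT_NAME))
    print("truncated file  :", verify_download(ARTIFACT_BYTES[:-1], sidecar, ARTIFACT_NAME))
```

The parser recognises the digest algorithm from the digest length, so the same function handles the `.md5` files of 2007 and the `.sha256` files published later; a wrong or missing entry is an error rather than a silent pass.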



Re: ASF Web of Trust [was: Release Distribution Strategy]

2007-10-29 Thread Erik Abele

On 29.10.2007, at 03:13, Niclas Hedhman wrote:

> On Sunday 28 October 2007 23:15, Erik Abele wrote:
> > As BenL always says: I don't give a shit about some random document,
> > that could be faked anyway. All I care about is the email address
> > connected to the key I intend to sign - is it really the address of
> > the person in question?.
>
> Ok, and if you don't know the individual in person, you put the trust in
> a Driver's license or similar... but doesn't really care how that 'trust'
> was established.

There's a ton of interpretations and levels of trust out there; I
suggest you consult Google for that.

> I must be plain dumb, but I don't get why this provides any comfort to
> end-users, even if they manage to figure out what to do with the .ASCs (I bet
> a very small percentage do).

Well, if you verify an ASF release it can show you two things:

a) if the signature is good you know that the file has not been tampered with;
   it's the same as when the release was originally cut by the RM
b) if you can establish a trust path to the signer of the file then you can be
   pretty sure that it's a legit release and not a faked one

Again, please see http://httpd.apache.org/dev/verification.html -
especially the sections on Checking Signatures [a) above] and
Validating Authenticity of a Key [b) above].

Re small percentage: I doubt that most users even care; the majority
probably won't even think about it :(

> And that is why I am asking for better tooling.

Ok, feel free to improve that :-)

> > See also http://wiki.apache.org/apachecon/PgpKeySigning
>
> Ok, it shows half the picture; how to sign the keys is left out...

See one of the billions of tutorials in Google, or simply man
gpg (--sign-key or --edit-key).

> > > as well as tooling support for verifications.
> > http://httpd.apache.org/dev/verification.html
>
> U, we probably have more than a million users. Do we expect them all to
> get a hook into the WOT ?? IMHO, there is something wrong with that
> picture...

The million users don't even care about all that - the ones who do
will find a way to connect the dots or even get into the WOT (see
examples provided by Robert).

E.g. if I see that a release is signed by the key XYZ of S. Striker
and I go and fetch that key from a public keyserver and take a look
at the list of signatures, I'll find out that there are names like Roy
T. Fielding, Jim Jagielski, and so on... now, when I compare the
fingerprints and maybe also have a look at http://www.apache.org/dist/httpd/KEYS
then I can be pretty sure that the release was made by an
official member of the HTTPD PMC - that should be enough for Random
Joe to feel comfortable...

> Couldn't a simple http://www.apache.org/verify where I put the ASC file (and
> the MD5 of download??) and get an Authenticated or not response be done?? If
> that is too hard to automate, I don't think we ever will see any increase in
> user awareness.

http://people.apache.org/~henkp/cgi-bin/md5.cgi will verify the MD5
for you - it doesn't really make sense to have the same for PGP
signatures IMHO.

> The process on the above page is beyond most users'
> imagination.

As said, they probably don't even care otherwise they would know...

Cheers,
Erik
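Added example (not code from the thread, and not an Apache tool): Erik's walk-through above, of a release key signed by people you recognise and cross-checked against the project's KEYS file, as Python. It combines his two checks, a trust path from your own key to the signer's (b) and the signer's fingerprint appearing in KEYS. The fingerprints, the certification graph, the owner-trust settings and the KEYS excerpt are all constructed placeholders (the names are only those mentioned in the thread), and the trust computation is a simplified version of GnuPG's classic rules, assumed at their defaults of one fully trusted or three marginally trusted certifiers and a chain at most five deep; a real check would read the `sig` lines of `gpg --list-sigs` and the project's KEYS file instead.

```python
import re

# Constructed placeholder fingerprints (40 hex digits like an OpenPGP v4
# fingerprint, but NOT the real keys of anyone named in the thread).
ME        = "1111111111111111111111111111111111111111"  # the verifying user's own key
FIELDING  = "2222222222222222222222222222222222222222"
JAGIELSKI = "3333333333333333333333333333333333333333"
STRIKER   = "4444444444444444444444444444444444444444"  # key the release is signed with
NEWBIE    = "5555555555555555555555555555555555555555"  # only one marginal signature
FORGER    = "6666666666666666666666666666666666666666"  # nobody has certified this key

# Certifications, as read off the "sig" lines of `gpg --list-sigs`:
# signer -> keys whose user ID that signer has certified (constructed).
CERTS = {
    ME:        {FIELDING, JAGIELSKI},  # signed after checking IDs at a key-signing party
    FIELDING:  {STRIKER, JAGIELSKI},
    JAGIELSKI: {STRIKER, NEWBIE},
}
# Owner trust the user assigned (`gpg --edit-key <key> trust`), constructed.
OWNERTRUST = {FIELDING: "full", JAGIELSKI: "marginal"}

# Constructed excerpt in the layout of a KEYS file: `gpg --fingerprint` listing
# followed by the armored export (key material omitted in this sample).
KEYS_TEXT = """\
pub   1024D/44444444 2003-04-01
      Key fingerprint = 4444 4444 4444 4444 4444  4444 4444 4444 4444 4444
uid                  S. Striker (constructed example) <striker@example.invalid>
-----BEGIN PGP PUBLIC KEY BLOCK-----
(armored key material omitted in this constructed sample)
-----END PGP PUBLIC KEY BLOCK-----
pub   1024D/22222222 2001-01-01
      Key fingerprint = 2222 2222 2222 2222 2222  2222 2222 2222 2222 2222
uid                  Roy T. Fielding (constructed example) <fielding@example.invalid>
"""


def parse_keys_file(text):
    """Map fingerprint -> primary user ID for every 'pub' entry in a KEYS file.
    Reads only the listing (fingerprint line, then uid line, as `gpg --fingerprint`
    prints them); the armored blocks are skipped."""
    entries, current, in_armor = {}, None, False
    for line in text.splitlines():
        if line.startswith("-----BEGIN PGP"):
            in_armor = True
        elif line.startswith("-----END PGP"):
            in_armor = False
        elif in_armor:
            continue
        elif line.startswith("pub"):
            current = None
        elif m := re.search(r"Key fingerprint\s*=\s*([0-9A-Fa-f ]+)$", line):
            current = re.sub(r"\s+", "", m.group(1)).upper()
            entries.setdefault(current, None)
        elif line.startswith("uid") and current and entries[current] is None:
            entries[current] = line[3:].strip()
    return entries


def valid_keys(certs, ownertrust, ultimate, marginals_needed=3, completes_needed=1, max_depth=5):
    """Simplified GnuPG 'classic' trust model (assumed defaults: 1 complete or
    3 marginal certifications, chain depth at most 5). Returns {fingerprint: depth}
    for every key reachable through enough certifications from the user's own
    (ultimately trusted) keys, where only keys that are valid AND carry owner
    trust may vouch for others."""
    known = set(certs) | set().union(*certs.values()) | set(ultimate)
    valid = {fpr: 0 for fpr in ultimate}
    for depth in range(1, max_depth + 1):
        newly = {}
        for target in known - set(valid):
            full = marginal = 0
            for signer, signed in certs.items():
                if target not in signed or signer not in valid:
                    continue
                trust = "full" if signer in ultimate else ownertrust.get(signer)
                if trust == "full":
                    full += 1
                elif trust == "marginal":
                    marginal += 1
            if full >= completes_needed or marginal >= marginals_needed:
                newly[target] = depth
        if not newly:
            break
        valid.update(newly)
    return valid


def assess_release_signer(signer_fpr, keys_text, certs, ownertrust, ultimate):
    """Erik's two checks combined: is the signer's key in the project's KEYS file,
    and does a trust path from the user's own key reach it?"""
    listed = signer_fpr in parse_keys_file(keys_text)
    trusted = signer_fpr in valid_keys(certs, ownertrust, ultimate)
    if listed and trusted:
        return "trusted"            # a good signature from this key means a legit release
    if listed:
        return "listed-unverified"  # in KEYS, but you hold no path to the key (sebb's case)
    if trusted:
        return "valid-not-listed"   # someone you trust, but not a release-signing key
    return "unknown"


if __name__ == "__main__":
    for label, fpr in [("Striker", STRIKER), ("Newbie", NEWBIE), ("Forger", FORGER)]:
        print(label, "->", assess_release_signer(fpr, KEYS_TEXT, CERTS, OWNERTRUST, {ME}))
```

With the constructed data, Striker's key is valid at depth 2 (one full certifier, Fielding) and listed, so the release checks out; Newbie's key has a single marginal certification and is neither valid nor listed; and with no owner trust at all the same Striker key degrades to "listed-unverified", which is exactly the position of a user who has never connected to the WOT.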





Re: ASF Web of Trust [was: Release Distribution Strategy]

2007-10-29 Thread Erik Abele

On 29.10.2007, at 13:49, Robert Burrell Donkin wrote:

> ...
> IMO this needs to be done at the protocol level to gain the required
> security (rather than just the appearance of security). if there's
> anyone around who's active on HTTP standards then now would be a great
> time to jump in...


And back to '94:

http://hoohoo.ncsa.uiuc.edu/docs/PEMPGP.html

Or for a more recent effort:

http://mail-archives.apache.org/mod_mbox/httpd-dev/200707.mbox/% 
[EMAIL PROTECTED]

http://www.buanzo.com.ar/sec/enigform.en.html
http://freshmeat.net/articles/view/2599

HTH...

Cheers,
Erik





Re: ASF Web of Trust [was: Release Distribution Strategy]

2007-10-29 Thread sebb
On 29/10/2007, Erik Abele [EMAIL PROTECTED] wrote:
> On 29.10.2007, at 03:13, Niclas Hedhman wrote:
>
> > On Sunday 28 October 2007 23:15, Erik Abele wrote:
> > > As BenL always says: I don't give a shit about some random document,
> > > that could be faked anyway. All I care about is the email address
> > > connected to the key I intend to sign - is it really the address of
> > > the person in question?.
> >
> > Ok, and if you don't know the individual in person, you put the trust in
> > a Driver's license or similar... but doesn't really care how that 'trust'
> > was established.
>
> There's a ton of interpretations and levels of trust out there; I
> suggest you consult Google for that.
>
> > I must be plain dumb, but I don't get why this provides any comfort to
> > end-users, even if they manage to figure out what to do with the .ASCs (I bet
> > a very small percentage do).
>
> Well, if you verify an ASF release it can show you two things:
>
> a) if the signature is good you know that the file has not been tampered with;
>    it's the same as when the release was originally cut by the RM
> b) if you can establish a trust path to the signer of the file then you can be
>    pretty sure that it's a legit release and not a faked one

Even if you can't establish a trust path, the PGP signature gives a
bit more assurance than a hash. The KEY file should be in SVN, so you
can ensure that the person that added the key to the KEY file was at
least a committer to SVN.

> Again, please see http://httpd.apache.org/dev/verification.html -
> especially the sections on Checking Signatures [a) above] and
> Validating Authenticity of a Key [b) above].
>
> Re small percentage: I doubt that most users even care; the majority
> probably won't even think about it :(
>
> > And that is why I am asking for better tooling.
>
> Ok, feel free to improve that :-)
>
> > > See also http://wiki.apache.org/apachecon/PgpKeySigning
> >
> > Ok, it shows half the picture; how to sign the keys is left out...
>
> See one of the billions of tutorials in Google, or simply man
> gpg (--sign-key or --edit-key).
>
> > > > as well as tooling support for verifications.
> > > http://httpd.apache.org/dev/verification.html
> >
> > U, we probably have more than a million users. Do we expect them all to
> > get a hook into the WOT ?? IMHO, there is something wrong with that
> > picture...
>
> The million users don't even care about all that - the ones who do
> will find a way to connect the dots or even get into the WOT (see
> examples provided by Robert).
>
> E.g. if I see that a release is signed by the key XYZ of S. Striker
> and I go and fetch that key from a public keyserver and take a look
> at the list of signatures, I'll find out that there are names like Roy
> T. Fielding, Jim Jagielski, and so on... now, when I compare the
> fingerprints and maybe also have a look at http://www.apache.org/dist/httpd/KEYS
> then I can be pretty sure that the release was made by an
> official member of the HTTPD PMC - that should be enough for Random
> Joe to feel comfortable...
>
> > Couldn't a simple http://www.apache.org/verify where I put the ASC file (and
> > the MD5 of download??) and get an Authenticated or not response be done?? If
> > that is too hard to automate, I don't think we ever will see any increase in
> > user awareness.
>
> http://people.apache.org/~henkp/cgi-bin/md5.cgi will verify the MD5
> for you - it doesn't really make sense to have the same for PGP
> signatures IMHO.
>
> > The process on the above page is beyond most users'
> > imagination.
>
> As said, they probably don't even care otherwise they would know...
>
> Cheers,
> Erik








RE: ASF Web of Trust [was: Release Distribution Strategy]

2007-10-29 Thread Gilles Scokart


> -Original Message-
> From: sebb [mailto:[EMAIL PROTECTED]
>
> Even if you can't establish a trust path, the PGP signature gives a
> bit more assurance than a hash. The KEY file should be in SVN, so you
> can ensure that the person that added the key to the KEY file was at
> least a committer to SVN.

That's only for the users who have https access to SVN (and who can reliably
verify the SSH key of the server).  The others have to assume that the server
from which they are reading the KEY file is the real one.

Gilles






Re: ASF Web of Trust [was: Release Distribution Strategy]

2007-10-29 Thread Niclas Hedhman
On Monday 29 October 2007 21:26, Erik Abele wrote:
> > The process on the above page is beyond most users'
> > imagination.
>
> As said, they probably don't even care otherwise they would know...

I rest my case; if I don't care about routing tables in TCP/IP stacks, I don't
need Internet, right?

Asking me to do something about it is also asking at the wrong end, since I
am a newbie at the topic and barely trust myself getting anything right.

I guess this is getting out of scope for Incubator...

Cheers
Niclas




Re: ASF Web of Trust [was: Release Distribution Strategy]

2007-10-29 Thread Erik Abele

On 29.10.2007, at 16:02, Niclas Hedhman wrote:

> On Monday 29 October 2007 21:26, Erik Abele wrote:
> > > The process on the above page is beyond most users'
> > > imagination.
> >
> > As said, they probably don't even care otherwise they would know...
>
> I rest my case; if I don't care about routing tables in TCP/IP stacks, I don't
> need Internet, right?

Oh come on, if you don't know how to drive a car you probably
shouldn't drive one, right?

We're not talking about rocket science here, and fwiw, the majority
of the general users are simply not verifying any of their
downloads... also we're not talking about your mum (no pun
intended!), our user-base consists mostly of developers,
administrators, etc. and these people simply know how to do it,
please read Robert's examples.

We also have the MD5 hashes (incl. web-interface) which are more than
sufficient for the big masses who simply want to double-click...

> Asking me to do something about it is also asking at the wrong end, since I
> am a newbie at the topic and barely trust myself getting anything right.

Well, that's the way we operate - scratch your itch and so on... :)

And fwiw, I was a newbie too but that doesn't prevent you from diving
in etc. I personally simply have no time and interest in this, though
I also don't object to improvements.

> I guess this is getting out of scope for Incubator...

Aye, feel free to circle back to community@ - maybe someone has the
same itch and comes up with something.

Maybe https://issues.apache.org/jira/browse/INFRA-1387 is a start for
solving some of your concerns?

(Note the reference about automatically checking the md5 hashes in
the report, I think that'd be a nice benefit of using something like
that, as Joshua also pointed out.)

Cheers,
Erik





Re: ASF Web of Trust [was: Release Distribution Strategy]

2007-10-29 Thread sebb
On 29/10/2007, Gilles Scokart [EMAIL PROTECTED] wrote:
> > -Original Message-
> > From: sebb [mailto:[EMAIL PROTECTED]
> >
> > Even if you can't establish a trust path, the PGP signature gives a
> > bit more assurance than a hash. The KEY file should be in SVN, so you
> > can ensure that the person that added the key to the KEY file was at
> > least a committer to SVN.
>
> That's only for the users who have https access to SVN (and who can reliably
> verify the SSH key of the server).  The others have to assume that the server
> from which they are reading the KEY file is the real one.


Strictly speaking, yes.

The KEY file can be downloaded without needing https access, but as
you point out, this is not necessarily a guarantee of authenticity.

However, it is one more obstacle that a hacker would have to surmount
- they would have to subvert the SVN host as well as the main apache
host holding the KEY file.

> Gilles









Re: ASF Web of Trust [was: Release Distribution Strategy]

2007-10-29 Thread Robert Burrell Donkin
On 10/29/07, Erik Abele [EMAIL PROTECTED] wrote:
> On 29.10.2007, at 16:02, Niclas Hedhman wrote:

snip

> > Asking me to do something about it is also asking at the wrong end, since I
> > am a newbie at the topic and barely trust myself getting anything right.
>
> Well, that's the way we operate - scratch your itch and so on... :)

+1

sometimes only energy is all that's really needed. passion goes a long way.

> > I guess this is getting out of scope for Incubator...

maybe, maybe not - incubator has a role to play in developing best practice

> Aye, feel free to circle back to community@ - maybe someone has the
> same itch and comes up with something.
>
> Maybe https://issues.apache.org/jira/browse/INFRA-1387 is a start for
> solving some of your concerns?
>
> (Note the reference about automatically checking the md5 hashes in
> the report, I think that'd be a nice benefit of using something like
> that, as Joshua also pointed out.)

the automatic checking sounds good - probably worth taking a closer look at

- robert




Re: ASF Web of Trust [was: Release Distribution Strategy]

2007-10-28 Thread Erik Abele

On 28.10.2007, at 08:57, Niclas Hedhman wrote:

> On Sunday 28 October 2007 06:24, Noel J. Bergman wrote:
> > Perhaps
> > we should add some information on getting into the Web of Trust, although
> > that is really a general committer item, not Incubator specific.
>
> I am not very security fluent, and perhaps someone could explain to me;
>
> What is the difference of being an Apache committer/Member with the *signed*
> ICLA, which indeed is a legal document, and that other ASF folks have seen
> your driver's license (et al) and signed you into the web of trust?

Um, these two things are totally unrelated.

> From my perspective, the latter is not legally binding and at the most acts as
> some form of 'someone has identified it to be a real person with that
> name'...

Aye, given that you trust the government-issued doc (like a drivers
license)...

As BenL always says: I don't give a shit about some random document,
that could be faked anyway. All I care about is the email address
connected to the key I intend to sign - is it really the address of
the person in question?.

> FWIW, I think ASF should increase the efforts in the ASF Web of Trust, both
> getting more people engaged (like myself, I can't figure out the practical
> details on how to go about it)

Get a key, print the fingerprint and come to an AC and let it be signed by
some other folks - that's it.

See also http://wiki.apache.org/apachecon/PgpKeySigning

> as well as tooling support for verifications.

http://httpd.apache.org/dev/verification.html

Cheers,
Erik




Re: ASF Web of Trust [was: Release Distribution Strategy]

2007-10-28 Thread Robert Burrell Donkin
On 10/28/07, Erik Abele [EMAIL PROTECTED] wrote:
> On 28.10.2007, at 08:57, Niclas Hedhman wrote:

snip

> > as well as tooling support for verifications.
>
> http://httpd.apache.org/dev/verification.html

IMHO verification is too important to be left to users. perhaps HTTP
could be extended by a 3xx Mirrored response. headers could return a
list of mirrors together with hashes, signatures and links to keys.

- robert




Re: ASF Web of Trust [was: Release Distribution Strategy]

2007-10-28 Thread Craig L Russell

Hi,

Some background on the web of trust (wot) that ASF uses for signers
of code releases is at http://en.wikipedia.org/wiki/Web_of_trust

You correctly point out that the icla is a binding document in which
the party signing the document grants certain intellectual property
rights to the ASF. The signature on this document is not verified to
be the signature of a real person. It could be anyone. But whoever
signed the document and commits code under the name in the document
is assumed to have the authority to do so.

The wot is a different thing. It grants no authority and has no
inherent rights. The only thing it attempts to guarantee is that the
real person who is in the wot is the person who is responsible for
signing the releases.

The primary way the Apache wot is increased is at signing parties
usually but not necessarily conducted during ApacheCons. A signing
party can be held any time as long as there are two people who want
to confirm each other's identity and add to the wot. At least one of
the people at the signing party is already a member of the wot. If
only one, then the wot created at the party is connected to the
Apache wot via one or more strands of trust (I made that up).

Craig

On Oct 28, 2007, at 12:57 AM, Niclas Hedhman wrote:

> On Sunday 28 October 2007 06:24, Noel J. Bergman wrote:
> > Perhaps
> > we should add some information on getting into the Web of Trust, although
> > that is really a general committer item, not Incubator specific.
>
> I am not very security fluent, and perhaps someone could explain to me;
>
> What is the difference of being an Apache committer/Member with the *signed*
> ICLA, which indeed is a legal document, and that other ASF folks have seen
> your driver's license (et al) and signed you into the web of trust?
>
> From my perspective, the latter is not legally binding and at the most acts as
> some form of 'someone has identified it to be a real person with that
> name'...
>
> FWIW, I think ASF should increase the efforts in the ASF Web of Trust, both
> getting more people engaged (like myself, I can't figure out the practical
> details on how to go about it) as well as tooling support for verifications.
>
> Cheers
> Niclas



Craig Russell
Architect, Sun Java Enterprise System http://java.sun.com/products/jdo
408 276-5638 mailto:[EMAIL PROTECTED]
P.S. A good JDO? O, Gasp!





Re: ASF Web of Trust [was: Release Distribution Strategy]

2007-10-28 Thread Niclas Hedhman
On Sunday 28 October 2007 23:15, Erik Abele wrote:
> As BenL always says: I don't give a shit about some random document,
> that could be faked anyway. All I care about is the email address
> connected to the key I intend to sign - is it really the address of
> the person in question?.

Ok, and if you don't know the individual in person, you put the trust in
a Driver's license or similar... but doesn't really care how that 'trust'
was established.
I must be plain dumb, but I don't get why this provides any comfort to
end-users, even if they manage to figure out what to do with the .ASCs (I bet
a very small percentage do).

And that is why I am asking for better tooling.

> See also http://wiki.apache.org/apachecon/PgpKeySigning

Ok, it shows half the picture; how to sign the keys is left out...

> > as well as tooling support for verifications.
> http://httpd.apache.org/dev/verification.html

U, we probably have more than a million users. Do we expect them all to
get a hook into the WOT ?? IMHO, there is something wrong with that
picture...

Couldn't a simple http://www.apache.org/verify where I put the ASC file (and
the MD5 of download??) and get an Authenticated or not response be done?? If
that is too hard to automate, I don't think we ever will see any increase in
user awareness. The process on the above page is beyond most users'
imagination.


Cheers
Niclas
