On Tue, 31 Dec 2013 13:27:30 -0500
Daniel Kahn Gillmor wrote:
> On 12/31/2013 01:19 PM, Graham Leggett wrote:
> > It is also a statement of what keys have historically been used to
> > sign past artifacts, and that is just as important.
>
> These are distinct things, though. It would be great i
On 12/31/2013 01:19 PM, Graham Leggett wrote:
> It is also a statement of what keys have historically been used to sign past
> artifacts, and that is just as important.
These are distinct things, though. It would be great if the apache
project could separately identify which keys are going to be
On 31 Dec 2013, at 20:07, Issac Goldstand wrote:
> Not in this case. Revoking would be a statement by the key owner that
> the key is no good (something that would probably be smart to do, but at
> the same time way out of the PMC's control). Pruning the KEYS file is a
> statement by the PMC ab
Not in this case. Revoking would be a statement by the key owner that
the key is no good (something that would probably be smart to do, but at
the same time way out of the PMC's control). Pruning the KEYS file is a
statement by the PMC about what keys the PMC authorizes to sign artifacts.
Issa
Isn't the "normal" solution path - rather than prune, to revoke keys?
On Fri, Dec 27, 2013 at 4:53 PM, Frederick Miller wrote:
> Please remove me from this email list. Please unsubscribe me. Thanks.
>
>
> On Fri, Dec 27, 2013 at 10:49 AM, Daniel Kahn Gillmor <
> d...@fifthhorseman.net> wrote:
>
Please remove me from this email list. Please unsubscribe me. Thanks.
On Fri, Dec 27, 2013 at 10:49 AM, Daniel Kahn Gillmor wrote:
> On 12/26/2013 06:18 PM, Nick Kew wrote:
> > You're ahead of us. Individual Apache folks like Jim have taken
> > responsibility and moved to 4096-bit keys, but w
On 12/26/2013 06:18 PM, Nick Kew wrote:
> You're ahead of us. Individual Apache folks like Jim have taken
> responsibility and moved to 4096-bit keys, but we haven't as a
> community had the discussion that might lead to pruning KEYS.
> My inclination is to say NO to requiring anyone to remove old
On 26 Dec 2013, at 21:47, Daniel Kahn Gillmor wrote:
> As part of the discussion, it's become clear that some of the keys in
> https://www.apache.org/dist/httpd/KEYS are weak by any modern
> consideration of public key cryptography. Could this set of keys be
> pruned?
You're ahead of us. Indiv
Hi apache folks--
In http://bugs.debian.org/732450, debian is preparing to
cryptographically verify OpenPGP signatures on apache upstream tarballs.
As part of the discussion, it's become clear that some of the keys in
https://www.apache.org/dist/httpd/KEYS are weak by any modern
consideration of