The board took up this subject briefly at our Aug 29th meeting.  Below is
the board's feedback:

Marshall Schor wrote:
> 
> Apache signing, to my knowledge, doesn't require use of a certificate
> authority.

Apache projects post trusted signatories in a KEYS or equivalent file within
the http://www.apache.org/dist/{project}/ distribution location.  You may
also advertise any key within the http://people.apache.org/ committers view
by following the instructions on that site for maintaining your .foaf entry.

PGP keys should also be registered at the pgp.mit.edu keyserver, and we ask
you to countersign one another's keys at an appropriate event, such as the
ApacheCon key signing events.

However, the board considers any personal signing mechanism to be equivalent
and appropriate.  So signing a tarball with your PGP key, or a jar with your
Java Code Signing Certificate, or a .NET assembly with a Code Signing Cert
would all be equivalent.  Simply document the trusted certificates in the
appropriate distribution/download directories, and preferably include some
short comments or instructions for users to obtain/validate the signatures
of packages they download.

> I'd be interested to learn if others have gone down the Java JAR signing
> path, and if so,
>  - is it considered an OK alternative to Apache signing,

Source tarballs should still be signed with your pgp key.  Binaries can
be signed (as appropriate) with your code signing certificate as necessary.

>  - how did you get a certificate authority to verify ownership of your
> signing key

If this becomes a frequently used approach and proves to be an issue, the
board will take up the issue of considering obtaining a signing authority
certificate and signing individual certificates at some point in the future,
once a specific proposal is brought to us.

Bill
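As an added example (not code from this thread or from any Apache project), the script below does what the message asks a project's download instructions to tell users: import the project's KEYS file into a throwaway keyring and verify the detached .asc signature of a tarball against it. It assumes GnuPG 2.1 or later (for --quick-gen-key and loopback pinentry) and constructs its own release-manager key, KEYS file and tarball locally so it runs offline; the names (project-1.0-src.tar.gz, rm@example.org, stranger@example.org) are illustrative, not any project's.

```shell
#!/bin/sh
# Added example (not from the thread or from any Apache project): verify a
# release tarball against a project's KEYS file using a throwaway keyring.
# The key, the "release" and the KEYS file are all constructed locally so
# the script runs offline; file names and addresses are illustrative.
set -eu

# verify_release TARBALL SIGNATURE KEYS_FILE
# Import KEYS into a fresh, private homedir so the user's own keyring and
# trust database cannot influence the result, then check the detached .asc
# signature. Returns 0 only for a good signature from a key listed in KEYS;
# a bad signature or a signer absent from KEYS returns 1.
verify_release() {
    tarball=$1; sig=$2; keys=$3
    ring=$(mktemp -d)
    chmod 700 "$ring"
    gpg --homedir "$ring" --batch --quiet --import "$keys" 2>/dev/null
    if gpg --homedir "$ring" --batch --verify "$sig" "$tarball" >/dev/null 2>&1; then
        rc=0
    else
        rc=1
    fi
    gpgconf --homedir "$ring" --kill gpg-agent >/dev/null 2>&1 || true
    rm -rf "$ring"
    return $rc
}

# make_key HOMEDIR USERID: generate a passphrase-less signing key (assumes
# gpg >= 2.1, which accepts --quick-gen-key and loopback pinentry).
make_key() {
    mkdir -p "$1"; chmod 700 "$1"
    gpg --homedir "$1" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key "$2" default default never 2>/dev/null
}

# sign_file HOMEDIR FILE: write an ASCII-armored detached signature FILE.asc,
# the form projects publish next to each download.
sign_file() {
    gpg --homedir "$1" --batch --quiet --yes --pinentry-mode loopback --passphrase '' \
        --armor --detach-sign --output "$2.asc" "$2" 2>/dev/null
}

# run_demo: build a constructed release and exercise the three cases a
# download check has to get right. Prints "good=0 tampered=1 unknown=1".
run_demo() {
    work=$(mktemp -d)
    rm_home="$work/rm"; stranger_home="$work/stranger"
    make_key "$rm_home" "Release Manager (example) <rm@example.org>"
    make_key "$stranger_home" "Someone Else (example) <stranger@example.org>"

    # The "release": a tiny constructed source tree, tarred up as a project would ship it.
    mkdir -p "$work/src"; printf 'hello\n' > "$work/src/README"
    tar -C "$work" -czf "$work/project-1.0-src.tar.gz" src

    # KEYS lists only the release manager, as a project's KEYS file would.
    gpg --homedir "$rm_home" --armor --export rm@example.org > "$work/KEYS" 2>/dev/null

    # Case 1: genuine release signed by a key in KEYS -> accepted.
    sign_file "$rm_home" "$work/project-1.0-src.tar.gz"
    if verify_release "$work/project-1.0-src.tar.gz" "$work/project-1.0-src.tar.gz.asc" "$work/KEYS"; then good=0; else good=1; fi

    # Case 2: same signature, but the tarball was altered after signing -> rejected.
    cp "$work/project-1.0-src.tar.gz" "$work/tampered.tar.gz"
    printf 'X' >> "$work/tampered.tar.gz"
    if verify_release "$work/tampered.tar.gz" "$work/project-1.0-src.tar.gz.asc" "$work/KEYS"; then tampered=0; else tampered=1; fi

    # Case 3: a valid signature from a key that is not in KEYS -> rejected.
    cp "$work/project-1.0-src.tar.gz" "$work/unknown.tar.gz"
    sign_file "$stranger_home" "$work/unknown.tar.gz"
    if verify_release "$work/unknown.tar.gz" "$work/unknown.tar.gz.asc" "$work/KEYS"; then unknown=0; else unknown=1; fi

    for h in "$rm_home" "$stranger_home"; do
        gpgconf --homedir "$h" --kill gpg-agent >/dev/null 2>&1 || true
    done
    rm -rf "$work"
    echo "good=$good tampered=$tampered unknown=$unknown"
}

# Run the demonstration when executed directly.
if command -v gpg >/dev/null 2>&1; then
    run_demo
else
    echo "gpg not found; cannot run the demonstration" >&2
fi
```

For a real download the user fetches KEYS from the project's distribution directory (the http://www.apache.org/dist/{project}/ location the message names) and the .asc from beside the tarball, then runs verify_release on the three files. A good signature from a key in KEYS only establishes that the release was signed by whoever holds that key; tying the key to a real committer is what the countersigning at key signing events is for, which is why the message asks for it in addition to publishing KEYS.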

