Re: key signing

2012-10-16 Thread Noah Slater
s to me that there is a gap in the incubation process, and > I don't know how to fill it. > > As far as I can see, we don't do anything to facilitate or encourage > getting PGP keys signed. We tell people to create a key and put it in > the SVN 'keys' file. >

Re: key signing

2012-10-16 Thread Noah Slater
On Mon, Oct 15, 2012 at 1:46 PM, Benson Margulies wrote: > > 1) send email to him and his PMC fellows, referencing this thread, as > evidence that key signing is nice but optional. This seems like the most sensible option. AFAIK, signed keys have never been required to sign releases f

RE: key signing

2012-10-15 Thread Dennis E. Hamilton
onday, October 15, 2012 11:22 To: Dennis E. Hamilton Cc: general@incubator.apache.org Subject: Re: key signing Dennis E. Hamilton wrote on Mon, Oct 15, 2012 at 11:07:56 -0700: > <https://people.apache.org/keys/committer/orcmid.asc>. (I'm not sure > where this is fetched from, so I&

Re: key signing

2012-10-15 Thread Daniel Shahaf
Dennis E. Hamilton wrote on Mon, Oct 15, 2012 at 11:07:56 -0700: > . (I'm not sure > where this is fetched from, so I'm not sure how counter-signed versions Currently keys.gnupg.net https://svn.apache.org/repos/asf/infrastructure/site/trunk/pe

RE: key signing

2012-10-15 Thread Dennis E. Hamilton
s/committer/orcmid.asc>. (I'm not sure where this is fetched from, so I'm not sure how counter-signed versions show up.) I am continuing to experiment. -Original Message- From: Benson Margulies [mailto:bimargul...@gmail.com] Sent: Monday, October 15, 2012 05:46 To: general@

Re: key signing

2012-10-15 Thread Marvin Humphrey
On Mon, Oct 15, 2012 at 6:02 AM, Nick Burch wrote: > So, for a short-term fix for your potential Release Manager, I'd suggest you > get them in touch with a nearby local mentor. Why is raising the barrier to entry for new Release Managers better than having multiple experienced PMC members sign a

Re: key signing

2012-10-15 Thread Marvin Humphrey
;s *necessary* for him to come up with one or more signatures on his > key to act at an RM. > > Choices: > > 1) send email to him and his PMC fellows, referencing this thread, as > evidence that key signing is nice but optional. In my opinion, the best thing to do would be

Re: key signing

2012-10-15 Thread Nick Burch
On Mon, 15 Oct 2012, Benson Margulies wrote: Choices: There is another option, which I mentioned in the other key signing thread on members@, which applies equally here too. Reposting my answer from there, with a few tweaks... In-person keysigning doesn't just have to be at Apach

Re: key signing

2012-10-15 Thread Benson Margulies
t at an RM. Choices: 1) send email to him and his PMC fellows, referencing this thread, as evidence that key signing is nice but optional. 2) go ahead and sign his key based on simple email. I'm a very bad paranoid; I'm not interested in the idea that some person out there is anxious to

Re: key signing

2012-10-11 Thread Marvin Humphrey
On Thu, Oct 11, 2012 at 1:29 PM, Daniel Shahaf wrote: > 1) RM prepares tarball, signs, uploads for voting > 2) voting passes > 3) mentor appends his signature to the .asc file > 4) artifacts posted to dist/ > > That solves the problem for end users until the RM attends a keysigning > party. +1 G

Re: key signing

2012-10-11 Thread Daniel Shahaf
Marvin Humphrey wrote on Thu, Oct 11, 2012 at 11:46:23 -0700: > In my opinion, general@incubator is an appropriate venue to explore ways in > which the system can be improved. That will necessarily mean talking about I am sure there are crypto minds in the ASF who aren't on general@incubator.

Re: key signing

2012-10-11 Thread Daniel Shahaf
the place to develop it. > > The Incubator is where the acute need exists, because we are bootstrapping > entire communities where no one is linked into the web of trust. > > For existing projects, the longer they've been around, the more likely that a > significant number of c

RE: key signing

2012-10-11 Thread Dennis E. Hamilton
other factors are you thinking of? (I am not sure how many factors signings by others count as new factors.) - Dennis -Original Message- From: Marvin Humphrey [mailto:mar...@rectangular.com] Sent: Thursday, October 11, 2012 11:46 To: general@incubator.apache.org Subject: Re: key signing O

Re: key signing

2012-10-11 Thread Marvin Humphrey
mmunities where no one is linked into the web of trust. For existing projects, the longer they've been around, the more likely that a significant number of committers have attended an ApacheCon key-signing party or otherwise had an opportunity to get their keys signed. But here, we see new R

Re: key signing

2012-10-11 Thread Marvin Humphrey
In the short term, it provides footage for third parties contacted out-of-band (via e.g. phone or email) to review and provide testimonials: "Yes, that's my colleague Noah Slater, who I've known for 5 years". Should the video archive mysteriously vanish before that loop closes,

Re: key signing

2012-10-11 Thread Nick Kew
On 11 Oct 2012, at 17:14, Dennis E. Hamilton wrote: > @Nick > > I don't understand the supposed attack vector concerning the file digests > being of no value and the WoT being essential. > > - Dennis > > ANALYSIS > > So long as the digest value is obtained from a reliable read-only source, i

RE: key signing

2012-10-11 Thread Dennis E. Hamilton
on of trust and how it is noticed is an aspect of WoT that I have not investigated.) -Original Message- From: Nick Kew [mailto:n...@webthing.com] Sent: Thursday, October 11, 2012 06:46 To: general@incubator.apache.org Subject: Re: key signing On 11 Oct 2012, at 09:57, Noah Slater wrot

RE: key signing

2012-10-11 Thread Dennis E. Hamilton
regard to checking digital signatures on release candidates and in any subsequent forensic investigation/confirmation. - Dennis -Original Message- From: Dennis E. Hamilton [mailto:orc...@apache.org] Sent: Thursday, October 11, 2012 08:19 To: general@incubator.apache.org Subject: RE: k

Re: key signing

2012-10-11 Thread Nick Kew
On 11 Oct 2012, at 09:57, Noah Slater wrote: > On Thu, Oct 11, 2012 at 9:01 AM, Nick Kew wrote: > >> >> You have to extend that assumption not only to our infrastructure but to >> every proxy that might come between us and a user, and that might >> substitute a trojan along with the trojan's o

RE: key signing

2012-10-11 Thread Dennis E. Hamilton
have to take any special steps at all, other than pay attention to the warning dialogs that the platform coughs up. -Original Message- From: Benson Margulies [mailto:bimargul...@gmail.com] Sent: Thursday, October 11, 2012 05:20 To: general@incubator.apache.org Subject: Re: key signing

Re: key signing

2012-10-11 Thread Nick Kew
On 11 Oct 2012, at 13:19, Benson Margulies wrote: > Over and above that, we could then ask, 'how could we improve > protection against most complex problems?' Now that's something the ASF might indeed be well-qualified to hack. Improved end-user tools (e.g. browser plugins) to take advantage of

Re: key signing

2012-10-11 Thread Daniel Shahaf
sebb wrote on Thu, Oct 11, 2012 at 09:48:25 +0100: > On 11 October 2012 02:39, Daniel Shahaf wrote: > > Greg Stein wrote on Wed, Oct 10, 2012 at 21:31:30 -0400: > >> Not too much. We still instruct users "take the signatures and verify > >> them against blah.apache.org/KEYS". John Blackhat could r

Re: key signing

2012-10-11 Thread Martijn Dashorst
On Thu, Oct 11, 2012 at 10:57 AM, Noah Slater wrote: > Which is why we link to the .md5, .sha, .asc, and KEYS files on our servers. > Unless you're assuming a MITM along the request/response path to apache.org, > in which case all bets are off anyway. No? Which is why I have my release vote messag
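The check the messages above turn on is comparing the KEYS file a downloader fetches with a fingerprint learned some other way (the release vote mail, or the committer's record on people.apache.org). The following is an added example, not code from the thread, from ASF infrastructure or from GnuPG: it parses the ASCII-armored blocks of a KEYS file offline, verifies each block's CRC24 trailer, walks the OpenPGP packets (RFC 4880), computes every primary key's v4 fingerprint and collects its user IDs. The key it parses is constructed inline: the modulus is filler of the right size, the user ID and the `pub` line are made up.

```python
"""Offline check of an Apache-style KEYS file (added example, not from the thread):
compute each primary key's v4 fingerprint and user IDs for comparison with a
fingerprint learned out of band (vote mail, committer LDAP record)."""
import base64
import hashlib
import re
import struct

ARMOR_RE = re.compile(r"-----BEGIN PGP PUBLIC KEY BLOCK-----\r?\n(.*?)-----END PGP PUBLIC KEY BLOCK-----", re.S)


def crc24(data: bytes) -> int:
    """Armor checksum from RFC 4880 section 6.1."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def dearmor(inner: str) -> bytes:
    """Drop armor headers, base64-decode the body and check the CRC24 trailer."""
    lines = [ln.strip() for ln in inner.splitlines()]
    if "" in lines:                          # headers such as Version: end at the blank line
        lines = lines[lines.index("") + 1:]
    if not lines or not lines[-1].startswith("="):
        raise ValueError("armor without CRC24 trailer")
    want = int.from_bytes(base64.b64decode(lines[-1][1:]), "big")
    raw = base64.b64decode("".join(lines[:-1]))
    if crc24(raw) != want:
        raise ValueError("armor CRC24 mismatch: block corrupted or truncated")
    return raw


def iter_packets(data: bytes):
    """Yield (tag, body) for each OpenPGP packet; old- and new-format headers."""
    i = 0
    while i < len(data):
        ctb, i = data[i], i + 1
        if not ctb & 0x80:
            raise ValueError("bad packet tag byte")
        if ctb & 0x40:                       # new format: tag in the low 6 bits
            tag, b0 = ctb & 0x3F, data[i]
            if b0 < 192:
                length, i = b0, i + 1
            elif b0 < 224:
                length, i = ((b0 - 192) << 8) + data[i + 1] + 192, i + 2
            elif b0 == 255:
                length, i = struct.unpack(">I", data[i + 1:i + 5])[0], i + 5
            else:
                raise ValueError("partial body lengths not supported")
        else:                                # old format: tag in bits 2-5, length type in bits 0-1
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            size = (1, 2, 4)[ltype]
            length, i = int.from_bytes(data[i:i + size], "big"), i + size
        yield tag, data[i:i + length]
        i += length


def v4_fingerprint(body: bytes) -> str:
    # SHA-1 over 0x99, the two-byte body length and the public key packet body.
    if body[0] != 4:
        raise ValueError("only v4 keys are handled")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def parse_keys_file(text: str) -> dict:
    """Map the fingerprint of every primary key in a KEYS file to its user IDs."""
    keys = {}
    for match in ARMOR_RE.finditer(text):
        current = None
        for tag, body in iter_packets(dearmor(match.group(1))):
            if tag == 6:                     # primary public key
                current = v4_fingerprint(body)
                keys[current] = []
            elif tag == 13 and current:      # user ID bound to the preceding key
                keys[current].append(body.decode("utf-8", "replace"))
    return keys


def fingerprint_listed(keys: dict, expected: str) -> bool:
    # True if an out-of-band fingerprint (any spacing or case) appears in the file.
    return expected.replace(" ", "").upper() in keys


def _mpi(n: int) -> bytes:
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")


def make_public_key_packet(modulus: int, exponent: int = 65537, created: int = 1349395200) -> bytes:
    body = b"\x04" + struct.pack(">I", created) + b"\x01" + _mpi(modulus) + _mpi(exponent)
    return b"\x99" + struct.pack(">H", len(body)) + body   # old-format tag 6, 2-byte length


def armor(raw: bytes) -> str:
    b64 = base64.b64encode(raw).decode()
    crc = base64.b64encode(crc24(raw).to_bytes(3, "big")).decode()
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: constructed sample\n\n"
            + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
            + "\n=" + crc + "\n-----END PGP PUBLIC KEY BLOCK-----\n")


# Constructed sample: the modulus is size-correct filler, not a real RSA key.
SAMPLE_MODULUS = (1 << 2047) | int("C0FFEE" * 85, 16)
SAMPLE_UID = "Sample Committer (constructed) <sample@example.invalid>"
SAMPLE_RAW = (make_public_key_packet(SAMPLE_MODULUS)
              + b"\xb4" + bytes([len(SAMPLE_UID)]) + SAMPLE_UID.encode())   # old-format tag 13
SAMPLE_KEYS = "pub   2048R/00000000 2012-10-05\nuid   " + SAMPLE_UID + "\n" + armor(SAMPLE_RAW)
```

A downloader runs `parse_keys_file` over the fetched KEYS text and passes the fingerprint from the vote mail to `fingerprint_listed`; a missing fingerprint, or a CRC24 failure, means the file served is not the one the release manager published, which is the substitution Greg and Daniel are arguing about. This only authenticates the key material against a second channel; whether the key belongs to the named person is the separate web-of-trust question the rest of the thread is about.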

Re: key signing

2012-10-11 Thread Noah Slater
On Thu, Oct 11, 2012 at 9:48 AM, sebb wrote: > On 11 October 2012 02:39, Daniel Shahaf wrote: > > Greg Stein wrote on Wed, Oct 10, 2012 at 21:31:30 -0400: > >> Not too much. We still instruct users "take the signatures and verify > >> them against blah.apache.org/KEYS". John Blackhat could repla

Re: key signing

2012-10-11 Thread Noah Slater
On Thu, Oct 11, 2012 at 9:01 AM, Nick Kew wrote: > > You have to extend that assumption not only to our infrastructure but to > every proxy that might come between us and a user, and that might > substitute a trojan along with the trojan's own SHA1. > The same reasoning holds for the .asc file.

Re: key signing

2012-10-11 Thread sebb
On 11 October 2012 02:39, Daniel Shahaf wrote: > Greg Stein wrote on Wed, Oct 10, 2012 at 21:31:30 -0400: >> Not too much. We still instruct users "take the signatures and verify >> them against blah.apache.org/KEYS". John Blackhat could replace the >> signatures and install his entry into KEYS. >

Re: key signing

2012-10-11 Thread Nick Kew
On 11 Oct 2012, at 00:44, Greg Stein wrote: > Please explain how "keys" are needed for this ASF release? Consumers are > already told to verify the SHA1 and nothing more. I doubt any more is > needed. SHA1 offers no more protection than a checksum against MITM attack. > (assume secure Infrastru

Re: key signing

2012-10-11 Thread Branko Čibej
On 10.10.2012 00:01, Marvin Humphrey wrote: > While this protocol does not rely heavily on validating > government-issued IDs, the Debian guidelines quoted above point out > that some people object to giving such IDs too much credence: So instead of giving too much credence to government-issued I

Re: key signing

2012-10-10 Thread Peter Karman
Greg Stein wrote on 10/10/12 6:44 PM: > I've read this entire thread (whew!), and would actually like to throw out > a contrary position: > > No signed keys. +1 -- Peter Karman . http://peknet.com/ . pe...@peknet.com - To

Re: key signing

2012-10-10 Thread Daniel Shahaf
Greg Stein wrote on Wed, Oct 10, 2012 at 21:40:18 -0400: > On Wed, Oct 10, 2012 at 9:35 PM, Daniel Shahaf > wrote: > > Greg Stein wrote on Wed, Oct 10, 2012 at 21:14:15 -0400: > >... > >> My point is that our instructions to users don't really incorporate > >> the notions of "keys", and (thus) p

Re: key signing

2012-10-10 Thread Greg Stein
there is no binding. I'm only considering a binding against the ASF. It is residing on our infrastructure, its checksum matches, therefore it must be authentic. Does the extra glue really matter? Do we really need to figure out key signing parties? What are we truly getting out of this? I

Re: key signing

2012-10-10 Thread Daniel Shahaf
Greg Stein wrote on Wed, Oct 10, 2012 at 21:31:30 -0400: > Not too much. We still instruct users "take the signatures and verify > them against blah.apache.org/KEYS". John Blackhat could replace the > signatures and install his entry into KEYS. If you use https://people.apache.org/keys/ instead of

Re: key signing

2012-10-10 Thread Daniel Shahaf
Greg Stein wrote on Wed, Oct 10, 2012 at 21:14:15 -0400: > On Wed, Oct 10, 2012 at 9:10 PM, Daniel Shahaf > wrote: > > Greg Stein wrote on Wed, Oct 10, 2012 at 19:44:30 -0400: > >> I've read this entire thread (whew!), and would actually like to throw out > >> a contrary position: > >> > >> No si

Re: key signing

2012-10-10 Thread Greg Stein
On Wed, Oct 10, 2012 at 7:53 PM, Ian Holsman wrote: > On Oct 11, 2012, at 10:44 AM, Greg Stein wrote: >> (assume secure Infrastructure) > > That's a pretty big assumption isn't it? Empirically, we've had break-ins, so we can assume it will happen again. But now you're talking that somebody has t

RE: key signing

2012-10-10 Thread Dennis E. Hamilton
x27;t have to do a WoT signing though. This is a pretty standard ceremony for an e-mail "non-persona." - Dennis -Original Message- From: Greg Stein [mailto:gst...@gmail.com] Sent: Wednesday, October 10, 2012 16:45 To: general@incubator.apache.org Subject: Re: key signing I

Re: key signing

2012-10-10 Thread Greg Stein
On Wed, Oct 10, 2012 at 9:10 PM, Daniel Shahaf wrote: > Greg Stein wrote on Wed, Oct 10, 2012 at 19:44:30 -0400: >> I've read this entire thread (whew!), and would actually like to throw out >> a contrary position: >> >> No signed keys. >> >> Consider: releases come from the ASF, not a person. > >

Re: key signing

2012-10-10 Thread Daniel Shahaf
Greg Stein wrote on Wed, Oct 10, 2012 at 19:44:30 -0400: > I've read this entire thread (whew!), and would actually like to throw out > a contrary position: > > No signed keys. > > Consider: releases come from the ASF, not a person. Therefore, releases should be signed by the ASF as an organisat

Re: key signing

2012-10-10 Thread Daniel Shahaf
Ian Holsman wrote on Thu, Oct 11, 2012 at 10:53:11 +1100: > > On Oct 11, 2012, at 10:44 AM, Greg Stein wrote: > > > > > (assume secure Infrastructure) > > That's a pretty big assumption isn't it? > There have been public instances where open source infrastructures have been > hacked, and rele

Re: key signing

2012-10-10 Thread Ian Holsman
On Oct 11, 2012, at 10:44 AM, Greg Stein wrote: > > (assume secure Infrastructure) That's a pretty big assumption isn't it? There have been public instances where open source infrastructures have been hacked, and releases have been messed with. I think keys remove the need for the assumpti

Re: key signing

2012-10-10 Thread Greg Stein
me that there is a gap in the incubation process, and > I don't know how to fill it. > > As far as I can see, we don't do anything to facilitate or encourage > getting PGP keys signed. We tell people to create a key and put it in > the SVN 'keys' file.

Re: key signing

2012-10-10 Thread Nick Kew
On 10 Oct 2012, at 17:04, Marvin Humphrey wrote: > In my opinion, we have sufficient expertise here at the ASF to devise an > authentication protocol whose reliability exceeds that of individuals > participating unsupervised in a web of trust, particularly if the protocol > were to incorporate ar

Re: key signing - trust path check

2012-10-10 Thread Noah Slater
This is awesome! Unfortunately I (61D50B88) am not in the strong set. Bummer. :( On Wed, Oct 10, 2012 at 2:43 PM, Shane Curcuru wrote: > Anyone interested in details of PGP signing and tracing trust paths at the > ASF should say thank you to long-time member henkp who has done a ton of > work do

Re: key signing

2012-10-10 Thread Noah Slater
Most people develop their own key signing policy and publish it. Or organisations as a whole do, and ask their members to adhere to it. Something which we might want to consider formalising. On Wed, Oct 10, 2012 at 10:18 PM, Benson Margulies wrote: > Just to be clear, I don't think I

Re: key signing

2012-10-10 Thread Benson Margulies
Just to be clear, I don't think I've ever signed a key in my life. In part, because these criteria seem impossibly mushy.

Re: key signing

2012-10-10 Thread Noah Slater
I've said it already in this thread, but I will say it one last time before I drop it. Archiving video provides zero benefits, beyond the human to human connection of seeing what somebody looks like. It provides no way to establish identity or ownership of email/keys that email does not already pro

Re: key signing

2012-10-10 Thread Noah Slater
On Wed, Oct 10, 2012 at 3:20 PM, Ted Dunning wrote: > > I have friends who live far away. I know them well. I don't know their > key fingerprint. > > If we send emails or if we text back and forth I'm not clear that it is > them. If I have a video conference and they hold up the fingerprint I kn

Re: key signing

2012-10-10 Thread Florian Holeczek
shocked by how carelessly some would sign a key though, too, and that's what I meant by weak rules. Defining a good key signing protocol containing multiple factors, like you've mentioned in a different mail on this th

RE: key signing

2012-10-10 Thread Dennis E. Hamilton
From: Dennis E. Hamilton [mailto:orc...@apache.org] Sent: Wednesday, October 10, 2012 09:28 To: general@incubator.apache.org Subject: RE: key signing [ ... ] I think the fundamental problems are that (1) this trust structure is not widely understood, even among (new) committers, and (2) the proce

RE: key signing

2012-10-10 Thread Dennis E. Hamilton
it has little to do with the trustworthiness of digital certificates. -Original Message- From: Benson Margulies [mailto:bimargul...@gmail.com] Sent: Wednesday, October 10, 2012 04:20 To: general@incubator.apache.org Subject: Re: key signing I could argue that we'd be better-served w

Re: key signing

2012-10-10 Thread Marvin Humphrey
On Wed, Oct 10, 2012 at 8:11 AM, Florian Holeczek wrote: > However, what would now be totally wrong IMO is, that some guys in the ASF > redefine these rules in order to make the process of release signing more > simple. In the WoT big picture, this would automatically mean that every key > that is

Re: key signing

2012-10-10 Thread Marvin Humphrey
port but a room full > of Apache folks - some of whom surely know Benson Margulies > well - to reassure me. Protocols for key signing parties can be quite elaborate to ensure that each participant provides multiple factors: http://cryp

Re: key signing

2012-10-10 Thread Florian Holeczek
re of every link in a chain of > trust from me to some other person? > > None of this, of course, changes my concern that the average Apache > user isn't connected, but if the argument is persuasive it should > unleash a positive avalanche of key signing. Of course, the WoT con

Re: key signing

2012-10-10 Thread Nick Kew
On 10 Oct 2012, at 12:20, Benson Margulies wrote: > Nick: On the one hand, how is trusting the Apache process better or > worse than trusting the State of Massachusetts? When I sign a key I'm basing it on more information than that. Either it's a one-off, when I have additional knowledge of som

Re: key signing

2012-10-10 Thread Stephen Connolly
s you to > understand > > them better. Some deep rooted human thing. But how does this impact > > security or trust, in the context of key signing? > > I have friends who live far away. I know them well. I don't know their > key fingerprint. > > If we send emails o

Re: key signing

2012-10-10 Thread Ted Dunning
is impact > security or trust, in the context of key signing? I have friends who live far away. I know them well. I don't know their key fingerprint. If we send emails or if we text back and forth I'm not clear that it is them. If I have a video conference and they hold up the fingerp

Re: key signing - trust path check

2012-10-10 Thread Shane Curcuru
Anyone interested in details of PGP signing and tracing trust paths at the ASF should say thank you to long-time member henkp who has done a ton of work documenting and verifying release signing and keys: https://people.apache.org/~henkp/trust/ - Shane On 10/8/2012 6:37 PM, Noah Slater wrot

Re: key signing

2012-10-10 Thread Shane Curcuru
Comments: - For many people, ensuring that the human who holds a specific key is the same one who has been using the j...@doe.foo email address and the john...@apache.org SVN/GIT account over a period of time is what is most important. Less important is ensuring that that human's legal name i

Re: key signing

2012-10-10 Thread Benson Margulies
On Wed, Oct 10, 2012 at 6:52 AM, Nick Kew wrote: > > On 10 Oct 2012, at 11:25, Benson Margulies wrote: > >> I then feel that it's perfectly reasonable to sign a key that has two >> things in it: the name Noah Slater and nsla...@apache.org, because if >> this process doesn't verify an adequate asso

Re: key signing

2012-10-10 Thread Nick Kew
On 10 Oct 2012, at 11:25, Benson Margulies wrote: > I then feel that it's perfectly reasonable to sign a key that has two > things in it: the name Noah Slater and nsla...@apache.org, because if > this process doesn't verify an adequate association, then no one can > trust the Apache IP process, e

Re: key signing

2012-10-10 Thread Benson Margulies
if the argument is persuasive it should unleash a positive avalanche of key signing.

Re: key signing

2012-10-10 Thread Noah Slater
Can you clarify? I understand that being able to speak to someone face to face, and seeing their mannerisms and expressions, allows you to understand them better. Some deep rooted human thing. But how does this impact security or trust, in the context of key signing? On Wed, Oct 10, 2012 at 4:00

Re: key signing

2012-10-09 Thread Ted Dunning
If you know the person, it adds something that you don't get. On Tue, Oct 9, 2012 at 3:40 PM, Noah Slater wrote: > What, precisely, does a video call actually provide? > > The point of meeting in person is to verify photo IDs. Just talking to > somebody with a face doesn't prove anybody. I am fa

Re: key signing

2012-10-09 Thread Noah Slater
What, precisely, does a video call actually provide? The point of meeting in person is to verify photo IDs. Just talking to somebody with a face doesn't prove anybody. I am fairly certain that YOU have a face, and I have never even seen it. If all you're doing is having a chit chat and swapping ke

Re: key signing

2012-10-09 Thread Marvin Humphrey
On Mon, Oct 8, 2012 at 2:24 PM, Noah Slater wrote: >> 1. The key owner convinces the signer that the identity in the UID is >> indeed their own identity by whatever evidence the signer is willing to >> accept as convincing. Usually this means the key owner must present a >> government issued ID wi

Re: key signing

2012-10-08 Thread Noah Slater
Found one... Just poking around manually... J. Daniel Kulp http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0x858FC4C4F43856A3 Signed by Carsten Ziegeler http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0x132E49D4E41EDC7E Signed by Marcus Crafter http://pgp.mit.edu:11371/pks/lookup?op
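Benson's sample-size-one experiment (can a user reach Dan Kulp's key from their own?) and Noah's manual keyserver chase are graph questions. The block below is an added example, not code from the thread or from GnuPG: it re-states, in simplified form, the rules GnuPG's classic trust model applies with its default parameters (max-cert-depth 5, marginals-needed 3, completes-needed 1) over a constructed signature graph with placeholder key names, and finds the shortest certification path from one key to another. The rule it encodes is the one Benson's "so what?" rests on: a signature on a key counts toward that key's validity only if the signer is already valid at a shallower depth and the verifier has personally assigned that signer ownertrust.

```python
"""Trust-path and validity computation over a constructed key-signature graph.

Added example: a simplified re-statement of the rules GnuPG's classic trust
model applies with its defaults (max-cert-depth 5, marginals-needed 3,
completes-needed 1). Not GnuPG's code; the graph below is made up."""
from collections import deque

ULTIMATE, FULL, MARGINAL = "ultimate", "full", "marginal"


def compute_validity(signatures, ownertrust, max_cert_depth=5,
                     marginals_needed=3, completes_needed=1):
    """Return {key: depth} for every key the verifier may treat as valid.

    signatures: {key: set of keys that signed it}
    ownertrust: {key: ULTIMATE | FULL | MARGINAL}; unlisted keys are untrusted.
    A signature counts only if its signer is already valid at a shallower
    depth AND the verifier has assigned that signer ownertrust.
    """
    everyone = set(signatures) | {s for ss in signatures.values() for s in ss} | set(ownertrust)
    valid = {k: 0 for k, t in ownertrust.items() if t == ULTIMATE}
    for depth in range(1, max_cert_depth + 1):
        newly = {}
        for key in everyone - set(valid):
            fulls = marginals = 0
            for signer in signatures.get(key, ()):
                if signer not in valid:
                    continue
                trust = ownertrust.get(signer)
                if trust in (ULTIMATE, FULL):
                    fulls += 1
                elif trust == MARGINAL:
                    marginals += 1
            if fulls >= completes_needed or marginals >= marginals_needed:
                newly[key] = depth
        if not newly:
            break
        valid.update(newly)
    return valid


def shortest_path(signatures, src, dst):
    """BFS along 'signed' edges from src's key to dst's key; None if unreachable."""
    signed = {}
    for key, signers in signatures.items():
        for s in signers:
            signed.setdefault(s, []).append(key)
    prev, queue = {src: None}, deque([src])
    while queue:
        key = queue.popleft()
        if key == dst:
            break
        for nxt in sorted(signed.get(key, ())):
            if nxt not in prev:
                prev[nxt] = key
                queue.append(nxt)
    if dst not in prev:
        return None
    path, key = [], dst
    while key is not None:
        path.append(key)
        key = prev[key]
    return path[::-1]


# Constructed graph: key -> keys that signed it. All names are placeholders.
SAMPLE_SIGNATURES = {
    "mentor": {"user"},
    "pmc1": {"user"}, "pmc2": {"user"}, "pmc3": {"user"},
    "rm": {"mentor", "pmc1", "pmc2", "pmc3"},     # release manager's key
    "stranger": {"pmc1"},                          # one marginal signature only
    "isolated_rm": {"far1", "far2", "far3"},        # many signers, none reachable
}
SAMPLE_OWNERTRUST = {"user": ULTIMATE, "mentor": FULL,
                     "pmc1": MARGINAL, "pmc2": MARGINAL, "pmc3": MARGINAL}

if __name__ == "__main__":
    print(compute_validity(SAMPLE_SIGNATURES, SAMPLE_OWNERTRUST))
    print(shortest_path(SAMPLE_SIGNATURES, "user", "rm"))
    print(shortest_path(SAMPLE_SIGNATURES, "user", "isolated_rm"))
```

Two things the constructed graph makes concrete. `isolated_rm` carries three signatures and never becomes valid, because none of its signers is reachable from the user's key; that is the position of an RM whose key is signed by many fellow committers the downloader has never met. `rm` becomes valid at depth 2 either through the single fully trusted mentor or through three marginally trusted PMC members, so a signature from someone the downloader's community already reaches is worth more than many signatures from people it does not.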

Re: key signing

2012-10-08 Thread Noah Slater
I don't know how to check that. Heh. Would be interested in giving it a shot. Are there tools to look up graphs? On Mon, Oct 8, 2012 at 11:23 PM, Benson Margulies wrote: > Let's try a little statistically-invalid experiment of sample size > one. The last time I had a key signed at Apache, it was

Re: key signing

2012-10-08 Thread Benson Margulies
Let's try a little statistically-invalid experiment of sample size one. The last time I had a key signed at Apache, it was by Dan Kulp. Now, pretend that you are a suspicious user of one of the many Maven plugins releases that I RM. Can you reach Dan from yourself in the web? Is there anyone you, p

Re: key signing

2012-10-08 Thread Benson Margulies
On Mon, Oct 8, 2012 at 6:15 PM, Noah Slater wrote: > Perhaps not Tomcat, but the entire Foundation and all of its current and > future projects should be under consideration here. The long and short of > it is that key signing can't hurt. And a key signing guide certainl

Re: key signing

2012-10-08 Thread Noah Slater
Caveat: But I do think that if we do have a key signing guide (and I think we should) then it should be strict about our standards. (i.e. when and when not to sign somebody's key. Basic QA on what sort of "trust" we're trying to build here.) On Mon, Oct 8, 2012 at 11:15 PM

Re: key signing

2012-10-08 Thread Noah Slater
Perhaps not Tomcat, but the entire Foundation and all of its current and future projects should be under consideration here. The long and short of it is that key signing can't hurt. And a key signing guide certainly can't hurt. RMs should feel free to do this, if they are intere

Re: key signing

2012-10-08 Thread Benson Margulies
On Mon, Oct 8, 2012 at 5:18 PM, Noah Slater wrote: > On Mon, Oct 8, 2012 at 4:53 PM, Benson Margulies wrote: > >> >> There's another side to this, which I would derisively label, 'so >> what'? How does it help a user to see that my key is signed by 27 of >> my fellow Apache contributors, if the us

Re: key signing

2012-10-08 Thread Noah Slater
is via Skype? If we don't take this seriously, how can we expect other people to take our keys seriously? (Debian also has a few tools to help automate this stuff. See above link.) If we're going to adopt a key signing model, we should strongly consider basing it on Debian's. On

Re: key signing

2012-10-08 Thread Noah Slater
On Mon, Oct 8, 2012 at 4:53 PM, Benson Margulies wrote: > > There's another side to this, which I would derisively label, 'so > what'? How does it help a user to see that my key is signed by 27 of > my fellow Apache contributors, if the user has never met any of us, > and has never met anyone who

Re: key signing

2012-10-08 Thread Ted Dunning
On Mon, Oct 8, 2012 at 7:46 PM, Marvin Humphrey wrote: > On Mon, Oct 8, 2012 at 8:51 AM, Branko Čibej wrote: > > > It says clearly, "as long as you can guarantee that you are > > communicating with the key's true owner." Which was exactly my point. > >

Re: key signing

2012-10-08 Thread Marvin Humphrey
On Mon, Oct 8, 2012 at 8:51 AM, Branko Čibej wrote: > It says clearly, "as long as you can guarantee that you are > communicating with the key's true owner." Which was exactly my point. I assert a "virtual key-signing party" protocol incorporating Google Plus

Re: key signing

2012-10-08 Thread Ted Dunning
On Mon, Oct 8, 2012 at 4:53 PM, Benson Margulies wrote: > On Mon, Oct 8, 2012 at 11:43 AM, Marvin Humphrey > wrote: > >> ... > >> In this respect e-mail is just as secure, so why don't we all just sign > >> keys because someone claiming to be from from Chad sent us a mail asking > >> us for a sig

Re: key signing

2012-10-08 Thread Benson Margulies
> - Dennis > > -Original Message- > From: Benson Margulies [mailto:bimargul...@gmail.com] > Sent: Monday, October 08, 2012 08:54 > To: general@incubator.apache.org > Subject: Re: key signing > > [ ... ] > > In my opinion, that's vanishingly unlike

RE: key signing

2012-10-08 Thread Dennis E. Hamilton
:54 To: general@incubator.apache.org Subject: Re: key signing [ ... ] In my opinion, that's vanishingly unlikely, and so the best we can do is to allow users to verify that the signature was, in fact, made by the 'Apache hat' that it claimed to be made by. Using the keys in KEYS,

Re: key signing

2012-10-08 Thread Benson Margulies
On Mon, Oct 8, 2012 at 11:43 AM, Marvin Humphrey wrote: > On Mon, Oct 8, 2012 at 7:36 AM, Branko Čibej wrote: >> What guarantee do you have that a particular Skype ID is whoever you >> think it is? None at all, unless the person involved looked at your >> Skype contact list and said, yeah, that's

Re: key signing

2012-10-08 Thread Branko Čibej
On 08.10.2012 17:43, Marvin Humphrey wrote: > On Mon, Oct 8, 2012 at 7:36 AM, Branko Čibej wrote: >> What guarantee do you have that a particular Skype ID is whoever you >> think it is? None at all, unless the person involved looked at your >> Skype contact list and said, yeah, that's me. Likewise

Re: key signing

2012-10-08 Thread Marvin Humphrey
On Mon, Oct 8, 2012 at 7:36 AM, Branko Čibej wrote: > What guarantee do you have that a particular Skype ID is whoever you > think it is? None at all, unless the person involved looked at your > Skype contact list and said, yeah, that's me. Likewise for Google > Hangout. As long as they're doing t

Re: key signing

2012-10-08 Thread Branko Čibej
On 08.10.2012 13:44, Franklin, Matthew B. wrote: >> -Original Message- >> From: Marvin Humphrey [mailto:mar...@rectangular.com] >> Sent: Friday, October 05, 2012 8:54 PM >> To: general@incubator.apache.org >> Subject: Re: key signing >> >> On

RE: key signing

2012-10-08 Thread Franklin, Matthew B.
>-Original Message- >From: Marvin Humphrey [mailto:mar...@rectangular.com] >Sent: Friday, October 05, 2012 8:54 PM >To: general@incubator.apache.org >Subject: Re: key signing > >On Fri, Oct 5, 2012 at 8:55 AM, Jukka Zitting wrote: >> It's good to recommend

RE: key signing - issues

2012-10-07 Thread Dennis E. Hamilton
als were delivered for it to the provider of the iCLA, and the exclusive control of the setting of the fingerprint in the account record. It appears that key-signing ceremonies add nothing to this. My public appearance might reveal that orcmid is an imposter or that the iCLA is fraudulen

Re: key signing - issues

2012-10-07 Thread Benson Margulies
Shane, After reading all the responses, I'm no longer very interested in pushing the idea of key signing. I am much more interested in explaining to users the existence and use of the LDAP keys. We can explain: "If something is signed with a key associated with an Apache committer via

Re: key signing - issues

2012-10-07 Thread Shane Curcuru
On 10/5/2012 8:04 AM, Benson Margulies wrote:... > As far as I can see, we don't do anything to facilitate or encourage > getting PGP keys signed. We tell people to create a key and put it in > the SVN 'keys' file. > > Key signing strikes me as a bit of a conundrum f

Re: key signing

2012-10-05 Thread Marvin Humphrey
On Fri, Oct 5, 2012 at 8:55 AM, Jukka Zitting wrote: > It's good to recommend people to get their keys signed by someone in > the Apache web of trust and I think we could do more in that area, Maybe if we didn't insist on face-to-face meetings we'd get better adoption rates. Apache dev docs:

Re: key signing

2012-10-05 Thread Benson Margulies
Craig, I appreciate the general scheme of signing. It seems as if we have two approaches to key trust. One is the in-person web of trust, and the other is the CLA -> account -> key-in-ldap/svn. Given the Foundation's emphasis on geographic diversity, the latter seems to me to be more appropriate.

Re: key signing

2012-10-05 Thread Craig L Russell
Hi Benson, On Oct 5, 2012, at 2:12 PM, Benson Margulies wrote: On Fri, Oct 5, 2012 at 4:42 PM, Juan Pablo Santos Rodríguez wrote: Hi, picking up Benson's initial question, just my 2c: how about encouraging a key signing party (or something alike, but more informal and/or with

Re: key signing

2012-10-05 Thread Daniel Shahaf
Benson Margulies wrote on Fri, Oct 05, 2012 at 17:12:27 -0400: > Oh Secretary, why not create a 'role' PGP key and use it? Because it's harder to implement than to state, and no one has identified a need for it.

Re: key signing

2012-10-05 Thread Benson Margulies
On Fri, Oct 5, 2012 at 4:42 PM, Juan Pablo Santos Rodríguez wrote: > Hi, > > picking up Benson's initial question, just my 2c: how about encouraging a > key signing party (or something alike, but more informal and/or with fewer > people) through general@i.a.o for every Apac

Re: key signing

2012-10-05 Thread Juan Pablo Santos Rodríguez
Hi, picking up Benson's initial question, just my 2c: how about encouraging a key signing party (or something alike, but more informal and/or with fewer people) through general@i.a.o for every Apachecon, say 2-3 weeks before it starts? If there's something ongoing, it's easier to hop in th

Re: key signing

2012-10-05 Thread Daniel Shahaf
Craig L Russell wrote on Fri, Oct 05, 2012 at 08:59:26 -0700: > Hi Florian, > > On Oct 5, 2012, at 8:44 AM, Florian Holeczek wrote: > >> if I understood the Apache pseudonym rules right, the only one who >> would be able to sign such a key was secretary@, since it's the only >> one who knows th

Re: key signing

2012-10-05 Thread Craig L Russell
Hi Florian, On Oct 5, 2012, at 8:44 AM, Florian Holeczek wrote: if I understood the Apache pseudonym rules right, the only one who would be able to sign such a key was secretary@, since it's the only one who knows the pseudonym's real identity. The ICLA documents are available to all Apach

Re: key signing

2012-10-05 Thread Jukka Zitting
Hi, On Fri, Oct 5, 2012 at 3:15 PM, Daniel Shahaf wrote: > Downloading keys from https://www.apache.org/dist/ or > https://people.apache.org/keys/ is good enough for users who > trust root@ and Thawte. +1 It's good to recommend people to get their keys signed by someone in the Apache web

Re: key signing

2012-10-05 Thread Florian Holeczek
Daniel Shahaf wrote on 05.10.2012 at 15:15: > Benson Margulies wrote on Fri, Oct 05, 2012 at 08:04:04 -0400: >> Alternatively, since the chain is CLA -> svn access -> unsigned key in >> svn, perhaps all we really need is to document that a signature >> corresponding to a key in svn is really good e

Re: key signing

2012-10-05 Thread Daniel Shahaf
Benson Margulies wrote on Fri, Oct 05, 2012 at 08:04:04 -0400: > Alternatively, since the chain is CLA -> svn access -> unsigned key in > svn, perhaps all we really need is to document that a signature > corresponding to a key in svn is really good enough, and users need > not be concerned further.

Re: Key signing for shindig packages.

2009-10-05 Thread Upayavira
On Sat, 2009-10-03 at 16:43 +0800, Niclas Hedhman wrote: > On Sat, Oct 3, 2009 at 3:34 AM, Paul Lindner wrote: > > Hi, > > Over in the shindig podling we've been working on our 1.1 release. During > > the voting process it was mentioned that my gpg key is not part of the > > apache web of trust. >

Re: Key signing for shindig packages.

2009-10-03 Thread Niclas Hedhman
On Sat, Oct 3, 2009 at 3:34 AM, Paul Lindner wrote: > Hi, > Over in the shindig podling we've been working on our 1.1 release. During > the voting process it was mentioned that my gpg key is not part of the > apache web of trust. > > * We have the +1s for shindig-1.1-BETA3, does this signature pro

Key signing for shindig packages.

2009-10-03 Thread Paul Lindner
Hi, Over in the shindig podling we've been working on our 1.1 release. During the voting process it was mentioned that my gpg key is not part of the apache web of trust. * We have the +1s for shindig-1.1-BETA3, does this signature problem disqualify the release? * I'd appreciate any/all help getti
