Posted to dev@pivot.apache.org by Greg Brown <gk...@mac.com> on 2009/12/06 14:33:01 UTC

ASF code signing certificate

Hello mentors,

Back when Pivot first entered the Incubator, I had asked about the availability of an official Apache code signing certificate. Some of our demo and tutorial JARs are signed, but they currently use an unofficial (and expired) certificate Todd had created locally for testing purposes. This doesn't inspire quite as much confidence in the authenticity of the code as we would like.  :-)  

The response at the time was that no such certificate currently exists. Once we graduate, do you know if it might be possible to request one? I believe these cost around $500 (US) - is the ASF likely to cover something like this, or do you think we would need to fund it ourselves? 

FWIW, I actually tried to get both Verisign and Thawte to contribute a certificate a few months back, and I didn't get a reply from either one...maybe I will try again after we graduate. Anyone have any contacts at either place?

Thanks,
Greg


Re: ASF code signing certificate

Posted by Greg Brown <gk...@mac.com>.
OK. Once the graduation is formally approved, I'll send a message to infra describing what we are looking for and see if they can help. I'd like to get a valid certificate in place before we launch, if at all possible.

Thanks,
Greg

On Dec 7, 2009, at 9:01 AM, Martijn Dashorst wrote:

> AFAIK infra has enough karma to purchase small hardware, domains and
> certificates. If they don't have enough they can escalate it to the
> board to make sure it happens.
> 
> Martijn
> 
> On Mon, Dec 7, 2009 at 2:56 PM, Greg Brown <gk...@mac.com> wrote:
>> The problem with waiting until after we graduate is that we'll launch with an invalid cert signed by Todd, rather than a valid cert signed by the ASF. This won't leave a good first impression on anyone seeing Pivot for the first time.
>> 
>> You are probably right that general@incubator is probably not the right place for this discussion, but I think it is at least worth posting the question to the infra list. I'm guessing that most of the previous discussion around PKI focused on SSL, etc. - maybe it won't be as difficult to push a code signing cert. through.
>> 
>> How are purchase decisions generally handled? Would someone on the infra list be able to approve something like this, or is there another list I should also post to?
>> 
>> Thanks,
>> Greg
>> 
>> On Dec 6, 2009, at 11:45 PM, Niclas Hedhman wrote:
>> 
>>> On Sun, Dec 6, 2009 at 9:33 PM, Greg Brown <gk...@mac.com> wrote:
>>>> Hello mentors,
>>>> 
>>>> Back when Pivot first entered the Incubator, I had asked about the availability of an official Apache code signing certificate. Some of our demo and tutorial JARs are signed, but they currently use an unofficial (and expired) certificate Todd had created locally for testing purposes. This doesn't inspire quite as much confidence in the authenticity of the code as we would like.  :-)
>>>> 
>>>> The response at the time was that no such certificate currently exists. Once we graduate, do you know if it might be possible to request one? I believe these cost around $500 (US) - is the ASF likely to cover something like this, or do you think we would need to fund it ourselves?
>>>> 
>>>> FWIW, I actually tried to get both Verisign and Thawte to contribute a certificate a few months back, and I didn't get a reply from either one...maybe I will try again after we graduate. Anyone have any contacts at either place?
>>> 
>>> PKI is not something to toss around lightly (I am sure you are aware
>>> of that), and the security-conscious individuals at ASF have long
>>> pondered over how a PKI at ASF could/should look. One thing that
>>> was excluded was an ASF-wide cert available to "many". It has been
>>> discussed to set up a system where infra "owned" a master cert, from
>>> which they signed certs of "verified individual committers/officers".
>>> The problem is/was that this has not been high on the agenda, since
>>> for "releases" the PGP approach of "web of trust" has been considered
>>> both sufficient and superior to centralized PKIs.
>>> 
>>> My advice is to wait until after graduation and then approach
>>> infra/board to bring up the use case/need to see if this can be managed
>>> to a level of satisfaction "within our lifetime" ;-)  Bringing this to
>>> general@incubator.a.o now will just be "messy" and lead to no
>>> resolution.
>>> 
>>> 
>>> Cheers
>>> --
>>> Niclas Hedhman, Software Developer
>>> http://www.qi4j.org - New Energy for Java
>>> 
>>> I  live here; http://tinyurl.com/2qq9er
>>> I  work here; http://tinyurl.com/2ymelc
>>> I relax here; http://tinyurl.com/2cgsug
>> 
>> 
> 
> 
> 
> -- 
> Become a Wicket expert, learn from the best: http://wicketinaction.com
> Apache Wicket 1.4 increases type safety for web applications
> Get it now: http://www.apache.org/dyn/closer.cgi/wicket/1.4.0


Re: ASF code signing certificate

Posted by Martijn Dashorst <ma...@gmail.com>.
AFAIK infra has enough karma to purchase small hardware, domains and
certificates. If they don't have enough they can escalate it to the
board to make sure it happens.

Martijn

On Mon, Dec 7, 2009 at 2:56 PM, Greg Brown <gk...@mac.com> wrote:
> The problem with waiting until after we graduate is that we'll launch with an invalid cert signed by Todd, rather than a valid cert signed by the ASF. This won't leave a good first impression on anyone seeing Pivot for the first time.
>
> You are probably right that general@incubator is probably not the right place for this discussion, but I think it is at least worth posting the question to the infra list. I'm guessing that most of the previous discussion around PKI focused on SSL, etc. - maybe it won't be as difficult to push a code signing cert. through.
>
> How are purchase decisions generally handled? Would someone on the infra list be able to approve something like this, or is there another list I should also post to?
>
> Thanks,
> Greg
>
> On Dec 6, 2009, at 11:45 PM, Niclas Hedhman wrote:
>
>> On Sun, Dec 6, 2009 at 9:33 PM, Greg Brown <gk...@mac.com> wrote:
>>> Hello mentors,
>>>
>>> Back when Pivot first entered the Incubator, I had asked about the availability of an official Apache code signing certificate. Some of our demo and tutorial JARs are signed, but they currently use an unofficial (and expired) certificate Todd had created locally for testing purposes. This doesn't inspire quite as much confidence in the authenticity of the code as we would like.  :-)
>>>
>>> The response at the time was that no such certificate currently exists. Once we graduate, do you know if it might be possible to request one? I believe these cost around $500 (US) - is the ASF likely to cover something like this, or do you think we would need to fund it ourselves?
>>>
>>> FWIW, I actually tried to get both Verisign and Thawte to contribute a certificate a few months back, and I didn't get a reply from either one...maybe I will try again after we graduate. Anyone have any contacts at either place?
>>
>> PKI is not something to toss around lightly (I am sure you are aware
>> of that), and the security-conscious individuals at ASF have long
>> pondered over how a PKI at ASF could/should look. One thing that
>> was excluded was an ASF-wide cert available to "many". It has been
>> discussed to set up a system where infra "owned" a master cert, from
>> which they signed certs of "verified individual committers/officers".
>> The problem is/was that this has not been high on the agenda, since
>> for "releases" the PGP approach of "web of trust" has been considered
>> both sufficient and superior to centralized PKIs.
>>
>> My advice is to wait until after graduation and then approach
>> infra/board to bring up the use case/need to see if this can be managed
>> to a level of satisfaction "within our lifetime" ;-)  Bringing this to
>> general@incubator.a.o now will just be "messy" and lead to no
>> resolution.
>>
>>
>> Cheers
>> --
>> Niclas Hedhman, Software Developer
>> http://www.qi4j.org - New Energy for Java
>>
>> I  live here; http://tinyurl.com/2qq9er
>> I  work here; http://tinyurl.com/2ymelc
>> I relax here; http://tinyurl.com/2cgsug
>
>



-- 
Become a Wicket expert, learn from the best: http://wicketinaction.com
Apache Wicket 1.4 increases type safety for web applications
Get it now: http://www.apache.org/dyn/closer.cgi/wicket/1.4.0

Re: ASF code signing certificate

Posted by Greg Brown <gk...@mac.com>.
The problem with waiting until after we graduate is that we'll launch with an invalid cert signed by Todd, rather than a valid cert signed by the ASF. This won't leave a good first impression on anyone seeing Pivot for the first time.

You are probably right that general@incubator is probably not the right place for this discussion, but I think it is at least worth posting the question to the infra list. I'm guessing that most of the previous discussion around PKI focused on SSL, etc. - maybe it won't be as difficult to push a code signing cert. through.

How are purchase decisions generally handled? Would someone on the infra list be able to approve something like this, or is there another list I should also post to?

Thanks,
Greg

On Dec 6, 2009, at 11:45 PM, Niclas Hedhman wrote:

> On Sun, Dec 6, 2009 at 9:33 PM, Greg Brown <gk...@mac.com> wrote:
>> Hello mentors,
>> 
>> Back when Pivot first entered the Incubator, I had asked about the availability of an official Apache code signing certificate. Some of our demo and tutorial JARs are signed, but they currently use an unofficial (and expired) certificate Todd had created locally for testing purposes. This doesn't inspire quite as much confidence in the authenticity of the code as we would like.  :-)
>> 
>> The response at the time was that no such certificate currently exists. Once we graduate, do you know if it might be possible to request one? I believe these cost around $500 (US) - is the ASF likely to cover something like this, or do you think we would need to fund it ourselves?
>> 
>> FWIW, I actually tried to get both Verisign and Thawte to contribute a certificate a few months back, and I didn't get a reply from either one...maybe I will try again after we graduate. Anyone have any contacts at either place?
> 
> PKI is not something to toss around lightly (I am sure you are aware
> of that), and the security-conscious individuals at ASF have long
> pondered over how a PKI at ASF could/should look. One thing that
> was excluded was an ASF-wide cert available to "many". It has been
> discussed to set up a system where infra "owned" a master cert, from
> which they signed certs of "verified individual committers/officers".
> The problem is/was that this has not been high on the agenda, since
> for "releases" the PGP approach of "web of trust" has been considered
> both sufficient and superior to centralized PKIs.
> 
> My advice is to wait until after graduation and then approach
> infra/board to bring up the use case/need to see if this can be managed
> to a level of satisfaction "within our lifetime" ;-)  Bringing this to
> general@incubator.a.o now will just be "messy" and lead to no
> resolution.
> 
> 
> Cheers
> -- 
> Niclas Hedhman, Software Developer
> http://www.qi4j.org - New Energy for Java
> 
> I  live here; http://tinyurl.com/2qq9er
> I  work here; http://tinyurl.com/2ymelc
> I relax here; http://tinyurl.com/2cgsug


Re: ASF code signing certificate

Posted by Niclas Hedhman <ni...@hedhman.org>.
On Sun, Dec 6, 2009 at 9:33 PM, Greg Brown <gk...@mac.com> wrote:
> Hello mentors,
>
> Back when Pivot first entered the Incubator, I had asked about the availability of an official Apache code signing certificate. Some of our demo and tutorial JARs are signed, but they currently use an unofficial (and expired) certificate Todd had created locally for testing purposes. This doesn't inspire quite as much confidence in the authenticity of the code as we would like.  :-)
>
> The response at the time was that no such certificate currently exists. Once we graduate, do you know if it might be possible to request one? I believe these cost around $500 (US) - is the ASF likely to cover something like this, or do you think we would need to fund it ourselves?
>
> FWIW, I actually tried to get both Verisign and Thawte to contribute a certificate a few months back, and I didn't get a reply from either one...maybe I will try again after we graduate. Anyone have any contacts at either place?

PKI is not something to toss around lightly (I am sure you are aware
of that), and the security-conscious individuals at ASF have long
pondered over how a PKI at ASF could/should look. One thing that
was excluded was an ASF-wide cert available to "many". It has been
discussed to set up a system where infra "owned" a master cert, from
which they signed certs of "verified individual committers/officers".
The problem is/was that this has not been high on the agenda, since
for "releases" the PGP approach of "web of trust" has been considered
both sufficient and superior to centralized PKIs.

My advice is to wait until after graduation and then approach
infra/board to bring up the use case/need to see if this can be managed
to a level of satisfaction "within our lifetime" ;-)  Bringing this to
general@incubator.a.o now will just be "messy" and lead to no
resolution.


Cheers
-- 
Niclas Hedhman, Software Developer
http://www.qi4j.org - New Energy for Java

I  live here; http://tinyurl.com/2qq9er
I  work here; http://tinyurl.com/2ymelc
I relax here; http://tinyurl.com/2cgsug

Re: ASF code signing certificate

Posted by Michael Bushe <mi...@bushe.com>.
+1 on the cert's prudence.

Michael Bushe
Software Architect/Developer
michael@bushe.com
www.bushe.com


On Sun, Dec 6, 2009 at 9:41 AM, Martijn Dashorst <martijn.dashorst@gmail.com> wrote:

> If such a certificate would be prudent, I don't think anyone will
> object to shelling out 500 bucks. Though not something I'd personally
> want to pay, but for an organization with our sponsors it is not that
> much, and money well spent.
>
> I suggest sending this message to general@incubator and infra@ and see
> where that takes us.
>
> Martijn
>
> On Sun, Dec 6, 2009 at 2:33 PM, Greg Brown <gk...@mac.com> wrote:
> > Hello mentors,
> >
> > Back when Pivot first entered the Incubator, I had asked about the availability of an official Apache code signing certificate. Some of our demo and tutorial JARs are signed, but they currently use an unofficial (and expired) certificate Todd had created locally for testing purposes. This doesn't inspire quite as much confidence in the authenticity of the code as we would like.  :-)
> >
> > The response at the time was that no such certificate currently exists. Once we graduate, do you know if it might be possible to request one? I believe these cost around $500 (US) - is the ASF likely to cover something like this, or do you think we would need to fund it ourselves?
> >
> > FWIW, I actually tried to get both Verisign and Thawte to contribute a certificate a few months back, and I didn't get a reply from either one...maybe I will try again after we graduate. Anyone have any contacts at either place?
> >
> > Thanks,
> > Greg
> >
> >
>
>
>
> --
> Become a Wicket expert, learn from the best: http://wicketinaction.com
> Apache Wicket 1.4 increases type safety for web applications
> Get it now: http://www.apache.org/dyn/closer.cgi/wicket/1.4.0
>

Re: ASF code signing certificate

Posted by Martijn Dashorst <ma...@gmail.com>.
If such a certificate would be prudent, I don't think anyone will
object to shelling out 500 bucks. Though not something I'd personally
want to pay, but for an organization with our sponsors it is not that
much, and money well spent.

I suggest sending this message to general@incubator and infra@ and see
where that takes us.

Martijn

On Sun, Dec 6, 2009 at 2:33 PM, Greg Brown <gk...@mac.com> wrote:
> Hello mentors,
>
> Back when Pivot first entered the Incubator, I had asked about the availability of an official Apache code signing certificate. Some of our demo and tutorial JARs are signed, but they currently use an unofficial (and expired) certificate Todd had created locally for testing purposes. This doesn't inspire quite as much confidence in the authenticity of the code as we would like.  :-)
>
> The response at the time was that no such certificate currently exists. Once we graduate, do you know if it might be possible to request one? I believe these cost around $500 (US) - is the ASF likely to cover something like this, or do you think we would need to fund it ourselves?
>
> FWIW, I actually tried to get both Verisign and Thawte to contribute a certificate a few months back, and I didn't get a reply from either one...maybe I will try again after we graduate. Anyone have any contacts at either place?
>
> Thanks,
> Greg
>
>



-- 
Become a Wicket expert, learn from the best: http://wicketinaction.com
Apache Wicket 1.4 increases type safety for web applications
Get it now: http://www.apache.org/dyn/closer.cgi/wicket/1.4.0