Posted to general@jakarta.apache.org by Jon Stevens <jo...@latchkey.com> on 2001/03/30 01:56:47 UTC

PGP Key for Jakarta Project

Hey all,

The goal is to be able to sign our downloads with a PGP key for the Jakarta
Project. This will enable people to verify that the downloads have not been
tampered with.

Thus, I have created a PGP Key for the Jakarta Project and uploaded it to
the ldap://keyserver.pgp.com server. The email address for the key is
general@jakarta.apache.org. I have already signed the key with my own key.
Right now, I also own the password to the key. I'm not really sure what to
do with it though (any PGP experts out there?). :-)

Next week at ApacheCon, I will bring my laptop and get people to also sign
this key with their key in order to build up a valid trust network. So, what
I'm asking for is others to also bring their PGP keys.

thanks,

-jon stevens

-- 
If you come from a Perl or PHP background, JSP is a way to take
your pain to new levels. --Anonymous
<http://jakarta.apache.org/velocity/ymtd/ymtd.html>


---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@jakarta.apache.org
For additional commands, e-mail: general-help@jakarta.apache.org


Re: PGP Key for Jakarta Project

Posted by Jon Stevens <jo...@latchkey.com>.
on 3/29/01 5:27 PM, "Kevin A. Burton" <bu...@relativity.yi.org> wrote:

> I generally think it is better for individuals to do their own signing instead
> of acting like a group, it sounds good at first but there are a number of
> problems that can arise.

Hey Kevin,

Thanks for your input on this and I totally hear what you are saying (and
agree with you). 

I have some further questions then:

So how do you solve the problem of trust for those individual keys? I know
that people can get their keys signed by others and we could require a
minimum of N people also signing their key or something...

What if the individual key gets compromised?

Do you have another suggestion for the ultimate solution (that is actually
feasible)? In other words, I personally feel it should be possible to create
a "Master" key that has the following attributes:

    Can only be signed if both the "Master" password and that of the person
    signing the key are entered (making it so that only "in person" signing
    can occur). This doesn't solve the problem of who owns the "Master"
    password though.

    Anyone whose key is on the "Master" can sign something by using only
    their password.

    Keys can be easily revoked from the "Master". Again the problem of who
    owns the master password.

-jon

-- 
If you come from a Perl or PHP background, JSP is a way to take
your pain to new levels. --Anonymous
<http://jakarta.apache.org/velocity/ymtd/ymtd.html>


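The two questions raised in the message above (how many people should have to sign a committer's key before it is trusted, and what happens when one of those keys is compromised) are what the web-of-trust computation in PGP implementations answers. The following Python is an added illustration written for this page, not code from the thread or from the Jakarta/Apache projects. It models the classic trust rule (a key is valid if it is certified by 1 fully trusted key or by 3 marginally trusted keys, GnuPG's default completes-needed/marginals-needed values) over a constructed keyring with placeholder key ids; the key ids, owner-trust assignments and thresholds are assumptions made for the example.

```python
from dataclasses import dataclass, field

ULTIMATE, FULL, MARGINAL = "ultimate", "full", "marginal"


@dataclass
class Key:
    keyid: str            # placeholder key id, constructed for this example
    uid: str              # user id as it would appear on the key
    revoked: bool = False
    # key ids whose owners have certified (signed) this key's user id
    certifiers: set = field(default_factory=set)


def key_is_valid(keyid, keyring, owner_trust, completes_needed=1,
                 marginals_needed=3, _seen=()):
    """Classic web-of-trust rule (modelled on GnuPG's defaults, not its code).

    A key is valid if it is ultimately trusted, or if it carries certifications
    from at least COMPLETES_NEEDED fully trusted keys or MARGINALS_NEEDED
    marginally trusted keys. A certifier counts only if its own key is valid
    and not revoked; a revoked key is never valid. Self-signatures, unknown
    keys and keys with no owner trust count for nothing.
    """
    key = keyring.get(keyid)
    if key is None or key.revoked:
        return False
    if owner_trust.get(keyid) == ULTIMATE:
        return True
    if keyid in _seen:          # cycle guard: a key cannot vouch for itself
        return False
    seen = _seen + (keyid,)
    full = marginal = 0
    for signer in key.certifiers:
        if signer == keyid:
            continue
        level = owner_trust.get(signer)
        if level not in (ULTIMATE, FULL, MARGINAL):
            continue
        if not key_is_valid(signer, keyring, owner_trust,
                            completes_needed, marginals_needed, seen):
            continue
        if level in (ULTIMATE, FULL):
            full += 1
        else:
            marginal += 1
    return full >= completes_needed or marginal >= marginals_needed


def revoke(keyring, keyid):
    """Model importing a revocation certificate for KEYID."""
    keyring[keyid].revoked = True


def release_signature_acceptable(signer_keyid, keyring, owner_trust, **thresholds):
    """A download signed by SIGNER_KEYID is only as trustworthy as that key."""
    return key_is_valid(signer_keyid, keyring, owner_trust, **thresholds)


def build_keyring():
    """Constructed sample keyring (assumption, not real key material).

    ME is the verifier's own key. ME has met JON, KEVIN and ALICE and signed
    their keys, but only assigns them marginal owner trust. The project key
    is certified by all three committers and by nobody else.
    """
    keys = [
        Key("ME", "me <me@example.invalid>"),
        Key("JON", "Jon Stevens <jon@example.invalid>", certifiers={"ME"}),
        Key("KEVIN", "Kevin A. Burton <kevin@example.invalid>", certifiers={"ME"}),
        Key("ALICE", "Alice <alice@example.invalid>", certifiers={"ME"}),
        Key("JAKARTA", "Jakarta Project <general@jakarta.apache.org>",
            certifiers={"JON", "KEVIN", "ALICE"}),
    ]
    keyring = {k.keyid: k for k in keys}
    owner_trust = {"ME": ULTIMATE, "JON": MARGINAL,
                   "KEVIN": MARGINAL, "ALICE": MARGINAL}
    return keyring, owner_trust


if __name__ == "__main__":
    ring, trust = build_keyring()
    print("project key valid:", key_is_valid("JAKARTA", ring, trust))
    revoke(ring, "KEVIN")                       # one committer's key is compromised
    print("after revoking KEVIN:", key_is_valid("JAKARTA", ring, trust))
    print("with marginals_needed=2:",
          key_is_valid("JAKARTA", ring, trust, marginals_needed=2))
    print("KEVIN's own release signature:",
          release_signature_acceptable("KEVIN", ring, trust))
```

With three marginally trusted certifiers the project key is valid; revoking one of them drops it below the default threshold, so the project key stops being valid for this verifier even though the project key itself was never compromised, while a release signed directly by the revoked key is rejected outright. Lowering marginals_needed restores validity, which is exactly the "minimum of N people" policy knob the message asks about.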


Re: PGP Key for Jakarta Project

Posted by "Kevin A. Burton" <bu...@relativity.yi.org>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jon Stevens <jo...@latchkey.com> writes:

> Hey all,
> 
> The goal is to be able to sign our downloads with a PGP key for the Jakarta
> Project. This will enable people to verify that the downloads have not been
> tampered with.
> 
> Thus, I have created a PGP Key for the Jakarta Project and uploaded it to
> the ldap://keyserver.pgp.com server. The email address for the key is
> general@jakarta.apache.org. I have already signed the key with my own key.
> Right now, I also own the password to the key. I'm not really sure what to
> do with it though (any PGP experts out there?). :-)

Generally it is a bad idea to do this.  I think it is just better to have
everyone that publishes Apache downloads sign them with their own key (ANNOUNCE
messages should also be signed).  

If the key ever gets compromised, you have a problem with recovery: you would
have to tell the keyserver that it is invalid and then create a new key. BTW,
I believe if someone has the passphrase they can do this anyway...

> Next week at ApacheCon, I will bring my laptop and get people to also sign
> this key with their key in order to build up a valid trust network. So, what
> I'm asking for is others to also bring their PGP keys.

... if you uploaded this to a keyserver it should work right now.  You can sign
the jakarta key right off the key server.

I generally think it is better for individuals to do their own signing instead
of acting like a group, it sounds good at first but there are a number of
problems that can arise.

- every time someone leaves the group you have to create a new key

- you have to give the passphrase out (which involves an encrypted message
  anyway so your target already has to have PGP)

- individuals might be more hesitant to lay the reputation of "Jakarta" on the
  line for something they publish.  Instead it is better if the reputation hit
  happens to the person that actually uploaded the content.

... anyway.

Kevin

-- 
Kevin A. Burton ( burton@apache.org, burton@openprivacy.org, burtonator@acm.org )
        Cell: 408-910-6145 URL: http://relativity.yi.org ICQ: 73488596 

Linux is both Open Source and Free Software, Java is neither!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: Get my public key at: http://relativity.yi.org/pgpkey.txt

iD8DBQE6w+EGAwM6xb2dfE0RAvFcAJ0djYYYALf76suTMGJmKwrOT1ckJQCfWudv
o0osT9bZvvtTNoEE3oW7hIw=
=fF2Z
-----END PGP SIGNATURE-----

