Posted to cvs@httpd.apache.org by je...@apache.org on 2003/02/17 20:38:57 UTC
cvs commit: httpd-dist KEYS
jerenkrantz 2003/02/17 11:38:57
Modified: . KEYS
Log:
Oh, wordsmith away. We don't bite, but let's not tell anyone that.
Revision Changes Path
1.34 +24 -2 httpd-dist/KEYS
Index: KEYS
===================================================================
RCS file: /home/cvs/httpd-dist/KEYS,v
retrieving revision 1.33
retrieving revision 1.34
diff -u -u -r1.33 -r1.34
--- KEYS 6 Jan 2003 03:09:06 -0000 1.33
+++ KEYS 17 Feb 2003 19:38:57 -0000 1.34
@@ -1,6 +1,28 @@
-This file contains the PGP keys of various Apache developers.
-Please don't use them for email unless you have asked the owner,
+This file contains the PGP keys of various developers that work on
+the Apache HTTP Server and its subprojects.
+
+Please don't use these keys for email unless you have asked the owner
because some keys are only used for code signing.
+
+Please realize that this file itself or the public key servers may be
+compromised. You are encouraged to validate the authenticity of these keys in
+an out-of-band manner. A good start would be face-to-face communication with
+multiple photo identification confirmations. Each contributor has their
+location information available at http://httpd.apache.org/contributors/.
+
+Since the developers are usually quite busy, you may not immediately find
+success in someone who is willing to meet face-to-face (they may not even
+respond to your emails because they are so busy!). If you do not have a
+developer nearby or have trouble locating a suitable person, please send an
+email to the release manager of the release you are attempting to verify. They
+may be able to find someone who will be willing to verify their key in a less
+secure manner (over the phone perhaps).
+
+Most of the people in this file have attempted to sign each others' keys
+(usually with face-to-face validation). Therefore, in order to enter the web
+of trust, you should only need to validate one person in this file. For more
+information on determining what level of trust works best for you, please see
+http://www.gnupg.org/gph/en/manual.html#AEN335.
Apache users: pgp < KEYS
Apache developers:
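Review bot: the new header text tells the reader to validate keys out-of-band, but the usage line that follows, "Apache users: pgp < KEYS", still imports every key in the file into the user's default keyring with no check at all, so the advice and the instruction do not connect. Consider adding one sentence after the import line telling the reader what to compare (the fingerprint of the key that made the release signature against the fingerprint obtained face-to-face or by phone) and which file to verify (the release's detached signature against the tarball); without that, the paragraph about photo ID and the release manager has no concrete step attached to it. The sentence "you should only need to validate one person in this file" also reads as stronger than the hunk can promise: whether one validated signer is enough depends on the reader's own trust settings, which is exactly what the linked GnuPG manual section covers, so "may be enough" would match the reference better.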
Re: cvs commit: httpd-dist KEYS
Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
Ahhh... verification between project RMs of one another's tarballs?
Then don't plug this into KEYS and raise awareness (our workload)
to insurmountable levels. Let's start a wiki^H^H^H^Hdoc page all about
release signatures and PGP. Explain in a nutshell what is signed, why
it is signed and how trusting joe who trusts sam lets you validate that
sam's signed package is authentic. KEYS doesn't need to get so dirty,
a simple href will do to the authoritative doc out on www.apache.org/.
And let the reader connect the dots... unless you find several people
under the President's infrastructure committee who will handle the
keys@apache.org mail and do the leg work/flying/faxing/phoning.
But clean this out of our local KEYS file and do all the magic by
reference, so that even stale KEYS checkouts point to the now-
authoritative document (that would also include revoked keys to
avoid, et. al. :-)
Bill
At 12:30 PM 2/18/2003, Justin Erenkrantz wrote:
>--On Tuesday, February 18, 2003 12:06 PM -0600 "William A. Rowe, Jr." <wr...@rowe-clan.net> wrote:
>
>>I agree that was overkill. However, why put anything on the
>>contributors web page? I believe that information exists right
>>there, in the KEYS file, as to who signed a given release, with our
>>email address (we only use still-valid email accounts when signing,
>>right?)
>
>Because you may be able to contact someone face-to-face who is already in our web of trust rather than the person who signed the release. It doesn't matter if you don't trust the RM directly - as long as you trust someone who trusts the RM.
>
>In short, you don't need to contact the RM directly. You can, but it may not be practical to do face-to-face verification with that person (so, you might resort to telephone verification). But, we have a wide enough geographic dispersal where you may be able to find someone in your area who is willing to do a face-to-face meeting. (In fact, this would *lessen* the load of the RM rather than increase it!)
>
>The reason why I'm concerned about this generally is that mod_python and flood are going to be issuing signed releases soon. Granted their popularity isn't as high as httpd, but they are looking for policy here. It's our obligation to set good verification policy. -- justin
Re: cvs commit: httpd-dist KEYS
Posted by Justin Erenkrantz <ju...@erenkrantz.com>.
--On Tuesday, February 18, 2003 12:06 PM -0600 "William A. Rowe, Jr."
<wr...@rowe-clan.net> wrote:
> I agree that was overkill. However, why put anything on the
> contributors web page? I believe that information exists right
> there, in the KEYS file, as to who signed a given release, with our
> email address (we only use still-valid email accounts when signing,
> right?)
Because you may be able to contact someone face-to-face who is
already in our web of trust rather than the person who signed the
release. It doesn't matter if you don't trust the RM directly - as
long as you trust someone who trusts the RM.
In short, you don't need to contact the RM directly. You can, but it
may not be practical to do face-to-face verification with that person
(so, you might resort to telephone verification). But, we have a
wide enough geographic dispersal where you may be able to find
someone in your area who is willing to do a face-to-face meeting.
(In fact, this would *lessen* the load of the RM rather than increase
it!)
The reason why I'm concerned about this generally is that mod_python
and flood are going to be issuing signed releases soon. Granted
their popularity isn't as high as httpd, but they are looking for
policy here. It's our obligation to set good verification policy.
-- justin
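The KEYS header quoted in this thread recommends validating a signer's key out-of-band, and Justin's point above is that the reader need not trust the release manager's key directly. The following shell script is an added example, not code from the Apache thread or the httpd project: it imports a KEYS file into a throw-away keyring (rather than the user's own, as `pgp < KEYS` does), verifies a detached signature, and accepts the release only if the signing key's fingerprint matches one the reader obtained out-of-band. The file names and the pinned fingerprint are placeholders supplied by the caller.

```bash
#!/bin/sh
# Added example (not from the Apache thread): verify a release tarball against a
# KEYS file and a fingerprint obtained out-of-band (face-to-face, phone, etc.).

# normalise_fpr: drop spaces and colons and uppercase hex digits, so a fingerprint
# copied from a web page, a business card or gpg output all compare equal.
normalise_fpr() {
  printf '%s' "$1" | tr -d ' :' | tr 'a-f' 'A-F'
}

# fpr_matches PINNED ACTUAL: exit 0 when both name the same key, 1 otherwise.
fpr_matches() {
  [ -n "$(normalise_fpr "$1")" ] && [ "$(normalise_fpr "$1")" = "$(normalise_fpr "$2")" ]
}

# verify_release KEYS TARBALL SIGNATURE PINNED_FPR
#   2: KEYS could not be imported   3: signature invalid or key not in KEYS
#   1: signature valid but made by a key other than the pinned one   0: ok
verify_release() {
  keys=$1 tarball=$2 sig=$3 pinned=$4
  # A fresh keyring: nothing already on this machine is trusted by accident, and
  # importing KEYS does not pollute the reader's own keyring.
  GNUPGHOME=$(mktemp -d) || return 2
  export GNUPGHOME
  chmod 700 "$GNUPGHOME"
  gpg --batch --quiet --import "$keys" 2>/dev/null || return 2
  # --status-fd 1 emits machine-readable lines; VALIDSIG carries the full
  # fingerprint of the key that produced the signature as its first field.
  status=$(gpg --batch --status-fd 1 --verify "$sig" "$tarball" 2>/dev/null) || return 3
  actual=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG/ { print $3; exit }')
  [ -n "$actual" ] || return 3
  # "Is this signature cryptographically valid?" is not the question; "was it made
  # by the key I validated out-of-band?" is. A KEYS file or key server may be
  # compromised, so only the pinned fingerprint decides.
  fpr_matches "$pinned" "$actual"
}

# Stand-alone use: verify_release.sh KEYS httpd-X.Y.Z.tar.gz httpd-X.Y.Z.tar.gz.asc FPR
if [ $# -eq 4 ]; then
  if verify_release "$@"; then
    echo "OK: signature made by the pinned key"
  else
    echo "REJECTED: exit status $?"; exit 1
  fi
fi
```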
Re: cvs commit: httpd-dist KEYS
Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
At 11:36 AM 2/18/2003, Justin Erenkrantz wrote:
>--On Tuesday, February 18, 2003 1:25 AM -0600 "William A. Rowe, Jr." <wr...@rowe-clan.net> wrote:
>
>>It's a little absurd to try to have folks chasing us down for sigs
>>at home. Don't we all get enough oddball private inquiries?
>
>The original suggestion was to put a phone number on the contributors web page where we could be reached. I feel direct email is a more appropriate forum. Sending an email to the developers list (dev@httpd) isn't appropriate because the KEYS file serves for the entire project (which consists of many subprojects that can release on their own - flood, mod_python, etc.).
I agree that was overkill. However, why put anything on the contributors
web page? I believe that information exists right there, in the KEYS file,
as to who signed a given release, with our email address (we only use
still-valid email accounts when signing, right?)
>We could create keys@httpd and people willing to verify keys could subscribe there. (I'd almost suggest using security@httpd.)
The incidence on httpd isn't high enough. Maybe in Jakartaland this
is a bigger issue. I've responded to the 10 or so requests I've ever received.
>>A much more rational approach would be a resource of 'HTTPD
>>developer meets', a web page where we could *announce* our presence
>>and the opportunity for the users to come to us? (A.C.,
>>LinuxWorld, et al?)
>
>Expecting our users to be at conferences is a bit much. It's hard enough to get httpd developers to attend ApacheCon never mind other conferences.
Hey - we did say nothing beats face-to-face with government issued
photo ID (preferably two forms), right? The bigger point in such a paragraph
is that the user need not be there, they need to encourage high-visibility
individuals who attend such conferences, "hey, would you countersign keys
with someone within the ASF so I can trust their signatures?"
It's a web of trust.
>*ahem* I have RMed, thank-ya-very-much.
I'm sorry, yes - that's right. Now how many inquiries did you receive
(remembering they had your email addy within your KEYS entry that
you signed that release with)?
Mountains out of molehills?
>I only said to contact the RM after failing to contact a person in your area. I think it's reasonable, but perhaps a specific verification mailing list would ease your troubled mind?
I think the current method, "Hmmm... I don't trust this signature, I better
email that individual and inquire how to validate their key" (provided they
get a response) seems to work just fine today.
Bill
Re: cvs commit: httpd-dist KEYS
Posted by Justin Erenkrantz <ju...@erenkrantz.com>.
--On Tuesday, February 18, 2003 1:25 AM -0600 "William A. Rowe, Jr."
<wr...@rowe-clan.net> wrote:
> Justin, could you *please* find a better way to say what you were
> (rightly) trying to convey about the keys file, below?
I welcome constructive comments, but we should indicate how we want
people to verify our KEYS. We need a statement to this effect.
> It's a little absurd to try to have folks chasing us down for sigs
> at home. Don't we all get enough oddball private inquiries?
The original suggestion was to put a phone number on the contributors
web page where we could be reached. I feel direct email is a more
appropriate forum. Sending an email to the developers list
(dev@httpd) isn't appropriate because the KEYS file serves for the
entire project (which consists of many subprojects that can release
on their own - flood, mod_python, etc.).
We could create keys@httpd and people willing to verify keys could
subscribe there. (I'd almost suggest using security@httpd.)
> A much more rational approach would be a resource of 'HTTPD
> developer meets', a web page where we could *announce* our presence
> and the opportunity for the users to come to us? (A.C.,
> LinuxWorld, et al?)
Expecting our users to be at conferences is a bit much. It's hard
enough to get httpd developers to attend ApacheCon never mind other
conferences.
> As an RM to one who hasn't RM'ed, you are a bit out of line putting
> this on each and every RM. I do get very infrequent requests to
> verify my key, and have the means to do so. It doesn't belong in
> the KEYS file to put ideas in their heads, however, or I will have
> to quit doing so even for the ultra paranoid, educated users who
> deserve the courtesy ;-)
*ahem* I have RMed, thank-ya-very-much.
I only said to contact the RM after failing to contact a person in
your area. I think it's reasonable, but perhaps a specific
verification mailing list would ease your troubled mind? -- justin
Re: cvs commit: httpd-dist KEYS
Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
Justin, could you *please* find a better way to say what you were (rightly)
trying to convey about the keys file, below?
It's a little absurd to try to have folks chasing us down for sigs at home.
Don't we all get enough oddball private inquiries?
A much more rational approach would be a resource of 'HTTPD developer
meets', a web page where we could *announce* our presence and the
opportunity for the users to come to us? (A.C., LinuxWorld, et al?)
As an RM to one who hasn't RM'ed, you are a bit out of line putting this
on each and every RM. I do get very infrequent requests to verify my key,
and have the means to do so. It doesn't belong in the KEYS file to put
ideas in their heads, however, or I will have to quit doing so even for the
ultra paranoid, educated users who deserve the courtesy ;-)
Bill
At 01:38 PM 2/17/2003, jerenkrantz@apache.org wrote:
>jerenkrantz 2003/02/17 11:38:57
>
> Modified: . KEYS
> Log:
> Oh, wordsmith away. We don't bite, but let's not tell anyone that.
>
> Revision Changes Path
> 1.34 +24 -2 httpd-dist/KEYS
>
> Index: KEYS
> +Please realize that this file itself or the public key servers may be
> +compromised. You are encouraged to validate the authenticity of these keys in
> +an out-of-band manner. A good start would be face-to-face communication with
> +multiple photo identification confirmations. Each contributor has their
> +location information available at http://httpd.apache.org/contributors/.
> +
> +Since the developers are usually quite busy, you may not immediately find
> +success in someone who is willing to meet face-to-face (they may not even
> +respond to your emails because they are so busy!). If you do not have a
> +developer nearby or have trouble locating a suitable person, please send an
> +email to the release manager of the release you are attempting to verify. They
> +may be able to find someone who will be willing to verify their key in a less
> +secure manner (over the phone perhaps).