Posted to infrastructure-dev@apache.org by Tony Stevenson <to...@pc-tony.com> on 2011/09/02 22:14:11 UTC
Re: Signing jars
Folks, can we please take this over to infra-dev ?
On 2 Sep 2011, at 21:12, Benson Margulies wrote:
> Your last message looks like you are leaning towards using the
> Verisign rather than just having a certificate and applying.
>
> On Fri, Sep 2, 2011 at 3:55 PM, Daniel Shahaf <d....@daniel.shahaf.name> wrote:
>> William A. Rowe Jr. wrote on Fri, Sep 02, 2011 at 14:46:50 -0500:
>>> On 9/2/2011 12:20 PM, Daniel Shahaf wrote:
>>>>
>>>> If the proposal is to have just one ASF-wide cert, who would have access
>>>> to sign with it?
>>>>
>>>> ("root@ only" doesn't scale, "all committers" is too much, some middle ground?)
>>>
>>> Please, scroll back, this was discussed. Nobody but root (a subset
>>> actually) would have access to the actual signing key, in the pursuit
>>> of managing the signing service.
>>>
>>
>> Read what I said. I didn't ask who would have access to the key,
>> I asked who would be able to sign.
>>
>>> At least all PMC members could pass through a signing request, as any
>>> could be a component RM. Every article of signed code is recorded
>>> in svn, notices sent, etc. It would be difficult/near impossible to
>>> abuse this without drawing attention.
>>>
>>
>> My question wasn't about "drawing attention" but about handling the
>> rogue signature that would then be circulating. Your next paragraph
>> mentions revoking select signatures, which addresses this. Thanks.
>>
>>> The signing service itself offered by VeriSign (for some significant
>>> amount of $$$'s) would permit an ACL of specific authorized users and
>>> would associate signed artifacts to the signer with the ability to
>>> recall the signature. It seems each signed object ultimately wins its
>>> own unique signing key/cert, although it appears as signed by the org.
>>>
>>
>
Tony
---------------------------------------
Tony Stevenson
tony@pc-tony.com // pctony@apache.org
tony@caret.cam.ac.uk
http://blog.pc-tony.com
GPG - 1024D/51047D66
--------------------------------------