Posted to community@apache.org by Santiago Gala <sg...@hisitech.com> on 2003/12/01 17:49:05 UTC
Re: establish a trust relationship (Re: missing signatures)
On Friday, 26 Sep 2003, at 07:07 Europe/Madrid, Ask Bjoern Hansen
wrote:
> Likewise for telephone numbers; figuring out a time to make two
> calls across the world should be feasible.
>
For those able to receive/send SMS (text messages), they can be used to
send or receive key fingerprints, in a very effective and safe back
channel for identity validation.
I have used SMS quite a few times to send passwords after the account
setup information had been sent by email.
You can sue the telephone provider if the password is leaked, at least
in theory. :-P
> Some people include their key signature in all their mails.
>
>
I'm beginning to sign all my mails, since security is becoming a key
issue for all Open Source, and signing of communications/releases seems
to be crucial.
Regards,
Santiago
P.S.) I know it is a very late answer, I found the thread while making
a search for stuff on Apache Trust chain.
---------------------------------------------------------------------
To unsubscribe, e-mail: community-unsubscribe@apache.org
For additional commands, e-mail: community-help@apache.org
Re: establish a trust relationship (Re: missing signatures)
Posted by Santiago Gala <sg...@hisitech.com>.
On Monday, 1 Dec 2003, at 18:10 Europe/Madrid, Lars Eilebrecht
wrote:
> According to Santiago Gala:
>
>> For those able to receive/send SMS (text messages), they can be used to
>> send or receive key fingerprints, in a very effective and safe back
>> channel for identity validation.
>
> Err, I wouldn't call SMS (or GSM) a 'safe' communication medium.
>
Sorry, I tend to be imprecise. 'Safe' here was meant in the sense of
identity cross reference, i.e. resilient to impersonation. (In my
example, fingerprints are public info, so no confidentiality is
actually needed)
The idea is that if a person is using a phone number that appears in
telephone directories as Santiago's to answer a challenge (send me your
key fingerprint by SMS...) in a timely manner, it reinforces trust in
this person's identity as Santiago when taken in addition to email.
Not in crypto terms. I tend to be imprecise, sorry.
> [...]
>> I'm beginning to sign all my mails, since security is becoming a key
>> issue for all Open Source, and signing of communications/releases seems
>> to be crucial.
>
> BTW, you may want to cross-sign your two PGP keys. The one you
> used to sign your message is not the one you gave to people at
> ApacheCon for signing.
>
They are cross signed, I forgot to upload the signed version. Thanks
for the reminder.
Regards,
Santiago
Re: establish a trust relationship (Re: missing signatures)
Posted by Lars Eilebrecht <la...@hyperreal.org>.
According to Santiago Gala:
> For those able to receive/send SMS (text messages), they can be used to
> send or receive key fingerprints, in a very effective and safe back
> channel for identity validation.
Err, I wouldn't call SMS (or GSM) a 'safe' communication medium.
[...]
> I'm beginning to sign all my mails, since security is becoming a key
> issue for all Open Source, and signing of communications/releases seems
> to be crucial.
BTW, you may want to cross-sign your two PGP keys. The one you
used to sign your message is not the one you gave to people at
ApacheCon for signing.
ciao...
--
Lars Eilebrecht - Confidence is the feeling you sometimes have
lars@hyperreal.org - before you fully understand the situation.