On 10/29/07, Niclas Hedhman <[EMAIL PROTECTED]> wrote: > On Sunday 28 October 2007 23:15, Erik Abele wrote: > > As BenL always says: "I don't give a shit about some random document, > > that could be faked anyway. All I care about is the email address > > connected to the key I intend to sign - is it really the address of > > the person in question?". > > Ok, and if you don't know the individual in person, you put the trust in > a "Driver's license" or similar... but doesn't really care how that 'trust' > was established. > I must be plain dumb, but I don't "get" why this provides any comfort to > end-users, even if they manage to figure out what to do with the .ASCs (I bet > a very small percentage do).
most users should check the hashes (not the signatures) anyone who is not well-connected to the apache WOT gains only a little security by using a signature and only that if they understand WOT concepts pretty well. providing that release managers are well connected to the apache WOT then two small (but very important) groups of users typically fall into this category: apache members and downstream release managers. that is why apache insists on them. > And that is why I am asking for better tooling. +1 IMO this needs to be done at the protocol level > > See also http://wiki.apache.org/apachecon/PgpKeySigning > > Ok, it shows half the picture; How to sign the keys are left out... see http://people.apache.org/~henkp/ > > > as well as tooling support for verifications. > > http://httpd.apache.org/dev/verification.html > > Uhhhh, we probably have more than a million users. Do we expect them all to > get a hook into the WOT ?? IMHO, there is something wrong with that > picture... no - but we do expect the apache infrastructure team to be > Couldn't a simple; http://www.apache.org/verify where I put the ASC file (and > the MD5 of download??) and get a "Authenticated" or not response be done?? If > that is too hard to automate, I don't think we ever will see any increase in > user awareness. The process on the above page is beyond most users' > imagination. IMO this needs to be done at the protocol level to gain the required security (rather than just the appearance of security). if there's anyone around who's active on HTTP standards then now would be a great time to jump in... - robert --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
