On 29.10.2007, at 03:13, Niclas Hedhman wrote:
On Sunday 28 October 2007 23:15, Erik Abele wrote:
As BenL always says: "I don't give a shit about some random document, that could be faked anyway. All I care about is the email address connected to the key I intend to sign - is it really the address of the person in question?".
Ok, and if you don't know the individual in person, you put the trust in a "Driver's license" or similar... but doesn't really care how that 'trust' was established.
There's a ton of interpretations and levels of trust out there; I suggest you consult Google for that.
I must be plain dumb, but I don't "get" why this provides any comfort to end-users, even if they manage to figure out what to do with the .ASCs (I bet a very small percentage do).
Well, if you verify an ASF release it can show you two things:
a) if the signature is good you know that the file has not been tampered with; it's the same as when the release was originally cut by the RM
b) if you can establish a trust path to the signer of the file then you can be pretty sure that it's a legit release and not a faked one
Again, please see http://httpd.apache.org/dev/verification.html - especially the sections on "Checking Signatures" [a) above] and "Validating Authenticity of a Key" [b) above].
Re small percentage: I doubt that most users even care; the majority probably won't even think about it :(
And that is why I am asking for better tooling.
Ok, feel free to improve that :-)
See also http://wiki.apache.org/apachecon/PgpKeySigning
Ok, it shows half the picture; how to sign the keys is left out...
See one of the billions of tutorials in Google, or simply "man gpg" (--sign-key or --edit-key).
as well as tooling support for verifications.
http://httpd.apache.org/dev/verification.html
Uhhhh, we probably have more than a million users. Do we expect them all to get a hook into the WOT?? IMHO, there is something wrong with that picture...
The million users don't even care about all that - the ones who do will find a way to connect the dots or even get into the WOT (see examples provided by Robert).
E.g. if I see that a release is signed by the key XYZ of S. Striker and I go and fetch that key from a public keyserver and take a look at the list of signatures, I'll find out that there are names like Roy T. Fielding, Jim Jagielski, and so on... now, when I compare the fingerprints and maybe also have a look at http://www.apache.org/dist/httpd/KEYS then I can be pretty sure that the release was made by an official member of the HTTPD PMC - that should be enough for Random Joe to feel comfortable...
Couldn't a simple http://www.apache.org/verify where I put the ASC file (and the MD5 of the download??) and get an "Authenticated" or not response be done?? If that is too hard to automate, I don't think we ever will see any increase in user awareness.
http://people.apache.org/~henkp/cgi-bin/md5.cgi will verify the MD5 for you - it doesn't really make sense to have the same for PGP signatures IMHO.
The process on the above page is beyond most users' imagination.
As said, they probably don't even care otherwise they would know...
Cheers,
Erik
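One way to script the two checks Erik lists, a) a good signature and b) the signer's fingerprint being present in the project's KEYS file, as an added example that is not part of this thread or of the ASF's own tooling. It is Python driving gpg (assumed to be on PATH); the status output and the KEYS fragment embedded below are constructed samples, not real keys.

```python
"""Verify an ASF-style release: (a) gpg signature check, (b) signer's fingerprint listed in KEYS."""
import re
import subprocess
# Constructed sample of gpg --status-fd output for a good signature (fingerprint is not a real key).
SAMPLE_STATUS = (
    "[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.org>\n"
    "[GNUPG:] VALIDSIG 0000111122223333444455556666777788889999 2007-10-28 "
    "1193612100 0 4 0 17 2 00 0000111122223333444455556666777788889999\n"
    "[GNUPG:] TRUST_UNDEFINED 0 pgp\n"
)
# Constructed KEYS fragment in the "gpg --list-keys --fingerprint" layout the dist/ KEYS files use.
SAMPLE_KEYS = (
    "pub   1024D/89ABCDEF 2007-10-28\n"
    "      Key fingerprint = 0000 1111 2222 3333 4444  5555 6666 7777 8888 9999\n"
    "-----BEGIN PGP PUBLIC KEY BLOCK-----\n"
    "(armored key material omitted in this constructed sample)\n"
    "-----END PGP PUBLIC KEY BLOCK-----\n"
)
FPR_RE = re.compile(r"Key fingerprint\s*=\s*([0-9A-Fa-f ]+)")

def parse_status(status_text):
    """Reduce gpg's machine-readable status lines to (signature_good, signer_fingerprint)."""
    good, fpr = False, None
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        if parts[1] in ("BADSIG", "ERRSIG", "NO_PUBKEY"):
            return False, None  # tampered file, or the signing key was never imported
        if parts[1] == "GOODSIG":
            good = True
        elif parts[1] == "VALIDSIG" and len(parts) > 2:
            fpr = parts[2].upper()  # full fingerprint, not the short key id shown by GOODSIG
    return good, fpr

def keys_file_fingerprints(keys_text):
    """Fingerprints published in a KEYS file, normalised to bare upper-case hex."""
    return {m.group(1).replace(" ", "").upper() for m in FPR_RE.finditer(keys_text)}

def verdict(status_text, keys_text):
    """Step a) then step b) from the thread: good signature, and signer listed in KEYS."""
    good, fpr = parse_status(status_text)
    if not good or fpr is None:
        return "BAD SIGNATURE"
    return "VERIFIED" if fpr in keys_file_fingerprints(keys_text) else "GOOD SIGNATURE, SIGNER NOT IN KEYS"

def verify_release(asc_path, file_path, keys_path):
    """Run gpg (assumed on PATH) on a downloaded artifact and return the verdict string."""
    with open(keys_path) as f:
        keys_text = f.read()
    subprocess.run(["gpg", "--batch", "--quiet", "--import", keys_path], check=False)
    proc = subprocess.run(["gpg", "--batch", "--status-fd", "1", "--verify", asc_path, file_path],
                          capture_output=True, text=True)
    return verdict(proc.stdout, keys_text)
```

A good signature from a key that is not in KEYS is exactly the case step b) guards against, so the verdict distinguishes it from a clean "VERIFIED"; gpg's own TRUST_* line is ignored here because the KEYS listing, not the signer's web-of-trust standing, is what this check relies on.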
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]