On 29/10/2007, Erik Abele <[EMAIL PROTECTED]> wrote:
> On 29.10.2007, at 03:13, Niclas Hedhman wrote:
>
> > On Sunday 28 October 2007 23:15, Erik Abele wrote:
> >> As BenL always says: "I don't give a shit about some random document,
> >> that could be faked anyway. All I care about is the email address
> >> connected to the key I intend to sign - is it really the address of
> >> the person in question?".
> >
> > Ok, and if you don't know the individual in person, you put the trust in
> > a "Driver's license" or similar... but doesn't really care how that 'trust'
> > was established.
>
> There's a ton of interpretations and levels of trust out there; I
> suggest you consult Google for that.
>
> > I must be plain dumb, but I don't "get" why this provides any comfort to
> > end-users, even if they manage to figure out what to do with the .ASCs (I bet
> > a very small percentage do).
>
> Well, if you verify an ASF release it can show you two things:
>
> a) if the signature is good you know that the file has not been tampered with;
>    it's the same as when the release was originally cut by the RM
> b) if you can establish a trust path to the signer of the file then you can be
>    pretty sure that it's a legit release and not a faked one

Even if you can't establish a trust path, the PGP signature gives a bit more
assurance than a hash. The KEY file should be in SVN, so you can ensure that
the person that added the key to the KEY file was at least a committer to SVN.

> Again, please see http://httpd.apache.org/dev/verification.html -
> especially the sections on "Checking Signatures" [a) above] and
> "Validating Authenticity of a Key" [b) above].
>
> Re small percentage: I doubt that most users even care; the majority
> probably won't even think about it :(
>
> > And that is why I am asking for better tooling.
>
> Ok, feel free to improve that :-)
>
> >> See also http://wiki.apache.org/apachecon/PgpKeySigning
> >
> > Ok, it shows half the picture; how to sign the keys is left out...
>
> See one of the billions of tutorials in Google, or simply "man
> gpg" (--sign-key or --edit-key).
>
> >>> as well as tooling support for verifications.
> >> http://httpd.apache.org/dev/verification.html
> >
> > Uhhhh, we probably have more than a million users. Do we expect them all to
> > get a hook into the WOT ?? IMHO, there is something wrong with that
> > picture...
>
> The million users don't even care about all that - the ones who do
> will find a way to connect the dots or even get into the WOT (see
> examples provided by Robert).
>
> E.g. if I see that a release is signed by the key XYZ of S. Striker
> and I go and fetch that key from a public keyserver and take a look
> at the list of signatures, I'll find out that there are names like Roy
> T. Fielding, Jim Jagielski, and so on... now, when I compare the
> fingerprints and maybe also have a look at http://www.apache.org/dist/httpd/KEYS
> then I can be pretty sure that the release was made by an
> official member of the HTTPD PMC - that should be enough for Random
> Joe to feel comfortable...
>
> > Couldn't a simple http://www.apache.org/verify where I put the ASC file (and
> > the MD5 of download??) and get an "Authenticated" or not response be done?? If
> > that is too hard to automate, I don't think we ever will see any increase in
> > user awareness.
>
> http://people.apache.org/~henkp/cgi-bin/md5.cgi will verify the MD5
> for you - it doesn't really make sense to have the same for PGP
> signatures IMHO.
>
> > The process on the above page is beyond most users' imagination.
>
> As said, they probably don't even care otherwise they would know...
>
> Cheers,
> Erik
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
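Added example, not from this thread and not an Apache tool: a small Python helper that automates the checks discussed above, (a) a good PGP signature on the downloaded artifact, (b) the signing key's fingerprint being listed in the project's KEYS file, plus the MD5 comparison Niclas asks about. The KEYS excerpt, the artifact bytes and the gpg status lines are constructed sample data; the KEYS layout assumed is the `Key fingerprint = ...` line that `gpg --fingerprint` prints, and the gpg invocation uses the real `--status-fd` option but is not exercised on the sample.

```python
"""Release verification helper (added example, not project code)."""
import hashlib
import re
import shutil
import subprocess
from typing import Optional

# Matches the "Key fingerprint = XXXX XXXX ..." lines that gpg writes into a
# KEYS file generated with `gpg --list-keys --fingerprint` (assumed layout).
FPR_RE = re.compile(r"Key fingerprint\s*=\s*([0-9A-Fa-f ]+)")


def fingerprints_in_keys(keys_text: str) -> set:
    """Collect every fingerprint listed in a KEYS file, normalised to 40 hex chars."""
    return {m.group(1).replace(" ", "").upper() for m in FPR_RE.finditer(keys_text)}


def parse_gpg_status(status_text: str) -> dict:
    """Parse the machine-readable '[GNUPG:] ...' lines gpg emits with --status-fd.

    GOODSIG/BADSIG say whether the signature checks out; VALIDSIG carries the
    signer's full fingerprint, which is what we compare against KEYS. A good
    signature alone only proves integrity (Erik's point a); the KEYS lookup is
    the minimal substitute for a trust path (point b)."""
    good_seen = bad_seen = missing_key = False
    fingerprint: Optional[str] = None
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        tag = parts[1]
        if tag == "GOODSIG":
            good_seen = True
        elif tag in ("BADSIG", "ERRSIG"):
            bad_seen = True
        elif tag == "VALIDSIG" and len(parts) > 2:
            fingerprint = parts[2].upper()
        elif tag == "NO_PUBKEY":
            missing_key = True
    return {"good": good_seen and not bad_seen,
            "fingerprint": fingerprint,
            "missing_key": missing_key}


def md5_matches(data: bytes, md5_file_text: str) -> bool:
    """Compare the artifact's MD5 with the first token of a md5sum-style file
    ('<hash>  <filename>'). Because the .md5 sits next to the artifact, this
    only catches a corrupt download; tampering is what the signature is for."""
    tokens = md5_file_text.split()
    expected = tokens[0].lower() if tokens else ""
    return hashlib.md5(data).hexdigest() == expected


def check_release(data: bytes, md5_text: str, gpg_status: str, keys_text: str) -> dict:
    """Combine the three checks into one verdict dictionary."""
    sig = parse_gpg_status(gpg_status)
    listed = bool(sig["fingerprint"]) and sig["fingerprint"] in fingerprints_in_keys(keys_text)
    return {"md5_ok": md5_matches(data, md5_text),
            "signature_ok": sig["good"],
            "signer_in_keys": listed,
            "fingerprint": sig["fingerprint"]}


def run_gpg_verify(asc_path: str, artifact_path: str) -> Optional[str]:
    """Run gpg on a real .asc/artifact pair and return its status lines
    (--status-fd 1 routes them to stdout), or None if gpg is not installed."""
    if shutil.which("gpg") is None:
        return None
    proc = subprocess.run(["gpg", "--status-fd", "1", "--verify", asc_path, artifact_path],
                          capture_output=True, text=True)
    return proc.stdout


# --- Constructed sample data (not real keys, not a real release) -------------
SAMPLE_KEYS = """\
pub   4096R/DEADBEEF 2007-10-29
      Key fingerprint = 0123 4567 89AB CDEF 0123  4567 89AB CDEF DEAD BEEF
uid                  Example Release Manager <rm@example.invalid>
-----BEGIN PGP PUBLIC KEY BLOCK-----
(key material omitted in this constructed sample)
-----END PGP PUBLIC KEY BLOCK-----
"""
SAMPLE_ARTIFACT = b"not a real tarball, constructed sample\n"
SAMPLE_MD5 = hashlib.md5(SAMPLE_ARTIFACT).hexdigest() + "  httpd-x.y.z.tar.gz\n"
SAMPLE_STATUS_GOOD = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Release Manager <rm@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEFDEADBEEF 2007-10-29 1193616000 0 4 0 1 2 00 0123456789ABCDEF0123456789ABCDEFDEADBEEF
"""
SAMPLE_STATUS_BAD = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG 0123456789ABCDEF Example Release Manager\n"

if __name__ == "__main__":
    print(check_release(SAMPLE_ARTIFACT, SAMPLE_MD5, SAMPLE_STATUS_GOOD, SAMPLE_KEYS))
    print(check_release(SAMPLE_ARTIFACT, SAMPLE_MD5, SAMPLE_STATUS_BAD, SAMPLE_KEYS))
```

Run against a real download, `run_gpg_verify` supplies the status text and the project's KEYS file (e.g. the dist/httpd/KEYS Erik mentions) supplies `keys_text`; a result with `signature_ok` true but `signer_in_keys` false is exactly the "good signature from an unknown key" case that a bare `gpg --verify` would report as success.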