logging-log4j-dev mailing list archives

From Paul Smith <Paul.Sm...@lawlex.com.au>
Subject RE: Web start app & Certificates - redux
Date Tue, 04 May 2004 22:05:18 GMT
> But will the ASF sign a certificate we present to them?

Do they need to?  If you, Ceki, had, say, your own personal certificate (based
on "ceki@apache.org" or even "ceki@qos.ch"; you can get these free, and they are
valid within the standard certificate chain/authorities), you could sign the
jars inside a distribution with this certificate, and Web Start would not
complain.  The certificate just needs to be verifiable via the standard trust
chain.

The issue I think is whether the Apache foundation is comfortable with
hosting a distribution that has been signed 'outside' the foundation.  The
problem is I can't see a way of them letting us sign with an Apache
certificate for security reasons.  Catch-22?

> Without a certificate chain, you can actually sign with my 
> name, you can 
> even sign as "The President of the United States of America."

But you can get a valid certificate from an authority based on your email
address and, say, a driver's license from some providers; it's called a
Personal Certificate. It allows you to verify that something has been signed
by an 'email address' that has been verified and bound to an identity that
can be traced.  I.e., my personal certificate is linked to my driver's license
here in Australia, so the certificate authority can always use that as a
method of tracking me down should I do something silly.

> Do you know if the ASF have a certification policy? If it 
> does, then we 
> should follow it. If it doesn't, then we are left only with 
> bad alternatives.

From what I recall, there isn't any policy at all, maybe I am wrong.
Perhaps I should take this up with something _other_ than infrastructure? It
seems to be a foundation-wide issue.  Should I use security@apache.org and
CC our General list on?  Ceki, do you have any other recommendations as to
who we should contact for further info?  I am happy to take lead on this.


Paul Smith

To unsubscribe, e-mail: log4j-dev-unsubscribe@logging.apache.org
For additional commands, e-mail: log4j-dev-help@logging.apache.org
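An added example, not from this thread, showing the check that Web Start applies to a downloaded jar: every entry must carry a valid signature, and the signer's certificate must chain to a root in the JVM's own cacerts. It assumes the jar path is passed as the first argument and that cacerts sits at the stock location under java.home.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.Enumeration;
import java.util.List;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/** Reports, per jar entry, whether it is signed and whether the signer chains to a trusted root. */
public class JarSignerChainCheck {

    public static void main(String[] args) throws Exception {
        String jarPath = args[0]; // assumed: path to the jar Web Start would download
        String cacerts = System.getProperty("java.home") + "/lib/security/cacerts"; // assumed stock location

        // Default trust store of the running JVM; a null password skips the keystore integrity check.
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(cacerts)) { trust.load(in, null); }
        PKIXParameters params = new PKIXParameters(trust);
        params.setRevocationEnabled(false); // keeps the check offline; enable it for real deployments
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        CertificateFactory cf = CertificateFactory.getInstance("X.509");

        try (JarFile jar = new JarFile(jarPath, true)) { // 'true' turns on signature verification
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                // Digests are checked while the bytes are read, so read the entry to the end.
                try (InputStream in = jar.getInputStream(e)) {
                    byte[] buf = new byte[8192];
                    while (in.read(buf) != -1) { /* consume */ }
                } catch (SecurityException ex) {
                    System.out.println("TAMPERED  " + e.getName() + " (" + ex.getMessage() + ")");
                    continue;
                }
                CodeSigner[] signers = e.getCodeSigners(); // null when the entry has no valid signature
                if (signers == null) { System.out.println("UNSIGNED  " + e.getName()); continue; }
                for (CodeSigner s : signers) {
                    List<? extends Certificate> chain = s.getSignerCertPath().getCertificates();
                    X509Certificate leaf = (X509Certificate) chain.get(0);
                    X509Certificate last = (X509Certificate) chain.get(chain.size() - 1);
                    // A self-signed root at the end is matched against the anchors, not validated as a path member.
                    if (chain.size() > 1 && last.getSubjectX500Principal().equals(last.getIssuerX500Principal()))
                        chain = chain.subList(0, chain.size() - 1);
                    try {
                        validator.validate(cf.generateCertPath(chain), params);
                        System.out.println("TRUSTED   " + e.getName() + "  <- " + leaf.getSubjectX500Principal());
                    } catch (CertPathValidatorException ex) {
                        // Valid signature, but the signer does not reach a trusted root: this is where Web Start warns.
                        System.out.println("UNTRUSTED " + e.getName() + "  <- " + leaf.getSubjectX500Principal());
                    }
                }
            }
        }
    }
}
```

A jar signed with a self-made certificate shows up as UNTRUSTED here, while one signed with a personal certificate issued under a root present in cacerts shows up as TRUSTED.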
