ATT: svn.kde.org has been updated
Ingo Klöcker
kloecker at kde.org
Mon Apr 11 22:34:44 BST 2005
On Monday 11 April 2005 21:53, Martijn Klingens wrote:
> On Monday 11 April 2005 02:09, Thiago Macieira wrote:
> > It would, but the key is valid only for a month. We'll need a new
> > key starting May 11th, so we'll keep having to update.
That's just because I didn't know that the default duration of validity
of a certificate is 30 days.
> > Shouldn't we create a key that is valid for a year at least?
>
> Once SVN is settled for real I suggest we take a real certificate
> signed by a trusted 3rd party. Verisign is at the expensive side, but
> there are plenty of others that are quite affordable, and it 1. gives
> a lot more professional look and 2. can also be verified by people
> who don't have Ingo's GPG key in their signed keyring.
The fingerprint can be clearsigned by anybody who has access to the
certificate and can thus verify the MD5 digest of the certificate, i.e.
by anybody who has admin rights on the svn server. So the fingerprint
could be approved by several OpenPGP keys, not just mine. Not that I
would object to getting a real certificate for a reasonable price
although I don't think it's really necessary. I mean did anybody of you
doing cvs via ssh verify that you were really talking to the right ssh
server or did you simply accept the ssh server's certificate? And
everybody else used the cvs server without having any possibility to
check the authenticity of the server.
Regards,
Ingo
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <http://mail.kde.org/pipermail/kde-core-devel/attachments/20050411/0ebd919f/attachment.sig>
More information about the kde-core-devel
mailing list