Nikodemus Siivola <nikodemus(a)random-state.net> writes:
> Imagine: somehow the key gets stolen. Now the purveyor of the key can
> sign stuff as Common-lisp.net, including keys of malicious package
> authors, which people will then install and run because the author's
> key was trusted by Common-lisp.net...
Ok, good point. So, who gets to know the key, then?
Erik.
Kevin Rosenberg <kevin(a)rosenberg.net> writes:
> Did I understand correctly that you'll be signing public keys that are
> used on the common-lisp.net server?
Yes.
> If so, are you planning on signing them with your personal key or an
> administrative, common-lisp.net key?
Good question. What say you others? I think it sounds like a good idea
to have an administrative common-lisp.net key.
Erik.
Erik Enge <erik(a)nittin.net> writes:
> Good question. What say you others? I think it sounds like a good
> idea to have an administrative common-lisp.net key.
No one has disagreed with this so I'm going to assume they agree. What
would be appropriate for this key with regards to real name and email
address? "Common-Lisp.net Administrative Key" and
"admin(a)common-lisp.net" perhaps?
Erik.
How do you know that packages left on common-lisp.net and signed with my
key are really signed by me when you install them on your system?
A slightly edited discussion on #lisp:
<emarsden> it might be worth having common-lisp.net be a certificate
authority, that issues X509 certificates for the software that it
hosts (and other trusted sources). Pyramid of trust rather than web,
easier to get into for newcomers
<kire> emarsden: sounds like a fine idea.
<dan`b> well, the question for cl.net is "by signing this key, what
are we saying about its owner, or the software he uploads?"
<kire> my response would be: we say nothing except that we believe this
key belongs to the publisher of that piece of software
<dan`b> not that I'm altogether convinced by the debian approach
either of signing when you have some meatspace proof that the person
is who they say they are
<dan`b> because usually it's the net.persona that you're interested in
<emarsden> you're saying "this tarball has been signed by someone
who's known to cl.net"
<emarsden> which avoids the "someone modified cliki.net to point to a
nasty tarball" problem
<dan`b> kire: the interesting question to the end-user is "did this
package come from someone with a cl.net account"
<dan`b> so how much authentication do you do before giving accounts on
cl.net out?
<kire> dan`b: none, really.
<emarsden> yes, "is trusted sufficiently to have an account" is fine
<emarsden> the barrier to entry should be low, otherwise people will
just work around the certificate check
<kire> emarsden: yes, it must be made very straightforward.
<dan`b> though in fairness to the cryptohippies, I would probably sign
them as "partially trusted" not "fully trusted" if it's just "trusted
sufficiently to have an account"
<dan`b> so, for the cl.net application procedure, you ask people to
send you signed mail to apply
<dan`b> and you send the initial username/password etc details
encrypted to that same key
<dan`b> then you know that the cl.net user is the owner of the gpg
key, and you can sign the key in question
What do you guys think? Personally, I'm all for it.
Erik.