From eenge@prium.net Mon Nov 10 15:25:05 2003
From: Erik Enge
To: clo-devel@common-lisp.net
Subject: Re: [clo-devel] Re: Please upload your public GPG key to common-lisp.net
Date: Mon, 10 Nov 2003 15:27:41 -0500
Message-ID: <871xsg2cle.fsf@prium.net>
In-Reply-To:

Nikodemus Siivola writes:

> Need To Know Basis, of course. As long as you're willing to shoulder
> the signing, no-one else needs to know. If you think you need help,
> then someone else as well.

I don't think I need help but if I get hit by the bus you're out of
luck. I think perhaps telling a couple of you will be appropriate.

How's this for the website:

We want users and developers who download software from this site to
have a way of verifying that what they just downloaded is indeed what
the author uploaded and that the author who uploaded the software
indeed is the author they think he is. This will help in preventing
trojaned software from spreading.

For the user to verify a software package (usually a tarball or a zip
file), the author will need to sign said package using his GPG (or

writes:

> The weak link is of course that the user doesn't know if the public
> key is the author's or not. Here's where our signing policy comes
> into play. When developers apply for a project at common-lisp.net
> they receive their passwords encrypted (by mail) and if they
> successfully decrypt and answer the email, their public key will be
> signed by the common-lisp.net keymaster. Thus, the users will have a
> means of verifying that they have the correct key.

ok, so this "guarantees" that the key belongs to whoever has access to
that account (which is good), but how do you get people to trust
common-lisp.net's key? am i missing something simple?

-- 
-Marco
Ring the bells that still can ring.
Forget your perfect offering.
There is a crack in everything.
That's how the light gets in.
-Leonard Cohen

From nikodemus@random-state.net Mon Nov 10 17:33:11 2003
From: Nikodemus Siivola
To: clo-devel@common-lisp.net
Subject: Re: [clo-devel] Re: Please upload your public GPG key to common-lisp.net
Date: Tue, 11 Nov 2003 00:16:44 +0200
Message-ID: <20031110221644.GF702@random-state.net>
In-Reply-To: <871xsg2cle.fsf@prium.net>

On Mon, Nov 10, 2003 at 03:27:41PM -0500, Erik Enge wrote:

> I don't think I need help but if I get hit by the bus you're out of
> luck. I think perhaps telling a couple of you will be appropriate.

I hope you're not planning on playing chicken with heavy traffic
regularly, though... ,) But point taken.

> package pluss the author's public key and verify that the public key
              ^

> Poorly worded but does this capture our intent?

Modulo the stray #\s, it's perfect.

Cheers,

-- Nikodemus

From anthony@ventimiglia.org Mon Nov 10 19:14:08 2003
From: Anthony Ventimiglia
To: clo-devel@common-lisp.net
Subject: Re: [clo-devel] Re: Please upload your public GPG key to common-lisp.net
Date: Mon, 10 Nov 2003 19:14:47 -0500
Message-ID: <16304.10743.448690.677419@afghan.dogpound>
In-Reply-To: <871xsg2cle.fsf@prium.net>

Erik Enge writes:

> Once the package has been signed, the user can then download the
> package pluss the author's public key and verify that the public key
> at hand signed the package he or she just downloaded.
>
> The weak link is of course that the user doesn't know if the public
> key is the author's or not. Here's where our signing policy comes
> into play. When developers apply for a project at common-lisp.net
> they receive their passwords encrypted (by mail) and if they
> successfully decrypt and answer the email, their public key will be
> signed by the common-lisp.net keymaster. Thus, the users will have a
> means of verifying that they have the correct key.

Sounds great, how will we handle signing of those of us that are
already members?

-- 
(incf *yankees-world-series-losses*)

From mommer@igpm.rwth-aachen.de Tue Nov 11 02:47:12 2003
From: Mario Mommer
To: clo-devel@common-lisp.net
Subject: Re: [clo-devel] Re: Please upload your public GPG key to common-lisp.net
Date: Tue, 11 Nov 2003 08:46:23 +0100
Message-ID:
In-Reply-To: <871xsg2cle.fsf@prium.net>

Erik Enge writes:

> Nikodemus Siivola writes:
>
> > Need To Know Basis, of course. As long as you're willing to shoulder
> > the signing, no-one else needs to know. If you think you need help,
> > then someone else as well.
>
> I don't think I need help but if I get hit by the bus you're out of
> luck. I think perhaps telling a couple of you will be appropriate.

Some redundancy would certainly be good. In case something bad happens
we would have to hack your box to run the site, btw.

> We want users and developers who download software from this site to
> have a way of verifying that what they just downloaded is indeed what
> the author uploaded and that the author who uploaded the software
> indeed is the author they think he is. This will help in preventing
> trojaned software from spreading.
>
> For the user to verify a software package (usually a tarball or a zip
> file), the author will need to sign said package using his
> <a href="http://www.gnupg.org/">GPG</a> (or
> <a href="http://www.pgp.com/">PGP</a> or similar technology) private key.
> (For details on how to do this, check out the GnuPG site, for example,
> which has several howto's and other useful documents.)
>
> Once the package has been signed, the user can then download the
> package pluss the author's public key and verify that the public key
> at hand signed the package he or she just downloaded.
>
> The weak link is of course that the user doesn't know if the public
> key is the author's or not. Here's where our signing policy comes
> into play. When developers apply for a project at common-lisp.net
> they receive their passwords encrypted (by mail) and if they
> successfully decrypt and answer the email, their public key will be
> signed by the common-lisp.net keymaster. Thus, the users will have a
> means of verifying that they have the correct key.
>
> Poorly worded but does this capture our intent?

I think it does. It is ok.

Regards,
Mario
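The chain Erik's draft describes (the author signs the package, the keymaster certifies the author's key after the encrypted-mail challenge, the user checks both), together with Marco's point that the keymaster's own key must still be trusted out of band, modelled as an added example that is not part of this thread or of common-lisp.net's tooling: a Python sketch using toy textbook RSA over tiny hard-coded primes (illustration only), with hypothetical names and constructed sample keys and package.

```python
import hashlib
from dataclasses import dataclass, field
# Toy textbook RSA over small hard-coded primes: illustration only, far too small to be secure.
def make_key(p, q, e=65537):
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))  # (public, private)

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n
def sign(priv, data):
    return pow(digest(data, priv[0]), priv[1], priv[0])
def verify(pub, data, sig):
    return pow(sig, pub[1], pub[0]) == digest(data, pub[0])
def fingerprint(pub):
    return hashlib.sha256(f"{pub[0]}:{pub[1]}".encode()).hexdigest()[:16]

@dataclass
class Key:
    pub: tuple
    uid: str
    certs: dict = field(default_factory=dict)  # certifier fingerprint -> signature over material()
    def material(self):  # a certification binds the user id to the public key
        return f"{self.uid}:{self.pub[0]}:{self.pub[1]}".encode()

# Keymaster side: certify a developer's key once they have answered the encrypted mail.
def certify(signer_priv, signer_pub, key):
    key.certs[fingerprint(signer_pub)] = sign(signer_priv, key.material())

# User side: trusted_fpr is the keymaster fingerprint the user obtained out of band.
def verify_release(package, package_sig, author_key, keymaster_pub, trusted_fpr):
    if fingerprint(keymaster_pub) != trusted_fpr:
        return "keymaster key does not match the fingerprint obtained out of band"
    cert = author_key.certs.get(trusted_fpr)
    if cert is None or not verify(keymaster_pub, author_key.material(), cert):
        return "author key not certified by the keymaster"
    if not verify(author_key.pub, package, package_sig):
        return "package signature invalid"
    return "ok"

# Constructed sample keys and package (hypothetical names).
KM_PUB, KM_PRIV = make_key(1000037, 1000039)
TRUSTED_FPR = fingerprint(KM_PUB)  # as the user would have it from an out-of-band source
AUTHOR_PUB, AUTHOR_PRIV = make_key(1000003, 1000033)
AUTHOR_KEY = Key(AUTHOR_PUB, "Author <author@example.org>")
certify(KM_PRIV, KM_PUB, AUTHOR_KEY)
IMPOSTOR_PUB, IMPOSTOR_PRIV = make_key(999983, 1000003)
IMPOSTOR_KEY = Key(IMPOSTOR_PUB, "Author <author@example.org>")  # same user id, never certified
PACKAGE = b"constructed tarball bytes"
GOOD_SIG, IMPOSTOR_SIG = sign(AUTHOR_PRIV, PACKAGE), sign(IMPOSTOR_PRIV, PACKAGE)
```

Note that an impostor key carrying the same user id fails at the certification step, and a tampered download fails at the package-signature step; neither check helps if the keymaster key itself was swapped, which is why its fingerprint has to be checked against an out-of-band source first.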