How do you know that packages left on common-lisp.net and signed with my key are really signed by me when you install them on your system?
A slightly edited discussion on #lisp:
<emarsden> it might be worth having common-lisp.net be a certificate authority, that issues X509 certificates for the software that it hosts (and other trusted sources). Pyramid of trust rather than web, easier to get into for newcomers
<kire> emarsden: sounds like a fine idea.
<dan`b> well, the question for cl.net is "by signing this key, what are we saying about its owner, or the software he uploads?"
<kire> my response would be: we say nothing except that we believe this key belongs to the publisher of that piece of software
<dan`b> not that I'm altogether convinced by the debian approach either of signing when you have some meatspace proof that the person is who they say they are
<dan`b> because usually it's the net.persona that you're interested in
<emarsden> you're saying "this tarball has been signed by someone who's known to cl.net"
<emarsden> which avoids the "someone modified cliki.net to point to a nasty tarball" problem
<dan`b> kire: the interesting question to the end-user is "did this package come from someone with a cl.net account"
<dan`b> so how much authentication do you do before giving accounts on cl.net out?
<kire> dan`b: none, really.
<emarsden> yes, "is trusted sufficiently to have an account" is fine
<emarsden> the barrier to entry should be low, otherwise people will just work around the certificate check
<kire> emarsden: yes, it must be made very straightforward.
<dan`b> though in fairness to the cryptohippies, I would probably sign them as "partially trusted" not "fully trusted" if it's just "trusted sufficiently to have an account"
<dan`b> so, for the cl.net application procedure, you ask people to send you signed mail to apply
<dan`b> and you send the initial username/password etc details encrypted to that same key
<dan`b> then you know that the cl.net user is the owner of the gpg key, and you can sign the key in question
What do you guys think? Personally, I'm all for it.
Erik.
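A worked example of the trust chain the discussion sketches: cl.net certifies a publisher's key (saying only "this key belongs to someone with a cl.net account"), the publisher signs a tarball, and the installer checks both links before accepting it. This is added illustration, not code from the thread or from common-lisp.net; it models the chain with Ed25519 and a hand-rolled certification message in place of OpenPGP key signatures, and the names (NewIdentity, Certify, SignPackage, Verify) and sample tarball bytes are assumptions for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Identity is a keypair. The cl.net "CA" and each publisher each hold one.
type Identity struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewIdentity(name string) (*Identity, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Identity{Name: name, Pub: pub, priv: priv}, nil
}

// Certification is the CA's signature over a publisher key. It asserts only
// "this key belongs to a cl.net account holder", nothing about the code.
type Certification struct {
	Subject ed25519.PublicKey
	Sig     []byte
}

// certMessage binds the CA's signature to its meaning so it cannot be
// replayed as a signature over something else (a tarball, say).
func certMessage(subject ed25519.PublicKey) []byte {
	return append([]byte("cl.net-account-holder:"), subject...)
}

func (ca *Identity) Certify(subject ed25519.PublicKey) Certification {
	return Certification{Subject: subject, Sig: ed25519.Sign(ca.priv, certMessage(subject))}
}

// SignedPackage is a tarball plus the publisher's signature over its SHA-256.
type SignedPackage struct {
	Tarball   []byte
	Signer    ed25519.PublicKey
	Signature []byte
}

func (p *Identity) SignPackage(tarball []byte) SignedPackage {
	digest := sha256.Sum256(tarball)
	return SignedPackage{Tarball: tarball, Signer: p.Pub, Signature: ed25519.Sign(p.priv, digest[:])}
}

// Verify answers the end-user's question from the discussion:
// "did this package come from someone with a cl.net account?"
// Only the CA's public key needs to be pre-installed on the user's machine.
func Verify(caPub ed25519.PublicKey, pkg SignedPackage, cert Certification) error {
	if !bytes.Equal(cert.Subject, pkg.Signer) {
		return errors.New("certification is for a different key than the one that signed the package")
	}
	if !ed25519.Verify(caPub, certMessage(cert.Subject), cert.Sig) {
		return errors.New("signer key is not certified by cl.net")
	}
	digest := sha256.Sum256(pkg.Tarball)
	if !ed25519.Verify(pkg.Signer, digest[:], pkg.Signature) {
		return errors.New("tarball does not match the publisher's signature (modified or swapped tarball)")
	}
	return nil
}

func main() {
	ca, _ := NewIdentity("common-lisp.net")
	erik, _ := NewIdentity("erik")
	cert := ca.Certify(erik.Pub) // issued once the signed-mail / encrypted-credentials dance is done

	// Constructed sample tarball bytes standing in for a real release.
	pkg := erik.SignPackage([]byte("cl-foo-1.0.tar.gz: constructed sample bytes"))
	fmt.Println("genuine package:", Verify(ca.Pub, pkg, cert))

	// The "someone modified cliki.net to point to a nasty tarball" case.
	tampered := pkg
	tampered.Tarball = []byte("cl-foo-1.0.tar.gz: constructed sample bytes, plus a backdoor")
	fmt.Println("tampered tarball:", Verify(ca.Pub, tampered, cert))

	// A nasty tarball signed by a key nobody at cl.net ever certified.
	mallory, _ := NewIdentity("mallory")
	fmt.Println("uncertified signer:", Verify(ca.Pub, mallory.SignPackage([]byte("evil")), mallory.Certify(mallory.Pub)))
}
```

Note what the chain does not prove: a valid result says the signer holds a cl.net account, not that the code is safe, which is exactly the "partially trusted" distinction raised in the log.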
On Wed, Nov 05, 2003 at 01:34:44PM -0500, Erik Enge wrote:
> <dan`b> kire: the interesting question to the end-user is "did this package come from someone with a cl.net account"
Right on the mark.
<dan`b> so, for the cl.net application procedure, you ask people to send you signed mail to apply
<dan`b> and you send the inital username/password etc details encrypted to that same key
<dan`b> then you know that the cl.net user is the owner of the gpg key, and you can sign the key in question
Minimal complication to procedure, fair increase in security. Good trade. ;)
> What do you guys think? Personally, I'm all for it.
So am I.
Cheers,
-- Nikodemus
Erik Enge <erik@nittin.net> writes:
> How do you know that packages left on common-lisp.net and signed with my key are really signed by me when you install them on your system?
> [snip]
> What do you guys think? Personally, I'm all for it.
Sounds good. I have to admit that my knowledge of these things is rather poor.
Regards, Mario.