Nikodemus Siivola nikodemus@random-state.net writes:
Need To Know Basis, of course. As long as you're willing to shoulder the signing, no-one else needs to know. If you think you need help, then someone else as well.
I don't think I need help but if I get hit by the bus you're out of luck. I think perhaps telling a couple of you will be appropriate.
How's this for the website:
We want users and developers who download software from this site to have a way of verifying that what they just downloaded is indeed what the author uploaded and that the author who uploaded the software indeed is the author they think he is. This will help in preventing trojaned software from spreading.
For the user to verify a software package (usually a tarball or a zip file), the author will need to sign said package using his <a href="http://www.gnupg.org/">GPG</a> (or <a href="http://www.pgp.com/">PGP</a> or similar technology) private key. (For details on how to do this, check out the GnuPG site, for example, which has several howto's and other useful documents.)
Once the package has been signed, the user can then download the package pluss the author's public key and verify that the public key at hand signed the package he or she just downloaded.
The weak link is of course that the user doesn't know if the public key is the author's or not. Here's where our signing policy comes into play. When developers apply for a project at common-lisp.net they receive their passwords encrypted (by mail) and if they successfully decrypt and answer the email, their public key will be signed by the common-lisp.net keymaster. Thus, the users will have a means of verifying that they have the correct key.
Poorly worded but does this capture our intent?
Erik.
Erik Enge eenge@prium.net writes:
The weak link is of course that the user doesn't know if the public key is the author's or not. Here's where our signing policy comes into play. When developers apply for a project at common-lisp.net they receive their passwords encrypted (by mail) and if they successfully decrypt and answer the email, their public key will be signed by the common-lisp.net keymaster. Thus, the users will have a means of verifying that they have the correct key.
ok, so this "guarantees" that the key belongs to whoever has access to that account (which is good), but how do you get people to trust common-lisp.net's key? am i missing something simple?
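The draft policy above describes a three-party chain (developer signs the package, keymaster certifies the developer's key, user verifies both), and the question just raised is where that chain bottoms out. The following is an added example, not code from the thread or from common-lisp.net, that models the chain in Go with stdlib ed25519 in place of GPG so that the trust decision is explicit. Names (`Certify`, `SignRelease`, `VerifyRelease`, `Scenario`), the identities "alice" and "bob" and the tarball contents are constructed for the example. The one thing the model cannot derive is the keymaster's public key: `VerifyRelease` takes it as a parameter because the user must obtain it out of band, which is exactly the gap the question points at.

```go
package main

// Added example (not from the mailing-list thread): a model of the trust chain
// the draft policy describes, using Go's ed25519 in place of GPG/PGP.
// The developer signs the tarball; the common-lisp.net keymaster certifies the
// developer's public key; the user trusts only the keymaster's key and derives
// trust in the developer's key from that certification.

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Certification is the keymaster's signature binding an account identity
// (the common-lisp.net account name) to a developer public key.
type Certification struct {
	Identity string
	Pub      ed25519.PublicKey
	Sig      []byte
}

// Release is what the user downloads: tarball, detached signature, the
// developer's public key, and (if present) the keymaster's certification.
type Release struct {
	Tarball []byte
	Sig     []byte
	DevPub  ed25519.PublicKey
	Cert    *Certification
}

// certBody is what the keymaster signs: identity, a NUL separator, then the raw
// key bytes, so an identity and a key cannot be mixed and matched later.
func certBody(identity string, pub ed25519.PublicKey) []byte {
	return append(append([]byte(identity), 0), pub...)
}

// Certify is the keymaster's step: once the applicant has proven control of the
// key (decrypted the mailed password and replied), sign identity+key.
func Certify(keymaster ed25519.PrivateKey, identity string, pub ed25519.PublicKey) Certification {
	return Certification{Identity: identity, Pub: pub, Sig: ed25519.Sign(keymaster, certBody(identity, pub))}
}

// SignRelease is the developer's step: a detached signature over the tarball.
func SignRelease(dev ed25519.PrivateKey, tarball []byte, cert *Certification) Release {
	pub := dev.Public().(ed25519.PublicKey)
	return Release{Tarball: tarball, Sig: ed25519.Sign(dev, tarball), DevPub: pub, Cert: cert}
}

// VerifyRelease is the user's step. keymasterPub is the only key trusted a
// priori (it has to be obtained out of band); everything else is derived.
func VerifyRelease(r Release, keymasterPub ed25519.PublicKey, wantIdentity string) error {
	if !ed25519.Verify(r.DevPub, r.Tarball, r.Sig) {
		return errors.New("tarball signature does not verify under the supplied key")
	}
	// A valid signature only proves "whoever holds this key signed this";
	// the keymaster's certification is what binds the key to the account.
	if r.Cert == nil {
		return errors.New("no keymaster certification for the supplied key")
	}
	if r.Cert.Identity != wantIdentity || !bytes.Equal(r.Cert.Pub, r.DevPub) {
		return errors.New("certification is for a different identity or key")
	}
	if !ed25519.Verify(keymasterPub, certBody(r.Cert.Identity, r.Cert.Pub), r.Cert.Sig) {
		return errors.New("certification not signed by the trusted keymaster")
	}
	return nil
}

// Scenario builds a keymaster, a certified developer "alice", a second certified
// developer "bob" and an uncertified key, then returns the verification outcome
// for four downloads of alice's project. Inputs are constructed sample data.
func Scenario() (genuine, uncertified, tampered, wrongIdentity error) {
	kmPub, kmPriv, _ := ed25519.GenerateKey(rand.Reader)
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader)
	bobPub, bobPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, strayPriv, _ := ed25519.GenerateKey(rand.Reader)

	tarball := []byte("cl-example-1.0.tar.gz (constructed sample contents)")
	aliceCert := Certify(kmPriv, "alice", alicePub)
	bobCert := Certify(kmPriv, "bob", bobPub)

	// 1. The real release: signed by alice, key certified by the keymaster.
	genuine = VerifyRelease(SignRelease(alicePriv, tarball, &aliceCert), kmPub, "alice")
	// 2. A package signed with a key nobody certified: signature is valid, trust is not.
	uncertified = VerifyRelease(SignRelease(strayPriv, tarball, nil), kmPub, "alice")
	// 3. The real release with the tarball modified after signing.
	rel := SignRelease(alicePriv, tarball, &aliceCert)
	rel.Tarball = append([]byte{}, rel.Tarball...)
	rel.Tarball = append(rel.Tarball, '!')
	tampered = VerifyRelease(rel, kmPub, "alice")
	// 4. Bob's properly certified key offered as if it were alice's.
	wrongIdentity = VerifyRelease(SignRelease(bobPriv, tarball, &bobCert), kmPub, "alice")
	return
}

func main() {
	g, u, t, w := Scenario()
	fmt.Println("genuine:        ", g)
	fmt.Println("uncertified key:", u)
	fmt.Println("tampered:       ", t)
	fmt.Println("wrong identity: ", w)
}
```

Only the first download passes; the other three fail at a different check each, which is the point of having the user verify both the package signature and the certification rather than the signature alone. With real GnuPG the same two checks correspond to `gpg --verify` on the detached signature and confirming that the signing key carries a certification from the keymaster's key, whose fingerprint the user has to learn by some channel the policy itself does not provide.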
On Mon, Nov 10, 2003 at 03:27:41PM -0500, Erik Enge wrote:
I don't think I need help but if I get hit by the bus you're out of luck. I think perhaps telling a couple of you will be appropriate.
I hope you're not planning on playing chicken with heavy traffic regularly, though... ,)
But point taken.
package pluss the author's public key and verify that the public key
^
Poorly worded but does this capture our intent?
Modulo the stray #\s, it's perfect.
Cheers,
-- Nikodemus
Erik Enge writes:
Once the package has been signed, the user can then download the package pluss the author's public key and verify that the public key at hand signed the package he or she just downloaded.
The weak link is of course that the user doesn't know if the public key is the author's or not. Here's where our signing policy comes into play. When developers apply for a project at common-lisp.net they receive their passwords encrypted (by mail) and if they successfully decrypt and answer the email, their public key will be signed by the common-lisp.net keymaster. Thus, the users will have a means of verifying that they have the correct key.
Sounds great, how will we handle signing of those of us that are already members?
Erik Enge eenge@prium.net writes:
Nikodemus Siivola nikodemus@random-state.net writes:
Need To Know Basis, of course. As long as you're willing to shoulder the signing, no-one else needs to know. If you think you need help, then someone else as well.
I don't think I need help but if I get hit by the bus you're out of luck. I think perhaps telling a couple of you will be appropriate.
Some redundancy would certainly be good. In case something bad happens we would have to hack your box to run the site, btw.
We want users and developers who download software from this site to have a way of verifying that what they just downloaded is indeed what the author uploaded and that the author who uploaded the software indeed is the author they think he is. This will help in preventing trojaned software from spreading.
For the user to verify a software package (usually a tarball or a zip file), the author will need to sign said package using his <a href="http://www.gnupg.org/">GPG</a> (or <a href="http://www.pgp.com/">PGP</a> or similar technology) private key. (For details on how to do this, check out the GnuPG site, for example, which has several howto's and other useful documents.)
Once the package has been signed, the user can then download the package pluss the author's public key and verify that the public key at hand signed the package he or she just downloaded.
The weak link is of course that the user doesn't know if the public key is the author's or not. Here's where our signing policy comes into play. When developers apply for a project at common-lisp.net they receive their passwords encrypted (by mail) and if they successfully decrypt and answer the email, their public key will be signed by the common-lisp.net keymaster. Thus, the users will have a means of verifying that they have the correct key.
Poorly worded but does this capture our intent?
I think it does. It is ok.
Regards, Mario