erik at nittin.net
Wed Nov 5 18:34:44 UTC 2003
How do you know that packages left on common-lisp.net and signed with my
key are really signed by me when you install them on your system?
A slightly edited discussion on #lisp:
<emarsden> it might be worth having common-lisp.net be a certificate
authority, that issues X509 certificates for the software that it
hosts (and other trusted sources). Pyramid of trust rather than web,
easier to get into for newcomers
<kire> emarsden: sounds like a fine idea.
<dan`b> well, the question for cl.net is "by signing this key, what
are we saying about its owner, or the software he uploads?"
<kire> my response would be: we say nothing except that we believe this
key belongs to the publisher of that piece of software
<dan`b> not that I'm altogether convinced by the debian approach
either of signing when you have some meatspace proof that the person
is who they say they are
<dan`b> because usually it's the net.persona that you're interested in
<emarsden> you're saying "this tarball has been signed by someone
who's known to cl.net"
<emarsden> which avoids the "someone modified cliki.net to point to a
nasty tarball" problem
<dan`b> kire: the interesting question to the end-user is "did this
package come from someone with a cl.net account"
<dan`b> so how much authentication do you do before giving accounts on
<kire> dan`b: none, really.
<emarsden> yes, "is trusted sufficiently to have an account" is fine
<emarsden> the barrier to entry should be low, otherwise people will
just work around the certificate check
<kire> emarsden: yes, it must be made very straightforward.
<dan`b> though in fairness to the cryptohippies, I would probably sign
them as "partially trusted" not "fully trusted" if it's just "trusted
sufficiently to have an account"
<dan`b> so, for the cl.net application procedure, you ask people to
send you signed mail to apply
<dan`b> and you send the initial username/password etc details
encrypted to that same key
<dan`b> then you know that the cl.net user is the owner of the gpg
key, and you can sign the key in question
What do you guys think? Personally, I'm all for it.