[clo-devel] "authentication"

Erik Enge erik at nittin.net
Wed Nov 5 18:34:44 UTC 2003


How do you know that packages left on common-lisp.net and signed with my
key are really signed by me when you install them on your system?

A slightly edited discussion on #lisp:

  <emarsden> it might be worth having common-lisp.net be a certificate
  authority, that issues X509 certificates for the software that it
  hosts (and other trusted sources). Pyramid of trust rather than web,
  easier to get into for newcomers

  <kire> emarsden: sounds like a fine idea.

  <dan`b> well, the question for cl.net is "by signing this key, what
  are we saying about its owner, or the software he uploads?"

  <kire> my response would be: we say nothing except that we believe this
  key belongs to the publisher of that piece of software

  <dan`b> not that I'm altogether convinced by the debian approach
  either of signing when you have some meatspace proof that the person
  is who they say they are

  <dan`b> because usually it's the net.persona that you're interested in

  <emarsden> you're saying "this tarball has been signed by someone
  who's known to cl.net"

  <emarsden> which avoids the "someone modified cliki.net to point to a
  nasty tarball" problem

  <dan`b> kire: the interesting question to the end-user is "did this
  package come from someone with a cl.net account"

  <dan`b> so how much authentication do you do before giving accounts on
  cl.net out?

  <kire> dan`b: none, really.

  <emarsden> yes, "is trusted sufficiently to have an account" is fine

  <emarsden> the barrier to entry should be low, otherwise people will
  just work around the certificate check

  <kire> emarsden: yes, it must be made very straightforward.
 
  <dan`b> though in fairness to the cryptohippies, I would probably sign
  them as "partially trusted" not "fully trusted" if it's just "trusted
  sufficiently to have an account"

  <dan`b> so, for the cl.net application procedure, you ask people to
  send you signed mail to apply

  <dan`b> and you send the initial username/password etc details
  encrypted to that same key

  <dan`b> then you know that the cl.net user is the owner of the gpg
  key, and you can sign the key in question

What do you guys think?  Personally, I'm all for it.

Erik.



