
Re: Bug#579177: ITP: xul-ext-monkeysphere -- Iceweasel/Firefox extension for using Monkeysphere on the web

Hi, Frank.  Thanks so much for the feedback.  Responses below.

On Sun, 02 May 2010 23:36:57 +0200, Frank Lin PIAT <fpiat@klabs.be> wrote:
> On Sun, 2010-04-25 at 18:44 -0400, Jameson Graef Rollins wrote:
> > * Package name    : xul-ext-monkeysphere
> >   Version         : 0.1
> The package description could mention that this is an
> early/alpha/experimental release, to avoid deception (and encourage
> feedback)

This extension definitely is in the early stages of development, but it
is working for most cases now, and the developers are using it
routinely.  I'm also not sure how we would indicate that it's "alpha" or
"experimental" in the Package: or Version: fields of the control file,
which I think is what you're implying.  Do you have a suggestion for

> Wouldn't it be better to state that it's a replacement for X509
> certificates? (there is probably an even better wording, but I can't
> find it).

Monkeysphere is not actually a replacement for X.509, at least not in
the sense of using Monkeysphere *or* X.509.  The goal of Monkeysphere,
broadly, is to expand the usage of OpenPGP for authentication on the
net.  In the context of the web, the Monkeysphere xul extension can be
used to validate sites that have put their host keys on the OpenPGP Web
of Trust (WOT).  However, the extension actually currently relies upon
sites providing an X.509 certificate through normal TLS channels.  We
provide a fallback validation check using the WOT when the standard
X.509 validation fails.  Our goal is not to disrupt standard X.509
validation if the user wishes to continue to rely upon it, but to
instead provide an alternative to standard X.509 validation that uses
OpenPGP and the WOT.

I agree, though, that it is relevant to mention X.509 in the package
description, at least in the sense of providing an alternative, but I
feel like we're currently doing that with this bit:

> > This extension enables Monkeysphere checking of X.509 certificates
> > from https hosts whose keys are in the web of trust.

Does this not seem clear enough?  Or is there something else that we're
missing in the description to make things clearer?

> The long description should mention that this package contains an
> Iceweasel extension, maybe:
>  "This package contains an Iceweasel/Firefox extension to use
>   Monkeysphere for checking of X.509 certificates from https hosts 
>   whose keys are in the web of trust."

Good point.  We'll fix that.

> My 2 cents,

Always appreciated!

