
Re: Bug#579177: ITP: xul-ext-monkeysphere -- Iceweasel/Firefox extension for using Monkeysphere on the web



On Mon, 2010-05-03 at 12:13 -0400, Jameson Rollins wrote:
> Hi, Frank.  Thanks so much for the feedback.  Responses below.
> 
> On Sun, 02 May 2010 23:36:57 +0200, Frank Lin PIAT <fpiat@klabs.be> wrote:
> > On Sun, 2010-04-25 at 18:44 -0400, Jameson Graef Rollins wrote:
> > > * Package name    : xul-ext-monkeysphere
> > >   Version         : 0.1
> > 
> > The package description could mention that this is an
> > early/alpha/experimental release, to avoid deception (and encourage
> > feedback)
> 
> This extension definitely is in the early stages of development, but it
> is working for most cases now, and the developers are using it
> routinely.  I'm also not sure how we would indicate that it's "alpha" or
> "experimental" in the Package: or Version: fields of the control file,
> which I think is what you're implying.  Do you have a suggestion for
> that?

I have gathered some existing "excuses", but none seems to fit your
need.
  http://wiki.debian.org/PackagesDescriptions/Fragments
Based on what you told me, upstream might want to number it 0.9 ;)
Still, let me give it a try:
 "Although the program is still in the development stage, it already
  has some useful features, and it is quite stable"

Feel free to adjust or rewrite it.

> > Wouldn't it be better to state that it's a replacement for X509
> > certificates? (there is probably an even better wording, but I can't
> > find it).
> 
> Monkeysphere is not actually a replacement for X.509, at least not in
> the sense of using Monkeysphere *or* X.509.  The goal of Monkeysphere,
> broadly, is to expand the usage of OpenPGP for authentication on the
> net.  In the context of the web, the Monkeysphere xul extension can be
> used to validate sites that have put their host keys on the OpenPGP Web
> of Trust (WOT).  However, the extension actually currently relies upon
> sites providing an X.509 certificate through normal TLS channels.  We
> provide a fallback validation check using the WOT when the standard
> X.509 validation fails.  Our goal is not to disrupt standard X.509
> validation if the user wishes to continue to rely upon it, but to
> instead provide an alternative to standard X.509 validation that uses
> OpenPGP and the WOT.

OK, we "just" have to figure out how to write that in 4 or 5 lines ;)

"Monkeysphere uses OpenPGP's « Web of Trust » to validate X509
 certificates that aren't signed by a known certificate authority
 (CA)."

We could also say something like this:

"In regular public key infrastructure (PKI), X509 certificates
 are signed by third-party organisations that are considered to
 be trusted by both the webserver admin and the web-browser vendor."


> I agree, though, that it is relevant to mention X.509 in the package
> description, at least in the sense of providing an alternative, but I
> feel like we're currently doing that with this bit:
> 
> > > This extension enables Monkeysphere checking of X.509 certificates
> > > from https hosts whose keys are in the web of trust.
> 
> Does this not seem clear enough?  Or is there something else that we're
> missing in the description to make things clearer?
> 
> > The long description should mention that this package contains an
> > Iceweasel extension, maybe:
> >  "This package contains an Iceweasel/Firefox extension to use
> >   Monkeysphere for checking of X.509 certificates from https hosts 
> >   whose keys are in the web of trust."
> 
> Good point.  We'll fix that.

Again, just my 2 cents ;)

Franklin

