[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bug#579177: ITP: xul-ext-monkeysphere -- Iceweasel/Firefox extension for using Monkeysphere on the web

On Mon, 2010-05-03 at 12:13 -0400, Jameson Rollins wrote:
> Hi, Frank.  Thanks so much for the feedback.  Responses below.
> On Sun, 02 May 2010 23:36:57 +0200, Frank Lin PIAT <fpiat@klabs.be> wrote:
> > On Sun, 2010-04-25 at 18:44 -0400, Jameson Graef Rollins wrote:
> > > * Package name    : xul-ext-monkeysphere
> > >   Version         : 0.1
> > 
> > The package description could mention that this is an
> > early/alpha/experimental release, to avoid deception (and encourage
> > feed-back)
> This extension definitely is in the early stages of development, but it
> is working for most cases now, and the developers are using it
> routinely.  I'm also not sure how we would indicate that it's "alpha" or
> "experimental" in the Package: or Version: fields of the control file,
> which I think is what you're implying.  Do you have a suggestion for
> that?

I have gathered some existing "excuses", but none seems to fit your
Based on what you told, upstream might want to number it 0.9 ;)
Still, let me give a try:
 "Although the program is still in development stage, It already
  have some useful features, and it is quite stable"

Feel free to adjust or rewrite it.

> > Wouldn't it be better to state that it's a replacement for X509
> > certificates? (there is probably an even better wording, but I can't
> > find it).
> Monkeysphere is not actually a replacement for X.509, at least not in
> the sense of using Monkeysphere *or* X.509.  The goal of Monkeysphere,
> broadly, is to expand the usage of OpenPGP for authentication on the
> net.  In the context of the web, the Monkeysphere xul extension can be
> used to validate sites that have put their host keys on the OpenPGP Web
> of Trust (WOT).  However, the extension actually currently relies upon
> sites providing an X.509 certificate through normal TLS channels.  We
> provide a fallback validation check using the WOT when the standard
> X.509 validation fails.  Our goal is not to disrupt standard X.509
> validation if the user wishes to continue to rely upon it, but to
> instead provide an alternative to standard X.509 validation that uses
> OpenPGP and the WOT.

ok we "just" have to figure out how to write that in 4 or 5 lines ;)

"Monkeysphere uses OpenPGP's « Web of Trust » to validate X509
 certificates that aren't signed by a known certificate authorities

We could also something like this:

"In regular public key infrastructure (PKI), X509 certificates
 are signed by a third party organisations, that are considered to 
 be trusted by both the webserver-admin and the web-browser vendor."

> I agree, though, that it is relevant to mention X.509 in the package
> description, at least in the sense of providing an alternative, but I
> feel like we're currently doing that with this bit:
> > > This extensions enables Monkeysphere checking of X.509 certificates
> > > from https hosts whose keys are in the web of trust.
> Does this not seem clear enough?  Or is there something else that we're
> missing in the description to make things clearer?
> > The long description should mention that this package contains an
> > Iceweasel extensions, maybe:
> >  "This package contains an Iceweasel/Firefox extensions to use
> >   Monkeysphere for checking of X.509 certificates from https hosts 
> >   whose keys are in the web of trust."
> Good point.  We'll fix that.

Again, just my 2 cents ;)


Reply to: