
Re: Developer repositories for Debian



Russ Allbery <rra@debian.org> writes:

> Raphael Hertzog <hertzog@debian.org> writes:
>> On Mon, 06 May 2013, Joerg Jaspert wrote:
>
>>> Nah, the webinterface just should end up like the DAM webinterface: You
>>> do whatever you need, then click a button - and voila, there is
>>> everything ready to copy/paste into a MUA. Send with sig, done.
>
>> Why? This is just a band-aid and not what I would call a web interface.
>> And except laziness I don't see a good reason for that. Web interfaces
>> can be secure (and with an audit trail in case of breach). After all we
>> can manage our Debian passwords over a web interface...
>
> That level of security isn't great, though.  GPG keys are much more secure
> than that password.  What we would want for equivalent security in a web
> interface is personal X.509 certificates.
>

WebID [0] could be useful in this respect. It includes the use of SSL
certs for authentication, in addition to other benefits (see some
discussion in the thread at [1]).

> I think it would be interesting to have that infrastructure in place, but
> someone would need to build it (probably with some mechanism to bootstrap
> GPG keys into X.509 certificates -- and be careful of expiration times and
> figure out a good way to deal with revocation).
>

I'm not so sure how GPG integrates in the WebID landscape, but it seems
to me that WebID, based on Linked Data principles, has some similarity
with Web of Trust concepts well known in the GPG system.

Just my 2 cents,

[0] http://webid.info/
[1] http://lists.debian.org/debian-project/2013/02/msg00048.html
-- 
Olivier BERGER 
http://www-public.telecom-sudparis.eu/~berger_o/ - OpenPGP-Id: 2048R/5819D7E8
Ingenieur Recherche - Dept INF
Institut Mines-Telecom, Telecom SudParis, Evry (France)

