.deb package signing PKI



I found Ian's proposal on package signing interesting reading.
I discussed it briefly with Rodney Thayer, one of the co-authors of
the IPsec standards, primary author of the OpenPGP message format, and
CEO/CTO of Known Safe, a company that Linux Capital Group is invested in.

Debian's package-signing is important to us, because Known Safe will
be operating a certification authority and we want to support Debian
systems and Debian developers. You may remember that Thawte said they
wanted to do this years ago but never got it together to do so.

In our short discussion, Rodney's main point was that nobody is using
SPKI/SDSI - it was a good idea, but it never caught on. It should be
possible for commercial CAs to support Debian's developer signatures and
its PKI hierarchy. This is an argument for you to use x.509 because
that's what they are all using. Perhaps, however, you find x.509
difficult to parse or too cumbersome to implement, or you don't like the
licensing on existing free x.509 implementations. As an alternative,
there's OpenPGP, and its implementation in GnuPG. Known Safe will be
supporting PGP in its CA, in parallel with its x.509 operation - that
means we plan to issue a PGP certificate with every x.509 certificate.

	Thanks

	Bruce

