
Re: .deb package signing PKI



Bruce Perens writes (".deb package signing PKI"):
> I found Ian's proposal on package signing interesting reading.
> I discussed it briefly with Rodney Thayer, one of the co-authors of
> the IPsec standards, primary author of the OpenPGP message format, and
> CEO/CTO of Known Safe, a company that Linux Capital Group is invested in.

Surely Rodney Thayer is not `primary author of the OpenPGP message
format', Phil Zimmermann is, because OpenPGP is based around the PGP2
message format.

> Debian's package-signing is important to us, because Known Safe will
> be operating a certification authority and we want to support Debian
> systems and Debian developers. You may remember that Thawte said they
> wanted to do this years ago but never got it together to do so.

I think there is muddy thinking here.  What does our package security
infrastructure have to do with `supporting Debian systems and ...
developers' ?  We want to try to avoid piggy-backing our package
security on a traditional global identity-based PKI.  (Even supposing
we think traditional global identity-based PKIs are a good thing.)

> In our short discussion, Rodney's main point was that nobody is using
> SPKI/SDSI - it was a good idea, but it never caught on. It should be
> possible for commercial CAs to support Debian's developer signatures and
> its PKI hierarchy. This is an argument for you to use x.509 because
> that's what they are all using. Perhaps, however, you find x.509
> difficult to parse or too cumbersome to implement, or you don't like the
> licensing on existing free x.509 implementations. As an alternative,
> there's OpenPGP, and its implementation in GnuPG. Known Safe will be
> supporting PGP in its CA, in parallel with its x.509 operation - that
> means we plan to issue a PGP certificate with every x.509 certificate.

Debian needs its own `closed user group' model for package signing, so
it needs its own PKI with its own roots &c.  I'm not sure how bringing
a commercial CA in at that point helps.

WRT the technical standards to be used, we've never done our core
stuff badly just because everyone else did.  X.509 is absolutely
dreadful and we should steer well clear of it wherever possible.  PGP,
while being an OK message format, doesn't have the policy expression
features we need.  We can control the software at both ends of the
transaction, so there's no need to worry overly much about standards -
in particular, you can't sensibly create a .deb without our tools
anyway, so there's no harm having to sign it with our tools too.

What we'd like is a standard with the features we want in an
implementation we can use, and SPKI/SDSI meets that, I think.

Ian.