Re: .deb package signing PKI



From: Ian Jackson <ian@davenant.greenend.org.uk>
> Surely Rodney Thayer is not `primary author of the OpenPGP message
> format', Phil Zimmermann is, because OpenPGP is based around the PGP2
> message format.

Sorry. I think he was the IETF chair for the standard and wrote most of the
standard text. The standard is, however, directly derived from Phil's software.
Phil is friends with various Known Safe folks and we wouldn't want to steal his
credit.

> I think there is muddy thinking here.  What does our package security
> infrastructure have to do with `supporting Debian systems and ...
> developers' ?  We want to try to avoid piggy-backing our package
> security on a traditional global identity-based PKI.  (Even supposing
> we think traditional global identity-based PKI's are a good thing.)

OK, I will explain in more detail what we want to do, and please tell me if
it's possible.

First, we want to do personal-appearance-based public key certification
of Debian developers as a charity service. We have a network of trained
professionals across North America (and eventually elsewhere) who will
scrutinize people's personal identification, then we will perform other
checks and then issue them an x.509 digital certificate and sign their PGP
public key.

We will be operating a data-center that will pass the SAS-70 audit, and
can provide Debian with access to a secure hardware signing-key store in
this data center. This can, for example, be used for code-signing, but we're
not entirely sure that it will work for anything but x.509 right away and
SPKI/SDSI might be at the bottom of our priorities because you could be the
only customer.

> WRT the technical standards to be used, we've never done our core
> stuff badly just because everyone else did.  X.509 is absolutely
> dreadful and we should steer well clear of it wherever possible.  PGP,
> while being an OK message format, doesn't have the policy expression
> features we need.  We can control the software at both ends of the
> transaction, so there's no need to worry overly much about standards -
> in particular, you can't sensibly create a .deb without our tools
> anyway, so there's no harm having to sign it with our tools too.

We don't like x.509 from an esthetic standpoint either, but we're determined
to provide good services for it since there's high demand. I can understand
the esthetic decision, but you should consider carefully whether or not it
distances Debian from the rest of the world once again for reasons that are
only important to a few people, and of insufficient importance.

	Thanks

	Bruce
