"authentication"

How do you know that packages left on common-lisp.net and signed with my
key are really signed by me when you install them on your system?

A slightly edited discussion on #lisp:

  <emarsden> it might be worth having common-lisp.net be a certificate
  authority, that issues X509 certificates for the software that it
  hosts (and other trusted sources). Pyramid of trust rather than web,
  easier to get into for newcomers

  <kire> emarsden: sounds like a fine idea.

  <dan`b> well, the question for cl.net is "by signing this key, what
  are we saying about its owner, or the software he uploads?"

  <kire> my respons would be: we say nothing except that we believe this
  key belongs to the publisher of that piece of software

  <dan`b> not that I'm altogether convinced by the debian approach
  either of signing when you have some mestspace proof that the person
  is who they say they are

  <dan`b> because usually it's the net.persona that you're interested in

  <emarsden> you're saying "this tarball has been signed by someone
  who's known to cl.net"

  <emarsden> which avoids the "someone modified cliki.net to point to a
  nasty tarball" problem

Re: Please upload your public GPG key to common-lisp.net

Kevin Rosenberg <kevin <at> rosenberg.net> writes:

> Did I understand correctly that you'll be signing public keys that are
> used are the common-lisp.net server?

Yes.

> If so, are you planning on signing them with your personal key or an
> administrative, common-lisp.net key?

Good question.  What say you others?  I think it sounds like a good idea
to have an administrative common-lisp.net key.

Erik.

Re: "authentication"

On Wed, Nov 05, 2003 at 01:34:44PM -0500, Erik Enge wrote:

>   <dan`b> kire: the interesting question to the end-user is "did this
>   package come from someone with a cl.net account"

Right on the mark.

>   <dan`b> so, for the cl.net application procedure, you ask people to
>   send you signed mail to apply
> 
>   <dan`b> and you send the inital username/password etc details
>   encrypted to that same key
> 
>   <dan`b> then you know that the cl.net user is the owner of the gpg
>   key, and you can sign the key in question

Minimal complication to procedure, fair inscrease in security. Good
trade. ;)

> What do you guys think?  Personally, I'm all for it.

So am I.

Cheers,

 -- Nikodemus

_______________________________________________
clo-devel mailing list

Re: 'authentication'

Erik Enge <erik <at> nittin.net> writes:
>
> How do you know that packages left on common-lisp.net and signed with my
> key are really signed by me when you install them on your system?
[snip]
> What do you guys think?  Personally, I'm all for it.

Sounds good. I have to admit that my knowledge of these things is rather
poor.

Regards,
        Mario.

Re: Re: Please upload your public GPG key to common-lisp.net

Erik Enge <erik <at> nittin.net> writes:

> Good question.  What say you others?  I think it sounds like a good
> idea to have an administrative common-lisp.net key.

Noone has disagreed with this so I'm going to assume they agree.  What
would be appropriate for this key with regards to real name and email
address?  "Common-Lisp.net Administrative Key" and
"admin <at> common-lisp.net" perhaps?

Erik.

Re: Re: Please upload your public GPG key to common-lisp.net

Erik Enge wrote:
> Noone has disagreed with this so I'm going to assume they agree.  What
> would be appropriate for this key with regards to real name and email
> address?  "Common-Lisp.net Administrative Key" and
> "admin <at> common-lisp.net" perhaps?

I'd recommmend keymaster <at> cl.net and have a web page which describes
the criteria for a key to be signed by the keymaster key. (I'd reserve
you signing keys with your personal key for those owners with whom you
meet in person and look at their photo id.

Alternately, you can do like Debian and create a keyring file which
contains the public key which cl.net trusts and publish that file so
that downloaders of cl.net files can verify the signature of that file
against the keys that are in the trusted keyring file. Then, there is
no need for cl.net to sign any keys.

--

-- 
Kevin Rosenberg
kevin <at> rosenberg.net

_______________________________________________
clo-devel mailing list
clo-devel <at> common-lisp.net
http://common-lisp.net/mailman/listinfo/clo-devel

Re: Re: Please upload your public GPG key to common-lisp.net

On Thu, Nov 06, 2003 at 08:09:46AM -0500, Erik Enge wrote:

> Noone has disagreed with this so I'm going to assume they agree.  What
> would be appropriate for this key with regards to real name and email
> address?  "Common-Lisp.net Administrative Key" and
> "admin <at> common-lisp.net" perhaps?

Maybe just "Common-lisp.net" as name? admin sound good for email.

Cheers,

 -- Nikodemus

_______________________________________________
clo-devel mailing list
clo-devel <at> common-lisp.net
http://common-lisp.net/mailman/listinfo/clo-devel

Re: Re: Please upload your public GPG key to common-lisp.net

On Thu, Nov 06, 2003 at 08:49:05AM -0700, Kevin Rosenberg wrote:

> I'd recommmend keymaster <at> cl.net and have a web page which describes
> the criteria for a key to be signed by the keymaster key. (I'd reserve
> you signing keys with your personal key for those owners with whom you
> meet in person and look at their photo id.

Ok. This makes more sense then admin as recipient. ;)

> Alternately, you can do like Debian and create a keyring file which
> contains the public key which cl.net trusts and publish that file so
> that downloaders of cl.net files can verify the signature of that file
> against the keys that are in the trusted keyring file. Then, there is
> no need for cl.net to sign any keys.

I think the signing can be better for now at least: it creates more
crypto-awareness in the community, and helps in kickstarting a web of
trust. Or so I hope.

Cheers,

 -- Nikodemus

_______________________________________________
clo-devel mailing list
clo-devel <at> common-lisp.net
http://common-lisp.net/mailman/listinfo/clo-devel

Re: Re: Please upload your public GPG key to common-lisp.net

Nikodemus Siivola wrote:
> I think the signing can be better for now at least: it creates more
> crypto-awareness in the community, and helps in kickstarting a web of
> trust. Or so I hope.

While I agree that key signing gives people more direct practice of
using GPG, I believe that a web of trust is more valuable when
stricter identity verification is required for key signing.

--

-- 
Kevin Rosenberg
kevin <at> rosenberg.net

_______________________________________________
clo-devel mailing list
clo-devel <at> common-lisp.net
http://common-lisp.net/mailman/listinfo/clo-devel

[lists] Re: Please upload your public GPG key to common-lisp.net

Erik Enge writes:
 > Kevin Rosenberg <kevin <at> rosenberg.net> writes:
 > 
 > > Did I understand correctly that you'll be signing public keys that are
 > > used are the common-lisp.net server?
 > 
 > Yes.
 > 
 > > If so, are you planning on signing them with your personal key or an
 > > administrative, common-lisp.net key?
 > 
 > Good question.  What say you others?  I think it sounds like a good idea
 > to have an administrative common-lisp.net key.

That sounds like the best bet, using your personal key may lead to
some confusion. Maybe make a special address like
keyring <at> common-lisp.net to sign keys with. 

I don't know if you've considered an easy way for the general public
to get our keys (is that necessary ?). Should we set up some interface
so our keys can be accessed through an HTTP interface ?

--

-- 
(incf *yankees-world-series-losses*)