Subject: Re: adding gpg to src/gnu/dist
To: None <tech-security@NetBSD.org>
From: Love <lha@stacken.kth.se>
List: tech-security
Date: 05/18/2004 19:06:37
Marc Tooley <netbsdMLpostNO@SPAM.quake.ca> writes:
>> 3. pgp provides identity, not what the key is supposed to do. sure,
>> the signature is supposed to be just that, but pushing out policy from
>> the CA with certificates is quite useful.
>>
>> "all certs with code-signing oid are approved by netbsd
>> core/foundation/developers/whatever to be signer of binary pkgs,
>> you already trust netbsd ... by using our software"
>>
>> The question is, how do you intend to distribute policy ?
>
> If a security bulletin is signed by a key marked "System Distribution"
> then it clearly says, "This is signed by known key 0x12134, System
> Distribution Manager" I think users would notice.
My pkgsrc tree has N packages; should humans verify all text strings for
each of them?
It might not be a human at the end of the pkg_add program, it might be
another program (update-pkg.sh via cron). Thus the policy needs to be machine
parseable.
>> 4. How are certificates time limited, "Al is releng for a year now"
>
> GPG keys have a lifetime on them, you can expire them in X days no
> problem.
But not signatures of keys ? That is just fine for pgp, since pgp is signing
identities, not roles.
>> 5. Code quality should not be used as argument when comparing gpg and
>> openssl, neither of them is pretty inside.
>
> The implication was, earlier in the thread, that GPG has a "messier"
> user interface when I don't think that is true.
Yes, they are about equally bad.
> I've already said I have no code. In fact, I very specifically stated,
> "Just my opinion. No code flows from me so of course opinion it'll
> stay, but there it is." Nice term, that.. hand waving I mean. Thanks.
Thank you yourself, I got to know more about pgp that I missed when I read
the PGP RFC.
Love