tech-pkg archive


Re: officially signed packages



On Mon, Apr 07, 2014 at 01:36:10PM +0200, Jan Danielsson wrote:
>    I used to (very) strongly prefer PGP over X.509, nowadays I see them
> as being equally useful, but in different situations.  In the case of
> signing packages, X.509 PKI is well-suited because TNF is a perfect type
> of entity to be a CA.  That being said, the X.509 tools out there are
> user-hostile, counter-intuitive, ugly, annoying, and down-right bad[*].
>  So while conceptually I'm all for TNF becoming a CA, the lack of
> non-user-hostile tools makes me feel that the PGP route is better in the
> end.  ..as long as we have netpgp(verify).

While I mostly agree about the hostility of tools like openssl(1), I
don't think it applies overly much in this context. The use model I had
in mind when creating the x509 support was:

(1) The person responsible for a bulk build creates a CA
certificate.

(2) An intermediate key with a short valid time (3 months?) is used to
sign the packages.

(3) The CA certificate is published in the same location as the packages.
Either a signature from a TNF "master" certificate or a PGP/GPG signature is
used to anchor the trust.

For the user this means doing the trust verification once -- either for
the TNF "master" CA or the bulk builder certificate. This can happen
using the normal PGP/GPG tools, netpgpverify or whatever. Afterwards,
she doesn't have to care about the mechanism used.

For the bulk builder this means (a) setting up the personal CA (b)
creating the signing key on a regular basis. You can find a script for
doing that with two calls. Look at pkgsrc/pkg_install/files/x509. Might
need some more polishing, but I don't think there is much complexity
involved.

Joerg
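The three steps above, worked through with plain openssl(1) as an added
example. This is not the pkgsrc/pkg_install x509 script Joerg points to;
it only assumes an openssl binary on the PATH. The certificate subjects,
file names, the 90-day signer lifetime (the "3 months" from the mail) and
the dummy "package" are all constructed for the demo. Besides the happy
path it shows the two checks a user relies on: a tampered file is rejected
against an unchanged signature, and the short-lived signer chain stops
verifying once its 90 days are over (evaluated with openssl verify
-attime rather than by waiting).

```shell
#!/bin/sh
# Added example, not the pkgsrc/pkg_install x509 script: the three steps from
# the mail done with plain openssl(1) in a scratch directory. File names,
# subjects and the dummy "package" are constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extensions: the CA must say CA:TRUE/keyCertSign or openssl refuses to chain
# through it; the signing cert is explicitly a non-CA, signature-only key.
cat > ext.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ signer_ext ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
EOF

# (1) The bulk builder's personal CA: long-lived, kept off the build host.
setup_ca() {
    openssl req -x509 -config ext.cnf -extensions ca_ext \
        -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
        -subj "/CN=Example bulk builder CA" -days 3650 2>/dev/null
}

# (2) A fresh signing key every quarter: 90-day certificate issued by the CA.
issue_signing_cert() {
    openssl req -new -config ext.cnf -newkey rsa:2048 -nodes \
        -keyout signer.key -out signer.csr \
        -subj "/CN=Example bulk builder signer $(date +%Y-%m)" 2>/dev/null
    openssl x509 -req -in signer.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -extfile ext.cnf -extensions signer_ext -days 90 -out signer.crt 2>/dev/null
}

# Detached PKCS#7 signature over the package; the signer certificate is
# embedded in it, so the user only ever needs the CA certificate.
sign_package() {  # $1 = package file, writes $1.sig
    openssl smime -sign -binary -in "$1" -signer signer.crt -inkey signer.key \
        -outform PEM -out "$1.sig"
}

# (3) User side: one trust anchor, chain and content checked in one call.
verify_package() {  # $1 = package file, $2 = trusted CA certificate
    openssl smime -verify -binary -inform PEM -in "$1.sig" -content "$1" \
        -CAfile "$2" -out /dev/null 2>/dev/null
}

# The short lifetime only helps because verification checks dates: evaluate
# the signer's chain at an arbitrary Unix time.
signer_valid_at() {  # $1 = seconds since the epoch
    openssl verify -CAfile ca.crt -attime "$1" signer.crt >/dev/null 2>&1
}

setup_ca
issue_signing_cert
printf 'constructed dummy package contents\n' > demo-1.0.tgz
sign_package demo-1.0.tgz
verify_package demo-1.0.tgz ca.crt && echo "demo-1.0.tgz: good signature"

# Same signature file, different bytes: must be rejected.
printf 'constructed tampered package contents\n' > evil-1.0.tgz
cp demo-1.0.tgz.sig evil-1.0.tgz.sig
if verify_package evil-1.0.tgz ca.crt; then
    echo "evil-1.0.tgz: accepted (this must not happen)"
else
    echo "evil-1.0.tgz: rejected"
fi

# The 90-day signer is valid today but not 100 days from now.
NOW=$(date +%s)
signer_valid_at "$NOW" && echo "signer chain: valid now"
if signer_valid_at "$((NOW + 100 * 86400))"; then
    echo "signer chain: still valid in 100 days (unexpected)"
else
    echo "signer chain: expired in 100 days, as intended"
fi
```

The user-side step is the point of the model: ca.crt is the only thing
she has to verify out of band (by PGP/GPG signature, netpgpverify, or a
TNF "master" certificate), after which each package check is one command
and the quarterly key rotation is invisible to her. The builder-side part
is the two calls setup_ca and issue_signing_cert, the second of which is
the one to rerun every quarter.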

