On Apr 7, 2014, at 14:38 , Joerg Sonnenberger <joerg%britannica.bec.de@localhost> wrote:

> On Mon, Apr 07, 2014 at 01:36:10PM +0200, Jan Danielsson wrote:
>> I used to (very) strongly prefer PGP over X.509, nowadays I see them
>> as being equally useful, but in different situations. In the case of
>> signing packages, X.509 PKI is well-suited because TNF is a perfect type
>> of entity to be a CA. That being said, the X.509 tools out there are
>> user-hostile, counter-intuitive, ugly, annoying, and down-right bad[*].
>> So while conceptually I'm all for TNF becoming a CA, the lack of
>> non-user-hostile tools makes me feel that the PGP route is better in the
>> end. ..as long as we have netpgp(verify).
>
> While I mostly agree about the hostility of tools like openssl(1), I
> don't think it applies overly much in this context. The use model I had
> in mind when creating the x509 support was:
>
> (1) The person responsible for a bulk build creates a CA
> certificate.
>
> (2) An intermediate key with a short valid time (3 month?) is used to
> sign the packages.

Why that short time? Perhaps I want/need to install packages from the
previous pkgsrc release, and then the signatures aren't valid anymore...
Wouldn't it be safer to have at least 6 months' validity, as the quarterly
builds tend to stay online longer than 3 months sharp. (And once those are
gone, it doesn't matter if the signature is valid a few more days... the
other way around will cause more confusion/irritation if packages are
online, but won't install because of non-valid signatures...)

btw. what happens if I try to install a package with a non-valid
signature? Will I be refused? Will I be prompted that the signature has
expired or is invalid, but could override & continue anyway?

> (3) The CA certificate is published in the same location as the packages.
> Either a signature from a TNF "master" certificate or a PGP/GPG signature is
> used to anchor the trust.
>
> For the user this means doing the trust verification once -- either for
> the TNF "master" CA or the bulk builder certificate. This can happen
> using the normal PGP/GPG tools, netpgpverify or whatever. Afterwards,
> she doesn't have to care about the mechanism used.

Sounds good.

> For the bulk builder this means (a) setting up the personal CA (b)
> creating the signing key on a regular base. You can find a script for
> doing that with two calls. Look at pkgsrc/pkg_install/files/x509. Might
> need some more polishing, but I don't think there is much complexity
> involved.
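The model quoted above (bulk-builder CA, short-lived signing certificate, detached signature per package, verification against the published CA certificate once trust in it has been anchored), as an added shell example using openssl(1). This is not the pkgsrc/pkg_install/files/x509 script and not code from anyone on this thread; the subject names, the file names under $WORK, the 90-day validity and the package file are constructed assumptions. The verify function takes an optional verification time so the expiry question raised in the reply can be checked directly: a package signed under a 90-day certificate stops verifying once that certificate has expired, even though the package itself is unchanged.

```shell
#!/bin/sh
# Added example (not the pkgsrc x509 script): bulk-build CA, short-lived
# signing certificate, detached package signature, and verification.
# All names, paths and validity periods below are constructed assumptions.
set -e

WORK="${WORK:-$(mktemp -d)}"

# (1) The bulk builder's own CA: a self-signed certificate with long validity.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Example bulk build CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# (2) The intermediate signing key, issued by the CA for $1 days only.
make_signing_cert() {
    days="$1"
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=Example package signing key" \
        -keyout "$WORK/sign.key" -out "$WORK/sign.csr" >/dev/null 2>&1
    openssl x509 -req -sha256 -days "$days" -in "$WORK/sign.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/sign.crt" >/dev/null 2>&1
}

# Expiry of the signing certificate, as openssl prints it ("notAfter=...").
# This is the date that decides how long the signatures keep verifying.
signing_cert_expiry() {
    openssl x509 -in "$WORK/sign.crt" -noout -enddate
}

# Detached SHA-256/RSA signature over the package file $1, written to $1.sig.
sign_package() {
    openssl dgst -sha256 -sign "$WORK/sign.key" -out "$1.sig" "$1"
}

# (3)/(4) Verify package $1 at time $2 (epoch seconds, default: now).
# Returns 0 only if (a) the signing certificate chains to the published CA
# certificate and is within its validity period at that time, and (b) the
# detached signature matches the file. Trust in ca.crt is assumed to have
# been anchored once already (e.g. via a PGP signature over it).
verify_package() {
    file="$1"
    at="${2:-$(date +%s)}"
    # Inspect the output rather than the exit status: older openssl verify
    # releases exited 0 even when verification failed.
    out=$(openssl verify -attime "$at" -CAfile "$WORK/ca.crt" "$WORK/sign.crt" 2>&1) || true
    case "$out" in
        *": OK"*) ;;
        *) echo "certificate check failed: $out" >&2; return 1 ;;
    esac
    openssl x509 -in "$WORK/sign.crt" -pubkey -noout > "$WORK/sign.pub" 2>/dev/null || return 1
    openssl dgst -sha256 -verify "$WORK/sign.pub" -signature "$file.sig" "$file" >/dev/null 2>&1 || return 1
}

# Walk through the whole model once when run as `sh thisfile.sh demo`.
demo() {
    make_ca
    make_signing_cert 90
    printf 'constructed package contents\n' > "$WORK/example-1.0.tgz"
    sign_package "$WORK/example-1.0.tgz"
    echo "signing cert: $(signing_cert_expiry)"
    verify_package "$WORK/example-1.0.tgz" && echo "today: verified"
    later=$(( $(date +%s) + 120 * 86400 ))
    verify_package "$WORK/example-1.0.tgz" "$later" 2>/dev/null \
        || echo "120 days later: rejected (signing cert expired, package unchanged)"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

The `-attime` option of `openssl verify` needs OpenSSL 1.0.2 or later; the output check works around the exit-status behaviour of older releases. Lengthening the signing certificate's validity (the 6-month suggestion in the reply) only moves the date returned by `signing_cert_expiry`; the verification logic is unchanged, which is why the trade-off is purely between how long old package sets stay installable and how long a leaked signing key stays usable.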
Attachment:
signature.asc
Description: Message signed with OpenPGP using GPGMail