Subject: Re: adding gpg to src/gnu/dist
To: None <tech-security@NetBSD.org>
From: Love <firstname.lastname@example.org>
Date: 05/17/2004 20:13:52
Marc Tooley <netbsdMLpostNO@SPAM.quake.ca> writes:
> Am I missing something here? Is this a political decision and I'm just
> mistaking it for a technical one?
I tried to make you (and other pgp people) answer some question I have
I'll try asking them again.
1. How does you solve the problem searching from the trust anchor too the
signer ? Basicly, why should the user be required to fetch key from the
keyserver, and if the user needs to fetch key from the keyserver, how is
the user going to find the keys to fetch to verify a signature ?
2. How do you rewoke a certifiate, ie revoke what you do in gpg speak:
"gpg --edit-key 0xHH\nsign\n...."
3. pgp provides identity, not what the key is supposed to do. sure, the
sigature is supposed be just that, but pushing out policy from the CA
with certifiates are quite useful.
"all certs with code-signing oid is approved by netbsd
core/foundation/developers/whatever to be signer of binary pkgs, you
already trust netbsd ... by using our software"
The question is, how do you intent to distribute policy ?
4. How is certifiates time limited, "Al is releng for a year now"
5. Code quality should not be used as argument when comparing gpg and
openssl, neither of them is pretty inside.
6. I have the code written, including code for policy, where is yours ?
You can handwave as much as you want, but unless there is working code,
its all handwaving, and I don't thin handwaving should stop us from
getting signed packages.
7. If you like pgp so much, why don't you use it to sign your mails ?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (NetBSD)
-----END PGP SIGNATURE-----