Subject: Re: adding gpg to src/gnu/dist
To: None <tech-security@NetBSD.org>
From: Love <lha@stacken.kth.se>
List: tech-userlevel
Date: 05/18/2004 19:06:37
Marc Tooley <netbsdMLpostNO@SPAM.quake.ca> writes:

>> 3. pgp provides identity, not what the key is supposed to do. Sure,
>> the signature is supposed to be just that, but pushing out policy from
>> the CA with certificates is quite useful.
>>
>>    "all certs with the code-signing OID are approved by netbsd
>>    core/foundation/developers/whatever to be signers of binary pkgs;
>>    you already trust netbsd ... by using our software"
>>
>>    The question is, how do you intend to distribute policy?
>
> If a security bulletin is signed by a key marked "System Distribution" 
> then it clearly says, "This is signed by known key 0x12134, System 
> Distribution Manager" I think users would notice.

My pkgsrc tree has N packages; should humans verify all text strings for
each of them?

It might not be a human at the end of the pkg_add program, it might be
another program (update-pkg.sh via cron). Thus the policy needs to be machine
parseable.

>> 4. How are certificates time limited? "Al is releng for a year now"
>
> GPG keys have a lifetime on them, you can expire them in X days no 
> problem.

But not signatures of keys? That is just fine for pgp, since pgp is signing
identities, not roles.

>> 5. Code quality should not be used as argument when comparing gpg and
>>    openssl, neither of them is pretty inside.
>
> The implication was, earlier in the thread, that GPG has a "messier" 
> user interface when I don't think that is true.

Yes, they are about equally bad.

> I've already said I have no code. In fact, I very specifically stated, 
> "Just my opinion. No code flows from me so of course opinion it'll 
> stay, but there it is." Nice term, that..  hand waving I mean. Thanks.

Thank you yourself, I got to know more about pgp that I missed when I read
the PGP RFC.

Love
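The two points Love makes above, that a package-install program rather than a human will be the consumer of the policy and that a role (not just an identity) should expire, can be shown with a certificate carrying the code-signing extended key usage. The script below is an added example and is not code from the thread or from NetBSD; the CA name, the "releng" subject, the file names and the one-year lifetime are all constructed for the demo, and it assumes an `openssl` command line (1.1.1 or later) is installed.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. A hypothetical project CA
# issues a short-lived certificate whose policy (codeSigning EKU) is encoded in
# the certificate itself, so a cron-driven pkg_add wrapper can decide
# mechanically whether a signer is authorised. All names are constructed.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# The CA plays the "netbsd core/foundation" role from the thread.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
  -out "$WORK/ca.crt" -subj "/CN=Example Project CA" -days 3650 2>/dev/null

# One CSR for the hypothetical "releng" person; it will be signed twice.
openssl req -newkey rsa:2048 -nodes -keyout "$WORK/releng.key" \
  -out "$WORK/releng.csr" -subj "/CN=releng" 2>/dev/null

# Leaf cert 1: the code-signing role, valid for 365 days. The role expires
# even though the person's identity (and their pgp key) does not.
printf 'extendedKeyUsage=codeSigning\nbasicConstraints=CA:FALSE\n' > "$WORK/sign.cnf"
openssl x509 -req -in "$WORK/releng.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 365 -extfile "$WORK/sign.cnf" -out "$WORK/releng.crt" 2>/dev/null

# Leaf cert 2: same person, same CA, but only an e-mail role. It must be
# rejected as a package signer even though the identity is fully trusted.
printf 'extendedKeyUsage=emailProtection\nbasicConstraints=CA:FALSE\n' > "$WORK/mail.cnf"
openssl x509 -req -in "$WORK/releng.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 365 -extfile "$WORK/mail.cnf" -out "$WORK/mail.crt" 2>/dev/null

# may_sign_packages CERT CAFILE
# Returns 0 only if CERT chains to CAFILE, is inside its validity period, and
# carries the Code Signing extended key usage. No human reads any strings.
may_sign_packages() {
  cert=$1
  cafile=$2
  openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1 || return 1
  openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 || return 1
  openssl x509 -in "$cert" -noout -text 2>/dev/null \
    | grep -A1 'Extended Key Usage' | grep -q 'Code Signing'
}

# Stand-alone demonstration of the decision an update script would make.
for c in releng mail; do
  if may_sign_packages "$WORK/$c.crt" "$WORK/ca.crt"; then
    echo "$c.crt: approved as package signer"
  else
    echo "$c.crt: rejected as package signer"
  fi
done
```

The three checks in `may_sign_packages` are the machine-parseable policy the thread asks for: chain validity (who vouches for the key), `-checkend` (the role's time limit, which a pgp key signature does not carry) and the extended key usage (what the key is for, not merely who holds it).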

