Subject: Re: adding gpg to src/gnu/dist
To: None <tech-security@NetBSD.org>
From: Love <lha@stacken.kth.se>
List: tech-security
Date: 05/17/2004 20:13:52

Marc Tooley <netbsdMLpostNO@SPAM.quake.ca> writes:

> Am I missing something here? Is this a political decision and I'm just 
> mistaking it for a technical one?

I tried to make you (and other pgp people) answer some questions I have
about pgp.

Message-ID: <amekpndyej.fsf@nutcracker.stacken.kth.se>
Message-ID: <amvfiyje74.fsf@nutcracker.stacken.kth.se>

I'll try asking them again.

1. How do you solve the problem of searching from the trust anchor to the
   signer? Basically, why should the user be required to fetch keys from the
   keyserver, and if the user needs to fetch keys from the keyserver, how is
   the user going to find the keys to fetch to verify a signature?

2. How do you revoke a certificate, i.e. revoke what you do in gpg speak:
   "gpg --edit-key 0xHH\nsign\n...."

3. pgp provides identity, not what the key is supposed to do. Sure, the
   signature is supposed to be just that, but pushing out policy from the CA
   with certificates is quite useful.

   "all certs with a code-signing OID are approved by NetBSD
   core/foundation/developers/whatever to be signers of binary pkgs; you
   already trust NetBSD ... by using our software"

   The question is, how do you intend to distribute policy?

4. How are certificates time limited, "Al is releng for a year now"

5. Code quality should not be used as an argument when comparing gpg and
   openssl; neither of them is pretty inside.

6. I have the code written, including code for policy; where is yours?
   You can handwave as much as you want, but unless there is working code,
   it's all handwaving, and I don't think handwaving should stop us from
   getting signed packages.

7. If you like pgp so much, why don't you use it to sign your mails ?

Love
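As an added example (not code from this thread), the X.509 side of points 3 and 4 above: a constructed packages CA issues a one-year code-signing certificate to a constructed signer "Al", and the verifier then checks the chain, the code-signing policy OID and the validity window with nothing but the CA certificate it already holds. It assumes OpenSSL 1.1.1 or later is installed; every name and file path in it is made up for the example.

```shell
#!/bin/sh
# Added example, not from the thread: how an X.509 certificate carries the
# signing policy (point 3) and the time limit (point 4) the mail asks about.
# Assumes OpenSSL 1.1.1 or later; the CA, "Al" and the file names are constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Trust anchor: a constructed packages CA, the only thing the OS has to ship.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
  -subj "/CN=Example Packages CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# Policy is pushed out by the CA: extendedKeyUsage=codeSigning is the
# id-kp-codeSigning OID (1.3.6.1.5.5.7.3.3), stamped into the signer's cert.
cat > "$WORK/ext.cnf" <<'EOF'
basicConstraints=CA:FALSE
keyUsage=digitalSignature
extendedKeyUsage=codeSigning
EOF

# The signer "Al is releng for a year": the CA limits the cert to 365 days.
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Al (releng)" \
  -keyout "$WORK/al.key" -out "$WORK/al.csr" 2>/dev/null
openssl x509 -req -in "$WORK/al.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 365 -sha256 -extfile "$WORK/ext.cnf" \
  -out "$WORK/al.crt" 2>/dev/null

# Path from trust anchor to signer: the verifier never searches a keyserver;
# the chain is checked against the CA certificate it already has.
verify_chain() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/al.crt" >/dev/null 2>&1
}

# Policy check: refuse any signer whose certificate lacks the code-signing OID.
has_codesigning_policy() {
  openssl x509 -in "$WORK/al.crt" -noout -text | grep -q 'Code Signing'
}

# Time-limit check: succeeds only if the cert is still valid $1 days from now.
valid_in_days() {
  openssl x509 -in "$WORK/al.crt" -noout -checkend $(( $1 * 86400 )) >/dev/null
}

verify_chain && echo "chain: Example Packages CA -> Al (releng) verifies"
has_codesigning_policy && echo "policy: certificate carries codeSigning"
valid_in_days 1 && echo "validity: still good tomorrow"
valid_in_days 800 || echo "validity: gone in two years, as the CA intended"
```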

