Subject: Re: adding gpg to src/gnu/dist
To: None <tech-security@netbsd.org, tech-userlevel@netbsd.org>
From: Thor Lancelot Simon <tls@rek.tjls.com>
List: tech-security
Date: 05/18/2004 14:35:27
On Tue, May 18, 2004 at 02:04:07PM -0400, Thor Lancelot Simon wrote:
>
> Right, to me this is why X.509 seems like the obvious way to go.
>
> Once you have installed the operating system for the first time, ideally
> the rest of the work should be done by programs, possibly even in the
> background without you explicitly invoking them for each update.  And
[...]
> What it might be entirely reasonable to use PGP/GPG for would be detached
> signatures of the initial OS install media.  This is where you'd get the
> NetBSD CA certificate; it is your introduction to the hierarchy of trust
> that controls the rest of your use of the system (signed or not, you're
> trusting us as soon as you install our software; you can't really avoid
> that).  So it might be nice to let others provide PGP signatures to assure
> you that, in fact, the CA certificate and executables you're about to
> bootstrap yourself with are, indeed, from the people you think they're
> from.  I would support that alongside use of X.509 signatures for update
> and package installation within the OS.

I'm sorry, I guess I wasn't very clear.  One thing I was trying to get at
is that in the "initial fetch and install of OS" case, a human *must*
be involved; a human is available to make decisions, to interpret text
like "RELEASE SIGNING KEY" in the name of a PGP key; to adjust trust
levels; to look for additional signatures; and so forth.  This is one of
the reasons, it seems to me (along with the fact that we could easily
arrange to do it), that providing GPG signatures of release images would
be a reasonable thing to do.

On the other hand, once you've got the OS up and running, for the reasons
I gave earlier in my previous message, I think that X.509 is clearly the
way to go.

Thor