<br><br><div class="gmail_quote">2010/7/26 Frank Karlitschek <span dir="ltr">&lt;<a href="mailto:karlitschek@kde.org">karlitschek@kde.org</a>&gt;</span><br><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
Hi Diego,<br>
<br>
that's a great idea. We can add a signature extension to the API as you suggested.<br>
Do you have a specification or a more detailed description of how this system should work?<br></blockquote><div> <br>This is my use-case for plasmoid authentication, but it will most likely be extended for any type of package, be it a theme, a wallpaper plugin or whatever else.<br>
Case #1: download scenario:<br>* The user opens the KHNS widget;<br>* the widget retrieves the package info, along with its signature field in an ascii-armored format (if any);<br>* the widget starts checking the signatures, displaying for each item the corresponding level of trust (good/bad/invalid sig etc.);<br>
* the user decides whether to download the package or not.<br><br>Case #2: upload scenario:<br>* the developer wants to upload his cool new package, and confirm the authenticity of his product;<br>* he signs the package with his private gpg key, and then opens the KHNS Upload dialog;<br>
* he selects the package and the signature to upload, and then sends them to the service provider.<br><br>As you can see, most of the work is being done on the client side. What I need is simply the possibility to have an extra field called "signature" used to send it along with the package, that's all :) Then, the client app will take care of authenticating it.<br>
What's your opinion about it? Does it make sense?<br><br>Cheers, <br><br>Diego.<br><br></div><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<br>
I can help you with a testserver as soon as we agree on the specification.<br>
<br>
<br>
Cheers<br>
Frank<br>
<div><div></div><div class="h5"><br>
<br>
<br>
<br>
On 26.07.2010, at 11:56, Diego Casella ([Po]lentino) wrote:<br>
<br>
> Hello guys,<br>
><br>
> as you should know, this summer I'm working on the authentication of downloaded plasmoids by verifying their signatures with the keys in the user keyring, and showing their "TrustLevel" in the Download Plasmoid dialog. However, to make it work correctly, I need the server to be extended in order to handle sending and receiving detached, ascii-armored signatures. Besides, talking with Frederik, he wants this feature more general and not restricted to plasmoids only, in order to give the user a level of trust about what he/she is going to download from the web. For these reasons, gpg signature support would be a great improvement to the existing api.<br>
> What do you think about it?<br>
> Regards,<br>
><br>
> Diego.<br>
><br>
> --<br>
> H: Who is Watson without Sherlock Holmes?<br>
> G: Watson was a genius in his own right.<br>
</div></div>
<font color="#888888"><br>
<br>
--<br>
Frank Karlitschek<br>
<a href="mailto:karlitschek@kde.org">karlitschek@kde.org</a><br>
<br>
<br>
<br>
<br>
</font></blockquote></div><br><br clear="all"><br>-- <br>H: Who is Watson without Sherlock Holmes?<br>G: Watson was a genius in his own right.<br>
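The client-side check from Case #1, as an added example that is not part of the original thread or of KHNS: it maps the status lines GnuPG writes with --status-fd while verifying a detached signature to a verdict the dialog could display. The verdict names and the sample status lines are constructed for illustration.

```python
# Added example: classify GnuPG --status-fd output for one detached signature.
# Verdict strings are illustrative; they are not KHNS or OCS API values.
SIG_STATES = {"GOODSIG": "good", "BADSIG": "bad", "ERRSIG": "invalid",
              "EXPSIG": "expired-signature", "EXPKEYSIG": "expired-key",
              "REVKEYSIG": "revoked-key"}
VALIDITY = {"TRUST_UNDEFINED": "undefined", "TRUST_NEVER": "never",
            "TRUST_MARGINAL": "marginal", "TRUST_FULLY": "full",
            "TRUST_ULTIMATE": "ultimate"}

def classify(status_text):
    """Return (verdict, key_validity, fingerprint); fail closed on ambiguity."""
    states, validity, fpr, no_key = [], None, None, False
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue  # ignore anything that is not a status line
        key, args = parts[1], parts[2:]
        if key in SIG_STATES:
            states.append(SIG_STATES[key])
        elif key in VALIDITY:
            validity = VALIDITY[key]
        elif key == "VALIDSIG" and args:
            fpr = args[0]  # full fingerprint of the signing key
        elif key == "NO_PUBKEY":
            no_key = True
    if len(states) != 1:
        return ("invalid", None, None)  # no result, or several conflicting ones
    if states[0] == "good":
        # A good signature only counts when VALIDSIG names the signing key.
        return ("good", validity or "undefined", fpr) if fpr else ("invalid", None, None)
    if states[0] == "invalid" and no_key:
        return ("unknown-key", None, None)  # signer is not in the user's keyring
    return (states[0], None, None)

# Constructed sample inputs (key id, fingerprint and user id are made up).
FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
GOOD = ("[GNUPG:] NEWSIG\n"
        "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Developer <dev@example.org>\n"
        "[GNUPG:] VALIDSIG " + FPR + " 2010-07-26 1280138160 0 4 0 1 2 00 " + FPR + "\n"
        "[GNUPG:] TRUST_MARGINAL 0 pgp\n")
BAD = "[GNUPG:] BADSIG 89ABCDEF01234567 Example Developer <dev@example.org>\n"
UNKNOWN = ("[GNUPG:] ERRSIG 89ABCDEF01234567 1 2 00 1280138160 9\n"
           "[GNUPG:] NO_PUBKEY 89ABCDEF01234567\n")

if __name__ == "__main__":
    for name, sample in (("good", GOOD), ("bad", BAD), ("unknown", UNKNOWN), ("empty", "")):
        print(name, classify(sample))
```

A valid signature and a trusted key are reported separately here, so a package signed by a key the user has never validated shows as "good" with validity "undefined" rather than as trusted.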