[Open-collaboration-services] Fwd: Open-collaboration-services Digest, Vol 1, Issue 6

Frank Karlitschek karlitschek at kde.org
Wed Aug 4 17:02:26 CEST 2010


On 31.07.2010, at 11:25, Diego Casella ([Po]lentino) wrote:

> 
> 
> ---------- Forwarded message ----------
> From: Diego Casella ([Po]lentino) <polentino911 at gmail.com>
> Date: 2010/7/31
> Subject: Re: [Open-collaboration-services] Open-collaboration-services Digest, Vol 1, Issue 6
> To: Frank Karlitschek <karlitschek at kde.org>
> 
> 
> 
> 
> 2010/7/30 Frank Karlitschek <karlitschek at kde.org>
> O.K. I updated the spec draft and addad a gpgsignature field.
> 
> Great :) 
> 
> Can you check if it´s O.K. now?
> 
> It's fine, however I think you should modify the example listed in http://www.freedesktop.org/wiki/Specifications/open-collaboration-services-draft#download and replace the "12345679" string with a real signature in order to better describe its content, i.e. 


Sure. The string "123456789" was just dummy content. :-)



> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (GNU/Linux)
> 
> iEYEABECAAYFAkxT52oACgkQMNPAbDSMHn/xDQCfSplogMr9x0G0jGpFXWyJX3ZN
> qMUAn3WLVmXADVzWdEToTJ8B5wpdm3zb
> =A6Dy
> -----END PGP SIGNATURE-----
> 
> Thanks again for the improvement,
> have a nice day!
> 
> Diego
> 
> 
> Cheers
> Frank
> 
> 
> On 30.07.2010, at 14:36, Diego Casella ([Po]lentino) wrote:
> 
> >
> >
> > 2010/7/30 Frank Karlitschek <karlitschek at kde.org>
> >
> > On 29.07.2010, at 14:15, Diego Casella ([Po]lentino) wrote:
> >
> > > Message: 2
> > > Date: Wed, 28 Jul 2010 21:13:44 +0200
> > > From: Frederik Gladhorn <gladhorn at kde.org>
> > > Subject: Re: [Open-collaboration-services] [REQUEST] Extend API to
> > >        support gpg signature
> > > To: open-collaboration-services at kde.org
> > > Message-ID: <201007282113.52087.gladhorn at kde.org>
> > > Content-Type: text/plain; charset="iso-8859-1"
> > >
> > > On Wednesday 28 July 2010 10:43:42 Frank Karlitschek wrote:
> > > > On 27.07.2010, at 09:27, Frederik Gladhorn wrote:
> > > > > On Monday 26 July 2010 22:54:29 Frank Karlitschek wrote:
> > > > >> On 26.07.2010, at 22:10, Frederik Gladhorn wrote:
> > > > >>> Sounds pretty good to me. Signatures are about 200 byte if I'm not
> > > > >>> mistaken. I would almost favor to inline them in the content/get
> > > > >>> request, so we don't need to make a separate call. Any reason not to?
> > > > >>
> > > > >> I agree. It?s funny, we discussed adding a similar signature field 3
> > > > >> weeks ago at Akademy and it is already in the OCS 1.6 draft
> > > > >> http://www.freedesktop.org/wiki/Specifications/open-collaboration-servic
> > > > >> es -draft
> > > > >>
> > > > >>
> > > > >> What do you think? Is this what you need?
> > > > >
> > > > > Funny, it must have slipped my mind, or I missed that part of the
> > > > > discussion (Akademy was total communications overload ;)).
> > > > > Anyway, the stuff currently in the spec is a gpg fingerprint, what would
> > > > > one do with that? I don't get it. Should the package itself be signed
> > > > > then with this key?
> > > > >
> > > > > Diego's gpg-aa signing approach allows verification where the download
> > > > > comes from, even if the server has been compromised. But only on the
> > > > > assumption that the user has the key/is part of the web of trust ...
> > > > >
> > > > > Do we want/need both?
> > > > >
> > > > > Cheers
> > > > > Frederik
> > > >
> > > > Sorry. It seams that I?m not awake yet. :-) I don?t get it.
> > > >
> > > > Which fields do we need and where?
> > > >
> > > > Can you give me an example perhaps?
> > >
> > > Diego, can you explain in more detail?
> > > gpg fingerprint: id of a gpg key
> > > gpg aa signature: signature of one file
> > >
> > > (see the previous mails on this list for examples)
> > >
> > > Well, the fingerprint is not essential, since it is automatically retrieved after successfully verifying the downloaded package against the signature shipped with it (even if the key associated to that signature is not present at all in the user's computer). What is really needed in the new protocol is a signature field, which will contains the signature data in the following format:
> > >
> > > -----BEGIN PGP SIGNATURE-----
> > > Version: GnuPG v1.4.10 (GNU/Linux)
> > >
> > > iEYEABECAAYFAkxN6ewACgkQcZKJUy
> > > ELiPfZlwCgipEZJjUgf9z3HembEYpVtX9h
> > > pfwAn39WOGGcVBYCBaM92xDRStffL7zY
> > > =Hudq
> > > -----END PGP SIGNATURE-----
> > >
> > > So, the signature field is essential, otherwise my library won't be able to determine the authenticity of the package and his signer.
> > > As side note, I previously said that the key fingerprint is not essential however, if present, it will speed up the authentication process :)
> > >
> > >
> >
> > O.K.
> > So we should add a signature field to the xml additionally to the gpgfingerprint?
> >
> > That easy.
> >
> > Awesome :)
> >
> > What name do you suggest?  "gpgsignature"?
> >
> > +1
> > gpgsignature looks perfect to me :)
> >
> > Cheers
> > Frank
> >
> > Cheers
> > Diego.
> >
> >
> > > > > _______________________________________________
> > > > > Open-collaboration-services mailing list
> > > > > Open-collaboration-services at kde.org
> > > > > https://mail.kde.org/mailman/listinfo/open-collaboration-services
> > > >
> > > > --
> > > > Frank Karlitschek
> > > > karlitschek at kde.org
> > >
> > > --
> > > H: Who is Watson without Sherlock Holmes?
> > > G: Watson was a genius in his own right.
> > > _______________________________________________
> > > Open-collaboration-services mailing list
> > > Open-collaboration-services at kde.org
> > > https://mail.kde.org/mailman/listinfo/open-collaboration-services
> >
> >
> > --
> > Frank Karlitschek
> > karlitschek at kde.org
> >
> >
> >
> >
> >
> >
> >
> > --
> > H: Who is Watson without Sherlock Holmes?
> > G: Watson was a genius in his own right.
> 
> 
> --
> Frank Karlitschek
> karlitschek at kde.org
> 
> 
> 
> 
> 
> 
> 
> -- 
> H: Who is Watson without Sherlock Holmes?
> G: Watson was a genius in his own right.
> 
> 
> 
> -- 
> H: Who is Watson without Sherlock Holmes?
> G: Watson was a genius in his own right.
> _______________________________________________
> Open-collaboration-services mailing list
> Open-collaboration-services at kde.org
> https://mail.kde.org/mailman/listinfo/open-collaboration-services


--
Frank Karlitschek
karlitschek at kde.org






More information about the Open-collaboration-services mailing list