[Open-collaboration-services] Open-collaboration-services Digest, Vol 1, Issue 6

Diego Casella ([Po]lentino) polentino911 at gmail.com
Fri Jul 30 14:36:59 CEST 2010


2010/7/30 Frank Karlitschek <karlitschek at kde.org>

>
> On 29.07.2010, at 14:15, Diego Casella ([Po]lentino) wrote:
>
> > Message: 2
> > Date: Wed, 28 Jul 2010 21:13:44 +0200
> > From: Frederik Gladhorn <gladhorn at kde.org>
> > Subject: Re: [Open-collaboration-services] [REQUEST] Extend API to
> >        support gpg signature
> > To: open-collaboration-services at kde.org
> > Message-ID: <201007282113.52087.gladhorn at kde.org>
> > Content-Type: text/plain; charset="iso-8859-1"
> >
> > On Wednesday 28 July 2010 10:43:42 Frank Karlitschek wrote:
> > > On 27.07.2010, at 09:27, Frederik Gladhorn wrote:
> > > > On Monday 26 July 2010 22:54:29 Frank Karlitschek wrote:
> > > >> On 26.07.2010, at 22:10, Frederik Gladhorn wrote:
> > > >>> Sounds pretty good to me. Signatures are about 200 bytes if I'm not
> > > >>> mistaken. I would almost favor to inline them in the content/get
> > > >>> request, so we don't need to make a separate call. Any reason not to?
> > > >>
> > > >> I agree. It's funny, we discussed adding a similar signature field 3
> > > >> weeks ago at Akademy and it is already in the OCS 1.6 draft
> > > >>
> > > >> http://www.freedesktop.org/wiki/Specifications/open-collaboration-services-draft
> > > >>
> > > >>
> > > >> What do you think? Is this what you need?
> > > >
> > > > Funny, it must have slipped my mind, or I missed that part of the
> > > > discussion (Akademy was total communications overload ;)).
> > > > Anyway, the stuff currently in the spec is a gpg fingerprint, what would
> > > > one do with that? I don't get it. Should the package itself be signed
> > > > then with this key?
> > > >
> > > > Diego's gpg-aa signing approach allows verification where the download
> > > > comes from, even if the server has been compromised. But only on the
> > > > assumption that the user has the key/is part of the web of trust ...
> > > >
> > > > Do we want/need both?
> > > >
> > > > Cheers
> > > > Frederik
> > >
> > > Sorry. It seems that I'm not awake yet. :-) I don't get it.
> > >
> > > Which fields do we need and where?
> > >
> > > Can you give me an example perhaps?
> >
> > Diego, can you explain in more detail?
> > gpg fingerprint: id of a gpg key
> > gpg aa signature: signature of one file
> >
> > (see the previous mails on this list for examples)
> >
> > Well, the fingerprint is not essential, since it is automatically
> > retrieved after successfully verifying the downloaded package against the
> > signature shipped with it (even if the key associated to that signature is
> > not present at all in the user's computer). What is really needed in the new
> > protocol is a signature field, which will contain the signature data in the
> > following format:
> >
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.4.10 (GNU/Linux)
> >
> > iEYEABECAAYFAkxN6ewACgkQcZKJUy
> > ELiPfZlwCgipEZJjUgf9z3HembEYpVtX9h
> > pfwAn39WOGGcVBYCBaM92xDRStffL7zY
> > =Hudq
> > -----END PGP SIGNATURE-----
> >
> > So, the signature field is essential, otherwise my library won't be able
> > to determine the authenticity of the package and its signer.
> > As a side note, I previously said that the key fingerprint is not essential;
> > however, if present, it will speed up the authentication process :)
> >
> >
>
> O.K.
> So we should add a signature field to the xml additionally to the
> gpgfingerprint?
>
> That's easy.
>

Awesome :)

>
> What name do you suggest?  "gpgsignature"?
>
> +1
gpgsignature looks perfect to me :)

>
> Cheers
> Frank
>

Cheers
Diego.

>
>
> > > > _______________________________________________
> > > > Open-collaboration-services mailing list
> > > > Open-collaboration-services at kde.org
> > > > https://mail.kde.org/mailman/listinfo/open-collaboration-services
> > >
> > > --
> > > Frank Karlitschek
> > > karlitschek at kde.org
> >
> > --
> > H: Who is Watson without Sherlock Holmes?
> > G: Watson was a genius in his own right.
>
>
> --
> Frank Karlitschek
> karlitschek at kde.org
>
>
>
>
>


-- 
H: Who is Watson without Sherlock Holmes?
G: Watson was a genius in his own right.
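
A client consuming the `gpgsignature` field agreed on in this thread could extract and sanity-check it as below. This is an added example, not code from the thread or from Diego's library; the XML layout around `gpgfingerprint`/`gpgsignature`, the helper names and the sample packet bytes are assumptions constructed for illustration. The armor CRC-24 only catches transport damage; authenticity still comes from verifying the returned signature bytes against the downloaded package with gpg.

```python
import base64
import xml.etree.ElementTree as ET

BEGIN, END = "-----BEGIN PGP SIGNATURE-----", "-----END PGP SIGNATURE-----"

def crc24(data: bytes) -> int:
    """CRC-24 checksum used by OpenPGP ASCII armor (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor(packet: bytes) -> str:
    """Wrap raw bytes in signature armor (only used to build the sample)."""
    body = base64.b64encode(packet).decode()
    check = base64.b64encode(crc24(packet).to_bytes(3, "big")).decode()
    return f"{BEGIN}\n\n{body}\n={check}\n{END}"

def dearmor(text: str) -> bytes:
    """Return the binary signature; raise ValueError if the armor is damaged."""
    lines = [line.strip() for line in text.strip().splitlines()]
    if len(lines) < 4 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not an armored PGP signature")
    body = [l for l in lines[lines.index("") + 1:-1] if l]  # skip armor headers
    if len(body) < 2 or not body[-1].startswith("="):
        raise ValueError("missing base64 body or CRC-24 line")
    data = base64.b64decode("".join(body[:-1]), validate=True)
    if crc24(data) != int.from_bytes(base64.b64decode(body[-1][1:]), "big"):
        raise ValueError("CRC-24 mismatch: signature field is corrupted")
    return data

def signature_from_ocs(xml_text: str) -> bytes:
    """Extract and de-armor gpgsignature from a content entry (assumed layout)."""
    node = ET.fromstring(xml_text).find(".//content/gpgsignature")
    if node is None or not (node.text or "").strip():
        raise ValueError("content entry carries no gpgsignature")
    return dearmor(node.text)

# Constructed sample: placeholder bytes, not a real signature or fingerprint.
SAMPLE_PACKET = b"\x88\x46" + bytes(range(70))
SAMPLE_XML = (
    "<ocs><data><content><id>1</id><gpgfingerprint>PLACEHOLDER</gpgfingerprint>"
    f"<gpgsignature>{armor(SAMPLE_PACKET)}</gpgsignature></content></data></ocs>"
)
```

The bytes returned by `signature_from_ocs` can be written to a file and checked with `gpg --verify <sigfile> <package>`; a missing or damaged field should be treated as an unverified download.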