[Open-collaboration-services] Fwd: Open-collaboration-services Digest, Vol 1, Issue 6

Diego Casella ([Po]lentino) polentino911 at gmail.com
Sat Jul 31 11:25:55 CEST 2010


---------- Forwarded message ----------
From: Diego Casella ([Po]lentino) <polentino911 at gmail.com>
Date: 2010/7/31
Subject: Re: [Open-collaboration-services] Open-collaboration-services
Digest, Vol 1, Issue 6
To: Frank Karlitschek <karlitschek at kde.org>




2010/7/30 Frank Karlitschek <karlitschek at kde.org>

> O.K. I updated the spec draft and added a gpgsignature field.
>

Great :)

>
> Can you check if it's O.K. now?
>

It's fine, however I think you should modify the example listed in
http://www.freedesktop.org/wiki/Specifications/open-collaboration-services-draft#download and
replace the "12345679" string with a real signature in order to better
describe its content, i.e.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEABECAAYFAkxT52oACgkQMNPAbDSMHn/xDQCfSplogMr9x0G0jGpFXWyJX3ZN
qMUAn3WLVmXADVzWdEToTJ8B5wpdm3zb
=A6Dy
-----END PGP SIGNATURE-----

Thanks again for the improvement,
have a nice day!

Diego


> Cheers
> Frank
>
>
> On 30.07.2010, at 14:36, Diego Casella ([Po]lentino) wrote:
>
> >
> >
> > 2010/7/30 Frank Karlitschek <karlitschek at kde.org>
> >
> > On 29.07.2010, at 14:15, Diego Casella ([Po]lentino) wrote:
> >
> > > Message: 2
> > > Date: Wed, 28 Jul 2010 21:13:44 +0200
> > > From: Frederik Gladhorn <gladhorn at kde.org>
> > > Subject: Re: [Open-collaboration-services] [REQUEST] Extend API to
> > >        support gpg signature
> > > To: open-collaboration-services at kde.org
> > > Message-ID: <201007282113.52087.gladhorn at kde.org>
> > > Content-Type: text/plain; charset="iso-8859-1"
> > >
> > > On Wednesday 28 July 2010 10:43:42 Frank Karlitschek wrote:
> > > > On 27.07.2010, at 09:27, Frederik Gladhorn wrote:
> > > > > On Monday 26 July 2010 22:54:29 Frank Karlitschek wrote:
> > > > >> On 26.07.2010, at 22:10, Frederik Gladhorn wrote:
> > > > > >>> Sounds pretty good to me. Signatures are about 200 bytes if I'm not
> > > > > >>> mistaken. I would almost favor to inline them in the content/get
> > > > > >>> request, so we don't need to make a separate call. Any reason not to?
> > > > > >>
> > > > > >> I agree. It's funny, we discussed adding a similar signature field 3
> > > > > >> weeks ago at Akademy and it is already in the OCS 1.6 draft
> > > > > >>
> > > > > >> http://www.freedesktop.org/wiki/Specifications/open-collaboration-services-draft
> > > > >>
> > > > >>
> > > > >> What do you think? Is this what you need?
> > > > >
> > > > > Funny, it must have slipped my mind, or I missed that part of the
> > > > > discussion (Akademy was total communications overload ;)).
> > > > > > Anyway, the stuff currently in the spec is a gpg fingerprint, what would
> > > > > > one do with that? I don't get it. Should the package itself be signed
> > > > > > then with this key?
> > > > > >
> > > > > > Diego's gpg-aa signing approach allows verification where the download
> > > > > > comes from, even if the server has been compromised. But only on the
> > > > > > assumption that the user has the key/is part of the web of trust ...
> > > > >
> > > > > Do we want/need both?
> > > > >
> > > > > Cheers
> > > > > Frederik
> > > >
> > > > > Sorry. It seems that I'm not awake yet. :-) I don't get it.
> > > >
> > > > Which fields do we need and where?
> > > >
> > > > Can you give me an example perhaps?
> > >
> > > Diego, can you explain in more detail?
> > > gpg fingerprint: id of a gpg key
> > > gpg aa signature: signature of one file
> > >
> > > (see the previous mails on this list for examples)
> > >
> > > Well, the fingerprint is not essential, since it is automatically retrieved after successfully verifying the downloaded package against the signature shipped with it (even if the key associated to that signature is not present at all in the user's computer). What is really needed in the new protocol is a signature field, which will contain the signature data in the following format:
> > >
> > > -----BEGIN PGP SIGNATURE-----
> > > Version: GnuPG v1.4.10 (GNU/Linux)
> > >
> > > iEYEABECAAYFAkxN6ewACgkQcZKJUy
> > > ELiPfZlwCgipEZJjUgf9z3HembEYpVtX9h
> > > pfwAn39WOGGcVBYCBaM92xDRStffL7zY
> > > =Hudq
> > > -----END PGP SIGNATURE-----
> > >
> > > So, the signature field is essential, otherwise my library won't be able to determine the authenticity of the package and its signer.
> > > As a side note, I previously said that the key fingerprint is not essential however, if present, it will speed up the authentication process :)
> > >
> > >
> >
> > O.K.
> > So we should add a signature field to the xml additionally to the gpgfingerprint?
> >
> > That easy.
> >
> > Awesome :)
> >
> > What name do you suggest?  "gpgsignature"?
> >
> > +1
> > gpgsignature looks perfect to me :)
> >
> > Cheers
> > Frank
> >
> > Cheers
> > Diego.
> >
> >
> > > > > _______________________________________________
> > > > > Open-collaboration-services mailing list
> > > > > Open-collaboration-services at kde.org
> > > > > https://mail.kde.org/mailman/listinfo/open-collaboration-services
> > > >
> > > > --
> > > > Frank Karlitschek
> > > > karlitschek at kde.org
> > >
> > > --
> > > H: Who is Watson without Sherlock Holmes?
> > > G: Watson was a genius in his own right.
> >
> >
> > --
> > Frank Karlitschek
> > karlitschek at kde.org
> >
> >
> >
> >
> >
> >
> >
> > --
> > H: Who is Watson without Sherlock Holmes?
> > G: Watson was a genius in his own right.
>
>
> --
> Frank Karlitschek
> karlitschek at kde.org
>
>
>
>
>


-- 
H: Who is Watson without Sherlock Holmes?
G: Watson was a genius in his own right.
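
Added example, not part of the original mail, the OCS spec or Diego's library: it reads the armored block proposed above for the gpgsignature field and decodes the OpenPGP signature packet inside it, showing that the packet itself names the signing key, which is why the thread treats the separate fingerprint field as optional. The `<content>` wrapper and all function names are assumptions made for illustration; only the element name gpgsignature and the signature text come from the thread.

```python
import base64
import struct
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed OCS-style fragment; the armored block is the one quoted in the mail.
SAMPLE_XML = """<content><gpgsignature>-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEABECAAYFAkxT52oACgkQMNPAbDSMHn/xDQCfSplogMr9x0G0jGpFXWyJX3ZN
qMUAn3WLVmXADVzWdEToTJ8B5wpdm3zb
=A6Dy
-----END PGP SIGNATURE-----</gpgsignature></content>"""

def dearmor(text):
    """Strip the armor and return the binary OpenPGP packet."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if (lines[0], lines[-1]) != ("-----BEGIN PGP SIGNATURE-----", "-----END PGP SIGNATURE-----"):
        raise ValueError("not an armored PGP signature")
    body = lines[lines.index("") + 1:-1]   # data follows the blank line after the headers
    return base64.b64decode("".join(ln for ln in body if not ln.startswith("=")), validate=True)

def parse_signature(pkt):
    """Parse an old-format v4 signature packet with a one-octet length (RFC 4880, 5.2.3)."""
    if pkt[0] != 0x88 or pkt[1] != len(pkt) - 2 or pkt[2] != 4:
        raise ValueError("unsupported packet layout")
    info = {"sig_type": pkt[3], "pubkey_algo": pkt[4], "hash_algo": pkt[5]}
    pos = 6
    for _area in ("hashed", "unhashed"):
        (area_len,) = struct.unpack_from(">H", pkt, pos)
        pos, end = pos + 2, pos + 2 + area_len
        while pos < end:
            sub_len, sub_type = pkt[pos], pkt[pos + 1] & 0x7F  # one-octet lengths only
            if not 0 < sub_len < 192:
                raise ValueError("multi-octet subpacket length not handled")
            data = pkt[pos + 2:pos + 1 + sub_len]
            if sub_type == 2:     # signature creation time
                info["created"] = datetime.fromtimestamp(int.from_bytes(data, "big"), timezone.utc)
            elif sub_type == 16:  # issuer key ID (low 64 bits of the signer's fingerprint)
                info["issuer_key_id"] = data.hex().upper()
            pos += 1 + sub_len
    return info

def inspect_gpgsignature(xml_text):
    """Read the gpgsignature element and describe the signature it carries."""
    return parse_signature(dearmor(ET.fromstring(xml_text).find(".//gpgsignature").text))

if __name__ == "__main__":
    print(inspect_gpgsignature(SAMPLE_XML))
```

Decoding the packet only tells a client which key to look up; it verifies nothing. In this signature the issuer key ID sits in the unhashed area, so it is not covered by the signature and the package still has to be checked with a real OpenPGP verification against a key the user trusts.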


