General Topics in Public Key Infrastructure (PKI) for OSGeo.org
General Discussion
Anita Graser and the QGIS team are interested in signing binaries.
jgarnett proposed a motion at the Board level (also represents Boundless community outreach); OSGeo Board approved the following motion on 2015-10-29:
Authorize up to $500 USD/annual for the SAC to obtain signing certificates for use by OSGeo projects (as per request of the QGIS PSC). Larry Shaffer has agreed to join the SAC committee to facilitate this activity.
darkblue_b proposed participating in the EFF/Mozilla Foundation Let's Encrypt initiative, and generally being modern in setting up server infrastructure for a FOSS dot-org. This prompted an investigation into the acquisition and use of Public Key Infrastructure (PKI) X.509 certificates (a hierarchical trust authority structure), Debian-style package signing, and this wiki page.
wildintellect (current SAC chair) is in favor of getting SSL certs for all our websites; if some of those are the free ones from the Let's Encrypt initiative, that is fine.
evenR points to:
https://fedoraproject.org/wiki/ReleaseEngineering/Projects/SigningServer
Larry Shaffer joins SAC for the purposes of this project
nhv is observing
jmckenna plays strong defense as the project evolves
darkblue_b comments: I believe there are at least several, related topics here: OSGeo.org Signing binaries in an official capacity; TLS certificates for web sites to enable modern, safe browsing; OSGeo SAC internal methods to authenticate users and machines within the OSGeo server architecture; OSGeo SAC Roadmap and implementation of chosen activities; OSGeo Board decisions of priorities, funding, and formal external alliances, both explicit and implicit.
Note that GlobalSign sponsors certificates for FOSS-related non-profits; both the Wikimedia Foundation and the Debian Project use GlobalSign as their Certificate Authority (CA).
After consultations and some research, I believe OSGeo can use the Debian project method of signing with a GNU PGP key, and put the LocationTech method with a certificate authority as something to be looked into... Generally, I support jgarnett in using money and authoritative signatures for OSGeo projects, but it looks like it is not a requirement to proceed.
The following sections attempt to address these topics. This document is under construction.
Signing Binaries
Debian Model
https://ftp-master.debian.org/keys.html
https://wiki.debian.org/SecureApt#Signed_Release_files
A copy of the archive signing key (and its revocation certificate) is split using m-out-of-n secret sharing. The archive signing key itself sits on a computer where it actually signs packages; the security measures surrounding that machine are to be investigated.
A .dsc file shows some important parts: checksums on certain things, the name of a person, and lastly the GnuPG PGP signature.
So, one might summarize: there is a binary file, and a text file that goes with it. The text file has a known structure (.dsc); in that text file are checksums, the name of a person, and a GNU PGP signature.
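The structure summarized above, as an added example that is not code from the Debian project: it parses a clearsigned .dsc, keeps only the text the signature covers, and checks a file against the listed SHA-256 and size. The sample .dsc, the file name and the tarball bytes are constructed, and the signature block is a placeholder that this code does not verify.

```python
import hashlib

# Constructed sample data: a stand-in tarball and a clearsigned .dsc describing it.
# The signature block is a placeholder; run `gpg --verify` against a trusted
# keyring first, because the checksums mean nothing if the signature is not valid.
TARBALL = b"constructed demo tarball contents\n"
DSC = f"""-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 3.0 (quilt)
Source: demo
Version: 1.0-1
Maintainer: Example Person <person@example.org>
Checksums-Sha256:
 {hashlib.sha256(TARBALL).hexdigest()} {len(TARBALL)} demo_1.0.orig.tar.gz

-----BEGIN PGP SIGNATURE-----

(constructed placeholder, not a real signature)
-----END PGP SIGNATURE-----
"""

def signed_body(dsc):
    """Return only the text covered by the clearsign signature."""
    head, sep, rest = dsc.partition("-----BEGIN PGP SIGNED MESSAGE-----\n")
    body, sep2, _ = rest.partition("-----BEGIN PGP SIGNATURE-----")
    if not sep or not sep2 or head.strip():
        raise ValueError("not a clearsigned .dsc")
    # Skip the armor headers ("Hash: ...") up to the first blank line.
    return body.split("\n\n", 1)[1]

def parse_dsc(dsc):
    """Return (maintainer, {filename: (sha256_hex, size)}) from the signed body."""
    maintainer, sums, field = None, {}, None
    for line in signed_body(dsc).splitlines():
        if line.startswith(" ") and field == "Checksums-Sha256":
            digest, size, name = line.split()
            sums[name] = (digest, int(size))
        elif ":" in line and not line.startswith(" "):
            field, _, value = line.partition(":")
            if field == "Maintainer":
                maintainer = value.strip()
    return maintainer, sums

def check_file(dsc, name, data):
    """True only if `data` matches the size and SHA-256 listed for `name`."""
    digest, size = parse_dsc(dsc)[1].get(name, (None, -1))
    return len(data) == size and hashlib.sha256(data).hexdigest() == digest
```

Text placed before or after the signed region is ignored or rejected, so entries added outside the signature never reach the checksum table.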
LocationTech model
LocationTech says in their handbook http://www.eclipse.org/projects/handbook/locationtech.html
... Signed Artifacts Where technically sensible, all downloadable artifacts should be signed <https://wiki.eclipse.org/JAR_Signing> by an Eclipse Foundation-provided certificate.
HTTPS using Let's Encrypt
general first inquiry to Yuvi Panda AT Wikimedia-Labs
Board Members, List Members, all -

Today I asked Yuvi Panda, lead dev at Wikimedia Labs, a participatory collection of open infrastructure and FOSS supporters, what they are using for their certificate ecosystem. Here is the reply:

YuviPanda : we just use globalsign, which isn't ideal but oh well. we're waiting for lets-encrypt, and that's hopefully possible next month
lets-encrypt is from mozilla and eff and probably saner ( ed. ..than the FSF idea )

regarding the Free Software Foundation as an upstream Certificate Authority:
FSF isn't a CA and I don't think they have any intention of being one

Date: Tue, 03 Nov 2015 10:54:01 -0800
From: Brian M Hamlin <maplabs AT light42.com>
Reply-To: Brian M Hamlin <maplabs AT light42.com>
Subject: Re: Let's Encrypt
To: Seth David Schoen <schoen AT eff.org>
Cc: larrys AT dakotacarto.com

Hi Seth -

I wrote to Peter (Eckersley, Chief Computer Scientist for the Electronic Frontier Foundation ed.) very shortly after our email exchange, but I have not heard anything back. Basically, I can sum up our inquiry this way:

* OSGeo.org wants to participate in Let's Encrypt
* OSGeo.org may want to purchase PKI certificates from a Certificate Authority, to sign binaries for Windows and Mac
  which CA to choose ?
* in general, PKI certificates in line with your current thinking while we setup some new servers (mainly at OSUOSL)

thanks
--Brian

On Tue, 20 Oct 2015 11:19:23 -0700, Seth David Schoen <schoen AT eff.org> wrote:

Hi Brian,

Thanks for your interest in Let's Encrypt! I'm on sabbatical so you should probably try Peter Eckersley <pde@eff.org> if you have further questions.

I hope Let's Encrypt can be useful to OSGeo, but in answer to your question, we're planning to do only TLS server certificates and not any other kind of certificate (for example, we're not planning to offer code signing certificates). All of our certificates will be Domain Validation only and will be free of charge.

They should be available to the public during the week of November 21, and there's a beta program now that's going to be issuing live certificates to users before then. It should still be possible to join the beta, but I can't guarantee how soon before general availability you would end up getting access (it might even turn out to be around the time of general availability).

--
Seth Schoen <schoen AT eff.org>
Senior Staff Technologist https://www.eff.org/
Electronic Frontier Foundation https://www.eff.org/join
815 Eddy Street, San Francisco, CA 94109 +1 415 436 9333 x107

--
Brian M Hamlin
OSGeo California Chapter
blog.light42.com
Misc Links
https://www.globalsign.com/en/
https://pki-tutorial.readthedocs.org/en/latest/simple/index.html
https://wiki.openssl.org/index.php/Command_Line_Utilities#Create_.2F_Handle_Public_Key_Certificates
https://github.com/OldCoder/make-openssl-site/blob/master/make-openssl-site.sh
https://en.wikipedia.org/wiki/Transport_Layer_Security
https://en.wikipedia.org/wiki/Public_key_certificate
https://www.dougv.com/2008/09/my-experience-getting-a-code-signing-certificate-from-comodo/