wiki:Signing

General Topics in Public Key Infrastructure (PKI) for OSGeo.org

General Discussion

Anita Graser and the QGis Team are interested in signing binaries

jgarnett proposed a motion at the Board level (also represents Boundless community outreach); OSGeo Board approved the following motion on 2015-10-29:

Authorize up to $500 USD/annual for the SAC to obtain signing
certificates
for use by OSGeo projects (as per request of the QGIS PSC). Larry Shaffer
has agreed to join the SAC committee to facilitate this activity.

darkblue_b proposed participating in the EFF/Mozilla Foundation Let's Encrypt initiative, and generally be modern in setting up server infrastructure for a FOSS dot-org. This prompted an investigation into the acquisition and use of Public Key Infrastructure (PKI) x.509 certificates (a hierarchical trust authority structure), Debian-style package signing, and this wiki page.

wildintellect (current SAC chair) in favor of getting SSL certs for all our websites, if some of those are the Free ones from the Lets Encrypt initiative, that is fine

evenR points to:

https://fedoraproject.org/wiki/ReleaseEngineering/Projects/SigningServer

Larry Shaffer joins SAC for the purposes of this project

nhv is observing

jmckenna plays strong defense as the project evolves


darkblue_b comments: I believe there are at least several, related topics here: OSGeo.org Signing binaries in an official capacity; TLS certificates for web sites to enable modern, safe browsing; OSGeo SAC internal methods to authenticate users and machines within the OSGeo server architecture; OSGeo SAC Roadmap and implementation of chosen activities; OSGeo Board decisions of priorities, funding, and formal external alliances, both explicit and implicit.

Note that Globalsign sponsors certificates for FOSS-related non-profits; both Wikimedia Foundation and the Debian Project use GlobalSign? as their Certificate Authority (CA)

After consultations and some research, I believe OSGeo can use the Debian project method of signing with a GNU PGP key, and put the LocationTech? method with a certificate authority as something to be looked into... Generally, I support jgarnett in using money and authoritative signatures for OSGeo projects, but it looks like it is not a requirement to proceed.

The following sections attempts to address various sections. This document is under construction.

Signing Binaries

Debian Model

https://ftp-master.debian.org/keys.html

https://wiki.debian.org/SecureApt#Signed_Release_files

a copy of the archive signing key (and revocation certificate) is spread over m-out-of-n secret sharing. The archive signing key sits on a computer where it actually signs packages; actual security measures surrounding it To-Be-Investigated

A .dsc file shows some important parts.. checksum on certain things, a name of a person, and lastly the GnuPG PGP Signature

so - one might summarize .. there is a binary file, and a text file that goes with it.. the text file is in a known structure.. (.dsc) in that text file are checksums, the name of a person, and a GNU PGP signature..

LocationTech? model

LocationTech? says in their handbook http://www.eclipse.org/projects/handbook/locationtech.html

  ...
  Signed Artifacts

  Where technically sensible, all downloadable artifacts should be signed
<https://wiki.eclipse.org/JAR_Signing>  by an Eclipse Foundation-provided
certificate.

HTTPS using Lets Encrypt

general first inquiry to Yuvi Panda AT Wikimedia-Labs

Board Members, List Members, all -

  Today I asked Yuvi Panda, lead dev at Wikimedia Labs, a 
participatory collection of open infrastructure and FOSS supporters, 
what they are using for their certificate ecosystem. Here is the reply:

YuviPanda :
  we just use globalsign, which isn't ideal but oh well. 
  we're waiting for lets-encrypt, and that's hopefully possible next month
  lets-encrypt is from mozilla and eff and probably saner  ( ed.   
..than the FSF idea )

regarding the Free Software Foundation as an upstream Certificate Authority:

  FSF isn't a CA and I don't think they have any intention of being one

Date: Tue, 03 Nov 2015 10:54:01 -0800
From: Brian M Hamlin <maplabs AT light42.com>
Reply-To: Brian M Hamlin <maplabs AT light42.com>
Subject: Re: Let's Encrypt
To: Seth David Schoen <schoen AT eff.org>
Cc: larrys AT dakotacarto.com

Hi Seth -

  I wrote to Peter (Eckersley, Chief Computer Scientist for the Electronic Frontier Foundation ed.) very shortly after our email exchange, but I have not heard anything back. Basically, I can sum up our inquiry this way:


  * OSGeo.org wants to participate in  Let's Encrypt

  * OSGeo.org may want to purchase PKI certificates from a Certificate Authority, to sign binaries for WIndows and Mac

      which CA to choose ?

  * in general, PKI certificates in line with your current thinking while we setup some new servers  (mainly at OSUOSL)

 

thanks --Brian



On Tue, 20 Oct 2015 11:19:23 -0700, Seth David Schoen <schoen AT eff.org> wrote:

    Hi Brian,

    Thanks for your interest in Let's Encrypt! I'm on sabbatical so you
    should probably try Peter Eckersley <pde@eff.org> if you have further
    questions.

    I hope Let's Encrypt can be useful to OSGeo, but in answer to your
    question, we're planning to do only TLS server certificates and not
    any other kind of certificate (for example, we're not planning to
    offer code signing certificates). All of our certificates will be
    Domain Validation only and will be free of charge. They should be
    available to the public during the week of November 21, and there's
    a beta program now that's going to be issuing live certificates to
    users before then. It should still be possible to join the beta,
    but I can't guarantee how soon before general availability you would
    end up getting access (it might even turn out to be around the time
    of general availability).

    -- 
    Seth Schoen <schoen AT eff.org>
    Senior Staff Technologist https://www.eff.org/
    Electronic Frontier Foundation https://www.eff.org/join
    815 Eddy Street, San Francisco, CA 94109 +1 415 436 9333 x107




--
Brian M Hamlin
OSGeo California Chapter
blog.light42.com

https://wiki.openssl.org

https://letsencrypt.org/

https://www.globalsign.com/en/

https://pki-tutorial.readthedocs.org/en/latest/simple/index.html

https://wiki.openssl.org/index.php/Command_Line_Utilities#Create_.2F_Handle_Public_Key_Certificates

https://github.com/OldCoder/make-openssl-site/blob/master/make-openssl-site.sh

https://en.wikipedia.org/wiki/Transport_Layer_Security

https://en.wikipedia.org/wiki/Public_key_certificate

https://www.dougv.com/2008/09/my-experience-getting-a-code-signing-certificate-from-comodo/

https://blockstream.com/2015/08/24/treesignatures/

Last modified 19 months ago Last modified on Jan 19, 2018 6:44:24 AM