| 1 | General Topics in Public Key Infrastructure (PKI) for OSGeo.org |
| 2 | |
| 3 | General Discussion |
| 4 | |
| 5 | OSGeo Board has passed a motion to allocate $500 to certificate acquisition |
| 6 | |
| 7 | http://lists.osgeo.org/pipermail/board/2015-October/013321.html |
| 8 | |
| 9 | Anita Graser has expressed interest in the initiative |
| 10 | |
| 11 | jgarnett proposed a motion at the Board level (also represents Boundless community outreach); Michael Smith seconds; Sanghee Shin, Jorge Sanz supporting |
| 12 | |
| 13 | darkblue_b proposed participating in the EFF/Mozilla Foundation Let's Encrypt initiative, and generally be modern in setting up server infrastructure for a FOSS dot-org. This prompted an investigation into the acquisition and use of Public Key Infrastructure (PKI) x.509 certificates, a heirarchical trust authority structure, and this wiki page. |
| 14 | |
| 15 | wildintellect (current SAC chair) in favor of getting SSL certs for all our websites, if some of those are the Free ones from that initiative that is fine |
| 16 | |
| 17 | evenR suggests |
| 18 | https://fedoraproject.org/wiki/ReleaseEngineering/Projects/SigningServer |
| 19 | |
| 20 | the QGis team is interested in Signing Binaries for Mac and Windows |
| 21 | |
| 22 | Larry Shaffer is involved in signing binaries, and is working with jgarnett |
| 23 | |
| 24 | nhv is observing the process |
| 25 | |
| 26 | * Signing Binaries based on the Debian Model |
| 27 | |
| 28 | A .dsc file shows some important parts.. checksum on certain things, a name of a person, and lastly the GnuPG PGP Signature |
| 29 | |
| 30 | so - one might summarize .. there is a binary file, and a text file that goes with it.. the text file is in a known structure.. |
| 31 | (.dsc) in that text file are checksums, the name of a person, and a GNU PGP signature.. |
| 32 | |
| 33 | * Signing Binaries on the LocationTech model |
| 34 | |
| 35 | LocationTech says in their handbook |
| 36 | http://www.eclipse.org/projects/handbook/locationtech.html |
| 37 | |
| 38 | Signed Artifacts |
| 39 | |
| 40 | Where technically sensible, all downloadable artifacts should be signed |
| 41 | <https://wiki.eclipse.org/JAR_Signing> by an Eclipse Foundation-provided |
| 42 | certificate. |
| 43 | |
| 44 | |
| 45 | * HTTPS using Lets Encrypt |
| 46 | |
| 47 | darkblue_b sez' Board Members, List Members, all - |
| 48 | |
| 49 | Today I asked Yuvi Panda, lead dev at Wikimedia Labs, a |
| 50 | participatory collection of open infrastructure and FOSS supporters, |
| 51 | what they are using for their certificate ecosystem. Here is the reply: |
| 52 | |
| 53 | YuviPanda : |
| 54 | we just use globalsign, which isn't ideal but oh well. |
| 55 | we're waiting for lets-encrypt, and that's hopefully possible next month |
| 56 | lets-encrypt is from mozilla and eff and probably saner ( ed. |
| 57 | ..than the FSF idea ) |
| 58 | |
| 59 | regarding the Free Software Foundation as an upstream Certificate Authority: |
| 60 | |
| 61 | FSF isn't a CA and I don't think they have any intention of being one |
| 62 | |
| 63 | |
| 64 | |
| 65 | * Generating Internal Certificates with openssl |