| | 1 | General Topics in Public Key Infrastructure (PKI) for OSGeo.org |
| | 2 | |
| | 3 | General Discussion |
| | 4 | |
| | 5 | OSGeo Board has passed a motion to allocate $500 to certificate acquisition |
| | 6 | |
| | 7 | http://lists.osgeo.org/pipermail/board/2015-October/013321.html |
| | 8 | |
| | 9 | Anita Graser has expressed interest in the initiative |
| | 10 | |
| | 11 | jgarnett proposed a motion at the Board level (also represents Boundless community outreach); Michael Smith seconds; Sanghee Shin, Jorge Sanz supporting |
| | 12 | |
| | 13 | darkblue_b proposed participating in the EFF/Mozilla Foundation Let's Encrypt initiative, and generally be modern in setting up server infrastructure for a FOSS dot-org. This prompted an investigation into the acquisition and use of Public Key Infrastructure (PKI) x.509 certificates, a heirarchical trust authority structure, and this wiki page. |
| | 14 | |
| | 15 | wildintellect (current SAC chair) in favor of getting SSL certs for all our websites, if some of those are the Free ones from that initiative that is fine |
| | 16 | |
| | 17 | evenR suggests |
| | 18 | https://fedoraproject.org/wiki/ReleaseEngineering/Projects/SigningServer |
| | 19 | |
| | 20 | the QGis team is interested in Signing Binaries for Mac and Windows |
| | 21 | |
| | 22 | Larry Shaffer is involved in signing binaries, and is working with jgarnett |
| | 23 | |
| | 24 | nhv is observing the process |
| | 25 | |
| | 26 | * Signing Binaries based on the Debian Model |
| | 27 | |
| | 28 | A .dsc file shows some important parts.. checksum on certain things, a name of a person, and lastly the GnuPG PGP Signature |
| | 29 | |
| | 30 | so - one might summarize .. there is a binary file, and a text file that goes with it.. the text file is in a known structure.. |
| | 31 | (.dsc) in that text file are checksums, the name of a person, and a GNU PGP signature.. |
| | 32 | |
| | 33 | * Signing Binaries on the LocationTech model |
| | 34 | |
| | 35 | LocationTech says in their handbook |
| | 36 | http://www.eclipse.org/projects/handbook/locationtech.html |
| | 37 | |
| | 38 | Signed Artifacts |
| | 39 | |
| | 40 | Where technically sensible, all downloadable artifacts should be signed |
| | 41 | <https://wiki.eclipse.org/JAR_Signing> by an Eclipse Foundation-provided |
| | 42 | certificate. |
| | 43 | |
| | 44 | |
| | 45 | * HTTPS using Lets Encrypt |
| | 46 | |
| | 47 | darkblue_b sez' Board Members, List Members, all - |
| | 48 | |
| | 49 | Today I asked Yuvi Panda, lead dev at Wikimedia Labs, a |
| | 50 | participatory collection of open infrastructure and FOSS supporters, |
| | 51 | what they are using for their certificate ecosystem. Here is the reply: |
| | 52 | |
| | 53 | YuviPanda : |
| | 54 | we just use globalsign, which isn't ideal but oh well. |
| | 55 | we're waiting for lets-encrypt, and that's hopefully possible next month |
| | 56 | lets-encrypt is from mozilla and eff and probably saner ( ed. |
| | 57 | ..than the FSF idea ) |
| | 58 | |
| | 59 | regarding the Free Software Foundation as an upstream Certificate Authority: |
| | 60 | |
| | 61 | FSF isn't a CA and I don't think they have any intention of being one |
| | 62 | |
| | 63 | |
| | 64 | |
| | 65 | * Generating Internal Certificates with openssl |
