Changes between Initial Version and Version 1 of Signing


Timestamp: Nov 5, 2015, 10:38:46 AM (9 years ago)
Author: darkblueb
Comment: first commit

General Topics in Public Key Infrastructure (PKI) for OSGeo.org

General Discussion

OSGeo Board has passed a motion to allocate $500 to certificate acquisition

http://lists.osgeo.org/pipermail/board/2015-October/013321.html

Anita Graser has expressed interest in the initiative

jgarnett proposed a motion at the Board level (also represents Boundless community outreach); Michael Smith seconds; Sanghee Shin, Jorge Sanz supporting

darkblue_b proposed participating in the EFF/Mozilla Foundation Let's Encrypt initiative, and generally being modern in setting up server infrastructure for a FOSS dot-org. This prompted an investigation into the acquisition and use of Public Key Infrastructure (PKI) X.509 certificates, a hierarchical trust-authority structure, and this wiki page.

wildintellect (current SAC chair) is in favor of getting SSL certs for all our websites; if some of those are the free ones from that initiative, that is fine

evenR suggests
  https://fedoraproject.org/wiki/ReleaseEngineering/Projects/SigningServer

the QGIS team is interested in signing binaries for Mac and Windows

Larry Shaffer is involved in signing binaries, and is working with jgarnett

nhv is observing the process
     25
* Signing Binaries based on the Debian Model

A .dsc file (the Debian source-package control file) shows the important parts: checksums of the files it describes, the name of a person (the Maintainer field), and lastly a GnuPG (OpenPGP) clearsign signature over the whole text.

So, one might summarize: there is an artifact (a tarball or binary), and a text file that goes with it. The text file is in a known structure (.dsc); in that text file are checksums, the name of a person, and an OpenPGP signature made with GnuPG. The signature binds the name to the checksums, and the checksums bind the text to the artifact; checking only the checksums, without `gpg --verify` against a key you already trust, proves nothing about who produced the file.
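To make the structure concrete, here is an added example (not code from the Debian project or this wiki) that builds a .dsc-style clearsigned manifest for two constructed artifacts, splits off the OpenPGP armor, parses the control fields, and checks every listed file's size and SHA-256. The signature block is a constructed placeholder: real signature verification is done by `gpg --verify` against a trusted keyring and is deliberately out of scope here.

```python
"""Parse and checksum-verify a Debian-style .dsc manifest: structured text
carrying checksums, a maintainer name and an OpenPGP clearsign signature.
Added example; the manifest and artifact bytes below are constructed."""
import hashlib
import re

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"

# Constructed stand-ins for the files a .dsc describes.
ARTIFACTS = {
    "example_1.0.orig.tar.gz": b"constructed tarball bytes\n",
    "example_1.0-1.debian.tar.xz": b"constructed debian dir bytes\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(artifacts: dict) -> str:
    """Build a clearsigned-looking .dsc for the given artifacts.
    The signature block is a placeholder, NOT a real OpenPGP signature;
    a real one is produced by `gpg --clearsign` over the body."""
    lines = ["Format: 3.0 (quilt)", "Source: example", "Version: 1.0-1",
             "Maintainer: Example Maintainer <maintainer@example.org>",
             "Checksums-Sha256:"]
    for name, data in artifacts.items():
        lines.append(f" {sha256_hex(data)} {len(data)} {name}")
    body = "\n".join(lines)
    return "\n".join([BEGIN_MSG, "Hash: SHA256", "", body, BEGIN_SIG, "",
                      "iQEzBAEBCAAd...constructed placeholder...", "=abcd",
                      END_SIG, ""])


def split_clearsigned(text: str):
    """Return (signed_body, signature_block) from an OpenPGP clearsigned
    message (RFC 4880 section 7). Body lines that begin with '-' are
    dash-escaped as '- -...'; undo that escaping."""
    lines = text.splitlines()
    if BEGIN_MSG not in lines:
        raise ValueError("not a clearsigned message")
    start = lines.index(BEGIN_MSG) + 1
    while lines[start].strip():          # skip armor headers such as 'Hash:'
        start += 1
    start += 1                            # skip the blank separator line
    sig_start = lines.index(BEGIN_SIG, start)
    sig_end = lines.index(END_SIG, sig_start)
    body = [l[2:] if l.startswith("- ") else l for l in lines[start:sig_start]]
    return "\n".join(body), "\n".join(lines[sig_start:sig_end + 1])


def parse_control(body: str) -> dict:
    """Parse RFC 822-like Debian control fields; continuation lines of a
    multi-line field (e.g. Checksums-Sha256) start with whitespace."""
    fields, key = {}, None
    for line in body.splitlines():
        if line[:1] in (" ", "\t") and key:
            fields[key] += "\n" + line.strip()
            continue
        m = re.match(r"^([A-Za-z0-9-]+):\s*(.*)$", line)
        if not m:
            raise ValueError(f"malformed control line: {line!r}")
        key = m.group(1)
        fields[key] = m.group(2)
    return fields


def parse_checksums(value: str):
    """Each entry line is '<hex digest> <size> <filename>'."""
    entries = []
    for line in value.splitlines():
        if line.strip():
            digest, size, name = line.split()
            entries.append((digest, int(size), name))
    return entries


def verify_checksums(manifest: str, artifacts: dict) -> list:
    """Check every Checksums-Sha256 entry against the supplied bytes and
    flag artifacts the manifest does not cover. Returns problem strings;
    an empty list means every checksum matched. This does NOT verify the
    OpenPGP signature, so it says nothing about who signed the manifest."""
    body, _signature = split_clearsigned(manifest)
    fields = parse_control(body)
    entries = parse_checksums(fields.get("Checksums-Sha256", ""))
    listed = {name for _, _, name in entries}
    problems = []
    for digest, size, name in entries:
        data = artifacts.get(name)
        if data is None:
            problems.append(f"{name}: listed in manifest but missing")
        elif len(data) != size:
            problems.append(f"{name}: size {len(data)} != {size}")
        elif sha256_hex(data) != digest:
            problems.append(f"{name}: sha256 mismatch")
    problems += [f"{n}: present but not covered by the manifest"
                 for n in artifacts if n not in listed]
    return problems


if __name__ == "__main__":
    manifest = build_manifest(ARTIFACTS)
    fields = parse_control(split_clearsigned(manifest)[0])
    print("Maintainer:", fields["Maintainer"])
    print("intact:", verify_checksums(manifest, ARTIFACTS))
    tampered = dict(ARTIFACTS, **{"example_1.0.orig.tar.gz": b"constructed TARBALL bytes\n"})
    print("tampered:", verify_checksums(manifest, tampered))
```

The tampered artifact keeps the original length so the check reaches the digest comparison rather than stopping at the size field. In a real pipeline the order is the reverse of what this code can show: first `gpg --verify` the .dsc against a keyring you trust, and only then treat its checksums as authoritative.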
     32
* Signing Binaries on the LocationTech model

LocationTech says in their handbook
http://www.eclipse.org/projects/handbook/locationtech.html

Signed Artifacts

Where technically sensible, all downloadable artifacts should be signed
<https://wiki.eclipse.org/JAR_Signing> by an Eclipse Foundation-provided
certificate.
     43
     44
* HTTPS using Let's Encrypt

darkblue_b sez' Board Members, List Members, all -

  Today I asked Yuvi Panda, lead dev at Wikimedia Labs, a
participatory collection of open infrastructure and FOSS supporters,
what they are using for their certificate ecosystem. Here is the reply:

YuviPanda :
  we just use globalsign, which isn't ideal but oh well.
  we're waiting for lets-encrypt, and that's hopefully possible next month
  lets-encrypt is from mozilla and eff and probably saner  ( ed. ..than the FSF idea )

regarding the Free Software Foundation as an upstream Certificate Authority:

  FSF isn't a CA and I don't think they have any intention of being one


* Generating Internal Certificates with openssl