General Topics in Public Key Infrastructure (PKI) for OSGeo.org

General Discussion

OSGeo Board has passed a motion to allocate $500 to certificate acquisition http://lists.osgeo.org/pipermail/board/2015-October/013321.html

Anita Graser has expressed interest in the initiative

jgarnett proposed a motion at the Board level (also represents Boundless community outreach); Michael Smith seconds; Sanghee Shin, Jorge Sanz supporting

darkblue_b proposed participating in the EFF/Mozilla Foundation Let's Encrypt initiative, and generally being modern in setting up server infrastructure for a FOSS dot-org. This prompted an investigation into the acquisition and use of Public Key Infrastructure (PKI) X.509 certificates, a hierarchical trust authority structure, and this wiki page.

wildintellect (current SAC chair) is in favor of getting SSL certs for all our websites; if some of those are the Free ones from that initiative, that is fine

evenR suggests https://fedoraproject.org/wiki/ReleaseEngineering/Projects/SigningServer

the QGIS team is interested in Signing Binaries for Mac and Windows

Larry Shaffer is involved in signing binaries, and is working with jgarnett

nhv is observing the process

* Signing Binaries based on the Debian Model

A .dsc file shows some important parts: checksums on certain things, the name of a person, and lastly the GnuPG (PGP) signature.

So, one might summarize: there is a binary file, and a text file that goes with it. The text file is in a known structure (.dsc). In that text file are checksums, the name of a person, and a GnuPG (PGP) signature.

* Signing Binaries on the LocationTech model

LocationTech says in their handbook http://www.eclipse.org/projects/handbook/locationtech.html

Signed Artifacts
Where technically sensible, all downloadable artifacts should be signed by an Eclipse Foundation-provided certificate.

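For the Debian model summarized above, an added example (not from this wiki page and not Debian's own tooling): Python code that reads a clearsigned .dsc, pulls out the person's name and the SHA-256 checksums, and checks them against the contents of the files it lists. The package name, maintainer and signature placeholder are constructed; the PGP signature itself is not verified here, and the checksums are only trustworthy once that has been done with GnuPG against a trusted keyring.

```python
import hashlib

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"

def signed_body(dsc_text):
    """Return the signed lines of a clearsigned .dsc; refuse unsigned input."""
    lines = dsc_text.splitlines()
    if BEGIN_MSG not in lines or BEGIN_SIG not in lines:
        raise ValueError("not a clearsigned .dsc")
    start = lines.index("", lines.index(BEGIN_MSG)) + 1  # skip armor headers
    # Undo OpenPGP dash-escaping ("- " prefix) inside the signed text.
    body = lines[start:lines.index(BEGIN_SIG)]
    return [l[2:] if l.startswith("- ") else l for l in body]

def parse_fields(body_lines):
    """Parse 'Name: value' fields; a leading space continues the previous field."""
    fields, name = {}, None
    for line in body_lines:
        if line.startswith(" ") and name:
            fields[name].append(line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            fields[name] = [value.strip()] if value.strip() else []
    return fields

def check_files(dsc_text, files):
    """Check Checksums-Sha256 entries; the PGP signature is NOT verified here."""
    fields = parse_fields(signed_body(dsc_text))
    results = {}
    for entry in fields.get("Checksums-Sha256", []):
        digest, size, name = entry.split()
        data = files.get(name)  # files maps file name -> bytes
        if data is None:
            results[name] = "missing"
        elif len(data) != int(size):
            results[name] = "size mismatch"
        elif hashlib.sha256(data).hexdigest() != digest:
            results[name] = "hash mismatch"
        else:
            results[name] = "ok"
    return fields.get("Maintainer", [""])[0], results

# Constructed sample: package, maintainer and signature placeholder are made up.
TARBALL = b"constructed upstream source bytes\n"
SAMPLE_DSC = "\n".join([
    BEGIN_MSG, "Hash: SHA256", "", "Format: 3.0 (quilt)", "Source: hello-geo",
    "Maintainer: Example Person <person@example.org>", "Checksums-Sha256:",
    f" {hashlib.sha256(TARBALL).hexdigest()} {len(TARBALL)} hello-geo_1.0.orig.tar.gz",
    "", BEGIN_SIG, "", "PLACEHOLDER-NOT-A-SIGNATURE", "-----END PGP SIGNATURE-----"])
```
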
* HTTPS using Let's Encrypt

darkblue_b sez'

Board Members, List Members, all -

Today I asked Yuvi Panda, lead dev at Wikimedia Labs, a participatory collection of open infrastructure and FOSS supporters, what they are using for their certificate ecosystem. Here is the reply:

YuviPanda:
we just use globalsign, which isn't ideal but oh well.
we're waiting for lets-encrypt, and that's hopefully possible next month
lets-encrypt is from mozilla and eff and probably saner ( ed. ..than the FSF idea )

regarding the Free Software Foundation as an upstream Certificate Authority:
FSF isn't a CA and I don't think they have any intention of being one

* Generating Internal Certificates with openssl