= General Topics in Public Key Infrastructure (PKI) for OSGeo.org =

== General Discussion ==

'''Anita Graser''' and the '''QGis Team''' are interested in signing binaries.

jgarnett proposed a motion at the Board level (also represents Boundless community outreach); Michael Smith supports; Sanghee Shin and Jorge Sanz supporting.
* http://lists.osgeo.org/pipermail/board/2015-October/013445.html

'''darkblue_b''' proposed participating in the EFF/Mozilla Foundation Let's Encrypt initiative, and generally being modern in setting up server infrastructure for a FOSS dot-org. This prompted an investigation into the acquisition and use of Public Key Infrastructure (PKI) X.509 certificates (a hierarchical trust authority structure), Debian-style package signing, and this wiki page.

'''wildintellect''' (current SAC chair) is in favor of getting SSL certs for all our websites; if some of those are the free ones from the Let's Encrypt initiative, that is fine.

'''evenR''' points to: https://fedoraproject.org/wiki/ReleaseEngineering/Projects/SigningServer

'''Larry Shaffer''' joins SAC for the purposes of this project.

'''nhv''' is observing.

== Signing Binaries based on the Debian Model ==

A .dsc file shows some important parts: checksums on certain things, the name of a person, and lastly the GnuPG PGP signature.

So, one might summarize: there is a binary file, and a text file that goes with it. The text file is in a known structure (.dsc); in that text file are checksums, the name of a person, and a GNU PGP signature.

== Signing Binaries on the LocationTech Model ==

LocationTech says in their handbook http://www.eclipse.org/projects/handbook/locationtech.html

'''Signed Artifacts''': Where technically sensible, all downloadable artifacts should be signed by an Eclipse Foundation-provided certificate.
== HTTPS using Let's Encrypt ==

'''darkblue_b''' sez':

Board Members, List Members, all -

Today I asked Yuvi Panda, lead dev at Wikimedia Labs, a participatory collection of open infrastructure and FOSS supporters, what they are using for their certificate ecosystem. Here is the reply:

YuviPanda: we just use globalsign, which isn't ideal but oh well. we're waiting for lets-encrypt, and that's hopefully possible next month. lets-encrypt is from mozilla and eff and probably saner ( ed. ..than the FSF idea )

regarding the Free Software Foundation as an upstream Certificate Authority: FSF isn't a CA and I don't think they have any intention of being one

--

{{{
Date: Tue, 03 Nov 2015 10:54:01 -0800
From: Brian M Hamlin
Reply-To: Brian M Hamlin
Subject: Re: Let's Encrypt
To: Seth David Schoen
Cc: larrys@dakotacarto.com

Hi Seth -

I wrote to Peter very shortly after our email exchange, but I have not heard anything back.

Basically, I can sum up our inquiry this way --

* OSGeo.org wants to participate in Let's Encrypt
* OSGeo.org may want to purchase PKI certificates from a Certificate Authority, to sign binaries for Windows and Mac; which CA to choose?
* in general, PKI certificates in line with your current thinking while we set up some new servers (mainly at OSUOSL)

thanks
--Brian

On Tue, 20 Oct 2015 11:19:23 -0700, Seth David Schoen wrote:

Hi Brian,

Thanks for your interest in Let's Encrypt! I'm on sabbatical so you should probably try Peter Eckersley if you have further questions.

I hope Let's Encrypt can be useful to OSGeo, but in answer to your question, we're planning to do only TLS server certificates and not any other kind of certificate (for example, we're not planning to offer code signing certificates). All of our certificates will be Domain Validation only and will be free of charge. They should be available to the public during the week of November 21, and there's a beta program now that's going to be issuing live certificates to users before then.

It should still be possible to join the beta, but I can't guarantee how soon before general availability you would end up getting access (it might even turn out to be around the time of general availability).

--
Seth Schoen
Senior Staff Technologist https://www.eff.org/
Electronic Frontier Foundation https://www.eff.org/join
815 Eddy Street, San Francisco, CA 94109 +1 415 436 9333 x107

--
Brian M Hamlin
OSGeo California Chapter
blog.light42.com
}}}