
Version 1 (modified by darkblueb, 9 years ago)

first commit

General Topics in Public Key Infrastructure (PKI) for OSGeo.org

General Discussion

OSGeo Board has passed a motion to allocate $500 to certificate acquisition

http://lists.osgeo.org/pipermail/board/2015-October/013321.html

Anita Graser has expressed interest in the initiative

jgarnett proposed a motion at the Board level (also represents Boundless community outreach); Michael Smith seconds; Sanghee Shin, Jorge Sanz supporting

darkblue_b proposed participating in the EFF/Mozilla Foundation Let's Encrypt initiative, and generally being modern in setting up server infrastructure for a FOSS dot-org. This prompted an investigation into the acquisition and use of Public Key Infrastructure (PKI) X.509 certificates, a hierarchical trust authority structure, and this wiki page.

wildintellect (current SAC chair) is in favor of getting SSL certs for all our websites; if some of those are the free ones from that initiative, that is fine.

evenR suggests

https://fedoraproject.org/wiki/ReleaseEngineering/Projects/SigningServer

The QGIS team is interested in signing binaries for Mac and Windows.

Larry Shaffer is involved in signing binaries, and is working with jgarnett

nhv is observing the process

  • Signing Binaries based on the Debian Model

A .dsc file shows the important parts: checksums on certain things, the name of a person, and lastly the GnuPG (PGP) signature.

To summarize: there is a binary file and a text file that goes with it. The text file has a known structure (.dsc), and it contains checksums, the name of a person, and a GnuPG PGP signature.
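The structure summarized above can be read mechanically. The following is an added example, not code from this wiki or from Debian: it parses a clearsigned .dsc, pulls out the person's name and the SHA-256 entries, and checks a file against them. The function names, package name, maintainer and file content are all constructed for illustration.

```python
import hashlib

def parse_dsc(text):
    """Split a clearsigned .dsc into fields, SHA-256 entries and a signature flag."""
    lines = text.splitlines()
    armored = bool(lines) and lines[0] == "-----BEGIN PGP SIGNED MESSAGE-----"
    fields, checksums, current = {}, {}, None
    in_body = not armored            # armor headers ("Hash: ...") precede the body
    for line in lines:
        if line == "-----BEGIN PGP SIGNATURE-----":
            break                    # everything after this is the signature
        if not in_body:
            in_body = line == ""     # a blank line ends the armor headers
            continue
        if line[:1] in (" ", "\t"):  # continuation of a multi-line field
            if current == "Checksums-Sha256":
                digest, size, name = line.split()
                checksums[name] = (digest, int(size))
        elif ":" in line:
            current, value = line.split(":", 1)
            fields[current] = value.strip()
    # Presence only: checking the signature itself needs gpg and the signer's key.
    signed = armored and "-----END PGP SIGNATURE-----" in lines
    return {"fields": fields, "checksums": checksums, "signed": signed}

def artifact_matches(dsc, name, data):
    """True only if data has the size and SHA-256 that the .dsc lists for name."""
    digest, size = dsc["checksums"].get(name, (None, -1))
    return len(data) == size and hashlib.sha256(data).hexdigest() == digest

# Constructed sample: package name, maintainer and file content are made up.
TARBALL = b"constructed stand-in for example_1.0.orig.tar.gz\n"
SAMPLE_DSC = f"""-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Source: example
Maintainer: Jane Example <jane@example.org>
Checksums-Sha256:
 {hashlib.sha256(TARBALL).hexdigest()} {len(TARBALL)} example_1.0.orig.tar.gz

-----BEGIN PGP SIGNATURE-----

(constructed placeholder, not a real signature)
-----END PGP SIGNATURE-----
"""

if __name__ == "__main__":
    dsc = parse_dsc(SAMPLE_DSC)
    print(dsc["fields"], dsc["signed"], artifact_matches(dsc, "example_1.0.orig.tar.gz", TARBALL))
```

The checksums are only as trustworthy as the signature over them, so a real check verifies the signature first (for example with `gpg --verify` against the signer's public key) and compares file hashes afterwards.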

LocationTech says in their handbook http://www.eclipse.org/projects/handbook/locationtech.html

Signed Artifacts

Where technically sensible, all downloadable artifacts should be signed <https://wiki.eclipse.org/JAR_Signing> by an Eclipse Foundation-provided certificate.

  • HTTPS using Lets Encrypt

darkblue_b sez' Board Members, List Members, all -

Today I asked Yuvi Panda, lead dev at Wikimedia Labs, a participatory collection of open infrastructure and FOSS supporters, what they are using for their certificate ecosystem. Here is the reply:

YuviPanda :

we just use globalsign, which isn't ideal but oh well. we're waiting for lets-encrypt, and that's hopefully possible next month. lets-encrypt is from mozilla and eff and probably saner (ed. ..than the FSF idea)

regarding the Free Software Foundation as an upstream Certificate Authority:

FSF isn't a CA and I don't think they have any intention of being one

  • Generating Internal Certificates with openssl