
Version 4 (modified by darkblueb, 8 years ago)

--

General Topics in Public Key Infrastructure (PKI) for OSGeo.org

General Discussion

Anita Graser and the QGIS Team are interested in signing binaries.

jgarnett proposed a motion at the Board level (also represents Boundless community outreach); Michael Smith supports; Sanghee Shin, Jorge Sanz supporting

darkblue_b proposed participating in the EFF/Mozilla Foundation Let's Encrypt initiative and, more generally, taking a modern approach to setting up server infrastructure for a FOSS dot-org. This prompted an investigation into the acquisition and use of Public Key Infrastructure (PKI) X.509 certificates (a hierarchical trust authority structure), Debian-style package signing, and this wiki page.

wildintellect (current SAC chair) is in favor of getting SSL certs for all our websites; if some of those are the free ones from the Let's Encrypt initiative, that is fine.

evenR points to:

https://fedoraproject.org/wiki/ReleaseEngineering/Projects/SigningServer

Larry Shaffer joins SAC for the purposes of this project

nhv is observing

darkblue_b comments: I believe there are at least several related topics here: OSGeo.org signing binaries in an official capacity; TLS certificates for web sites to enable modern, safe browsing; internal methods to authenticate users and machines within the OSGeo server architecture; SAC Roadmap and implementation of chosen activities; Board indication of priorities, funding, and formal external alliances, both explicit and implicit.

After consultations and some research, I believe OSGeo can use the Debian project method of signing with a GNU PGP key, and put the LocationTech method with a certificate authority as something to be looked into. Generally, I support jgarnett in using money and authoritative signatures for OSGeo projects, but it looks like it is not a requirement to proceed.

The following sections attempt to address these topics. This document is under construction.

Signing Binaries based on the Debian Model

A .dsc file shows the important parts: checksums on certain things, the name of a person, and lastly the GnuPG (PGP) signature.

To summarize: there is a binary file and a text file that goes with it. The text file has a known structure (.dsc), and it contains checksums, the name of a person, and a GnuPG (PGP) signature.
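To make that structure concrete, here is an added example (not from the original page or from Debian's tooling) that parses a clearsigned .dsc and checks a file against its `Checksums-Sha256` entry. The package name, maintainer and tarball bytes are constructed, and the signature block is a placeholder that will not verify.

```python
import hashlib

# Constructed sample: tarball bytes plus a clearsigned .dsc describing them.
# The signature block is a placeholder and will NOT verify with gpg.
TARBALL = b"constructed example source tarball\n"
SHA256 = hashlib.sha256(TARBALL).hexdigest()
DSC = f"""-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 3.0 (quilt)
Source: example-pkg
Version: 1.0-1
Maintainer: Example Person <person@example.org>
Checksums-Sha256:
 {SHA256} {len(TARBALL)} example-pkg_1.0.orig.tar.gz
-----BEGIN PGP SIGNATURE-----

PLACEHOLDER
-----END PGP SIGNATURE-----
"""

def parse_dsc(text):
    """Return the control fields of a clearsigned .dsc as {name: [values]}."""
    lines = text.splitlines()
    start = lines.index("") + 1  # fields begin after the armor header block
    end = lines.index("-----BEGIN PGP SIGNATURE-----")
    fields, key = {}, None
    for line in lines[start:end]:
        if line[:1] in (" ", "\t") and key:  # continuation of a multi-line field
            fields[key].append(line.strip())
        elif ":" in line:
            key, _, value = line.partition(":")
            fields[key] = [value.strip()] if value.strip() else []
    return fields

def check_file(fields, name, data):
    """Compare data against the size and SHA-256 listed for name in the .dsc."""
    for entry in fields.get("Checksums-Sha256", []):
        digest, size, fname = entry.split()
        if fname == name:
            return int(size) == len(data) and hashlib.sha256(data).hexdigest() == digest
    return False  # not listed in the .dsc: treat the file as untrusted
```

The checksums are only meaningful once the signature on the .dsc itself has been verified (for example with `gpg --verify`) against a keyring you trust; this sketch covers the checksum step only.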

Signing Binaries on the LocationTech model

LocationTech says in their handbook (http://www.eclipse.org/projects/handbook/locationtech.html):

Signed Artifacts

Where technically sensible, all downloadable artifacts should be signed <https://wiki.eclipse.org/JAR_Signing> by an Eclipse Foundation-provided certificate.

HTTPS using Let's Encrypt

darkblue_b says:

Board Members, List Members, all -

Today I asked Yuvi Panda, lead dev at Wikimedia Labs, a participatory collection of open infrastructure and FOSS supporters, what they are using for their certificate ecosystem. Here is the reply:

YuviPanda :

we just use globalsign, which isn't ideal but oh well. we're waiting for lets-encrypt, and that's hopefully possible next month. lets-encrypt is from mozilla and eff and probably saner (ed.: ..than the FSF idea)

regarding the Free Software Foundation as an upstream Certificate Authority:

FSF isn't a CA and I don't think they have any intention of being one

--

Date: Tue, 03 Nov 2015 10:54:01 -0800
From: Brian M Hamlin <maplabs@light42.com>
Reply-To: Brian M Hamlin <maplabs@light42.com>
Subject: Re: Let's Encrypt
To: Seth David Schoen <schoen@eff.org>
Cc: larrys@dakotacarto.com

Hi Seth -

 

  I wrote to Peter very shortly after our email exchange, but I have not heard anything back.

Basically, I can sum up our inquiry this way --

 

  * OSGeo.org wants to participate in  Let's Encrypt

  * OSGeo.org may want to purchase PKI certificates from a Certificate Authority, to sign binaries for Windows and Mac

      which CA to choose?

  * in general, PKI certificates in line with your current thinking while we setup some new servers  (mainly at OSUOSL)

 

thanks --Brian



On Tue, 20 Oct 2015 11:19:23 -0700, Seth David Schoen <schoen@eff.org> wrote:

    Hi Brian,

    Thanks for your interest in Let's Encrypt! I'm on sabbatical so you
    should probably try Peter Eckersley <pde@eff.org> if you have further
    questions.

    I hope Let's Encrypt can be useful to OSGeo, but in answer to your
    question, we're planning to do only TLS server certificates and not
    any other kind of certificate (for example, we're not planning to
    offer code signing certificates). All of our certificates will be
    Domain Validation only and will be free of charge. They should be
    available to the public during the week of November 21, and there's
    a beta program now that's going to be issuing live certificates to
    users before then. It should still be possible to join the beta,
    but I can't guarantee how soon before general availability you would
    end up getting access (it might even turn out to be around the time
    of general availability).

    -- 
    Seth Schoen <schoen@eff.org>
    Senior Staff Technologist https://www.eff.org/
    Electronic Frontier Foundation https://www.eff.org/join
    815 Eddy Street, San Francisco, CA 94109 +1 415 436 9333 x107




--
Brian M Hamlin
OSGeo California Chapter
blog.light42.com
