On 15/06/10 22:33, M.-A. Lemburg wrote:
> * How will clients be sure that they are getting the correct key ?

Err... Download from a HTTPS server, with certificate verification in the client, would be nice :).

> * What would a client do if the PyPI server is down ?

I would keep using the old key if I can't refresh it. If the key is changed once per year, that would be painless most of the time.

> * How would clients protect their local cached copy of the
> server key against manipulation ?

Well, if you can alter the local cached key, you can alter the client code too to skip the verification completely.

> * Without access to OpenSSL and M2Crypto, how would clients
> apply the check ?

Some time ago I proposed using ElGamal signatures. The check can be done in pure Python in maybe 5 lines of code. I use this in my own projects.

> Also, please consider that access to crypto code is restricted
> in some parts of the world. Users in those countries would have
> to be able to turn off verification.

Not for verification, I think. If the verification is 100% Python, with no crypto library required, there is less legal risk.

Personally I would ban mirrors deployed in no-crypto countries if I cannot "certify" the files they are serving.

-- 
Jesus Cea Avion - j...@jcea.es - http://www.jcea.es/
jabber / xmpp:j...@jabber.org

_______________________________________________
Catalog-SIG mailing list
Catalog-SIG@python.org
http://mail.python.org/mailman/listinfo/catalog-sig
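The pure-Python ElGamal check discussed in the reply above, written out as an added example; it is not code from this thread, from Jesus Cea's projects or from any PyPI client. The parameters (the Mersenne prime 2**127 - 1 and g = 3) are demo values chosen only so the block runs quickly, the hash is SHA-256 and `sign` exists only to produce signatures for the `verify` function, which is the part a client would ship.

```python
import hashlib
import secrets

# Demo parameters (assumption): p = 2**127 - 1 is a known prime but far too
# small for real use; a deployment would use a large safe prime. g = 3 is any
# element of (Z/pZ)*; the arithmetic below holds for any such g.
P = 2**127 - 1
G = 3


def hash_to_int(data: bytes) -> int:
    """Map a file's bytes to an integer exponent in [0, p-1)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (P - 1)


def keygen():
    """Return (private x, public y = g^x mod p)."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def sign(x: int, data: bytes):
    """Server side: ElGamal signature (r, s) over the file's hash."""
    h = hash_to_int(data)
    while True:
        k = secrets.randbelow(P - 2) + 1
        try:
            k_inv = pow(k, -1, P - 1)      # needs gcd(k, p-1) == 1
        except ValueError:
            continue                        # k not invertible, pick another
        r = pow(G, k, P)
        s = ((h - x * r) * k_inv) % (P - 1)
        if s != 0:
            return r, s


def verify(y: int, data: bytes, sig) -> bool:
    """Client side: the pure-Python check, no OpenSSL or M2Crypto needed."""
    r, s = sig
    if not (0 < r < P and 0 < s < P - 1):   # reject out-of-range values first
        return False
    h = hash_to_int(data)
    return pow(G, h, P) == (pow(y, r, P) * pow(r, s, P)) % P
```

A client that verifies every downloaded file this way needs only the server's public `y` (fetched over HTTPS and cached, as proposed above) and the signature published next to the file.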