On 13 Feb, 2013, at 15:21, Nick Coghlan <ncogh...@gmail.com> wrote:
>
> For now, though, we would probably start off with
> release/target/timestamp roles sharing a key, all threshold values set
> to 1, and just doing simple project based target delegation to user
> keys. Given the existing GPG infrastructure, I'm also inclined to
> stick with GPG based keys and work with the TUF folks to define that
> format in their spec. We may also need to leave the protection against
> replay attacks off by default, due to the problem with incorrect clocks
> noted at the end of the TUF spec.
On the other hand, AFAIK the GPG infrastructure of PyPI isn't used a lot, and OpenSSL exposes PKCS#1, which means those can be used without adding new dependencies to CPython, and likely without installing new software on all unix-like systems (the openssl command-line tool is available on both OS X and all Linux boxes I checked). For 3.4 the PKCS#1 support in OpenSSL could be exposed through a new extension module.

I don't have preferences either way,

Ronald

_______________________________________________
Catalog-SIG mailing list
Catalog-SIG@python.org
http://mail.python.org/mailman/listinfo/catalog-sig
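The "openssl command-line tool, no new dependencies" route Ronald describes, shown as an added example that is not code from the thread, from PyPI or from the TUF project: an RSA PKCS#1 signature over a constructed stand-in for a TUF targets metadata file, verified with the public key, and a tampered copy that must be rejected. It assumes only that `openssl` is on PATH; the key, file names and JSON content are constructed for the demo.

```shell
#!/bin/sh
# Added example: sign/verify metadata with only the openssl CLI (PKCS#1 RSA).
set -e

WORK=$(mktemp -d)

# Generate a 2048-bit RSA keypair. Constructed for the demo only; a real
# maintainer key would live in a keyring or HSM, never in a temp dir.
gen_keys() {
    openssl genrsa -out "$WORK/maintainer.pem" 2048 2>/dev/null
    openssl rsa -in "$WORK/maintainer.pem" -pubout \
        -out "$WORK/maintainer.pub" 2>/dev/null
}

# Sign $1, writing the signature to $2: SHA-256 digest, RSA PKCS#1 v1.5
# padding (the default for `openssl dgst -sign`).
sign_file() {
    openssl dgst -sha256 -sign "$WORK/maintainer.pem" -out "$2" "$1"
}

# Verify $1 against signature $2 with the public key; exit status is the
# result (0 = signature valid), output is suppressed.
verify_file() {
    openssl dgst -sha256 -verify "$WORK/maintainer.pub" \
        -signature "$2" "$1" >/dev/null 2>&1
}

# End-to-end check: returns 0 only if the genuine file verifies AND a
# modified copy is rejected, which is the property a client relies on.
demo() {
    gen_keys
    # Constructed stand-in for a TUF "targets" metadata file.
    printf '{"signed": {"targets": {"pkg-1.0.tar.gz": {"length": 1234}}}}\n' \
        > "$WORK/targets.json"
    sign_file "$WORK/targets.json" "$WORK/targets.sig"
    verify_file "$WORK/targets.json" "$WORK/targets.sig" || return 1
    # Any change to the signed metadata (here: the recorded length) must
    # fail verification under the original signature.
    sed 's/1234/9999/' "$WORK/targets.json" > "$WORK/targets_tampered.json"
    if verify_file "$WORK/targets_tampered.json" "$WORK/targets.sig"; then
        return 1
    fi
    return 0
}

cleanup() { rm -rf "$WORK"; }
```

Run `demo && echo ok; cleanup` to exercise it; the same two invocations, `dgst -sign` and `dgst -verify`, are what a hypothetical extension module would wrap.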