On Thu, Jul 31, 2008 at 11:30:59AM -0700, Bart Smaalders wrote:
> Stephen Hahn wrote:
> > I am having difficulty formulating a use case where nested or multiply
> > signed packages are needed, and in which the consumer makes different
> > decisions when distinct subsets of the signing entities cannot be
> > independently verified. Maybe someone has an example?
>
> Multiply signed packages are useful, as others have pointed out, to
> permit systems to require multiple signatures, or permit alternate
> signatures.

I proposed having one signature by the pkg submitter, and one by the
publication service. The former vouching for the contents of the package
while the latter would vouch for the dependency and other such analysis.
That would allow you to separate the publication service from the
repository itself, thus making the repository OS- and platform-neutral
(since it's the publication service that inherently isn't). OTOH, it might
require folding OS and platform information into the URLs, at least for
the catalog.

> The easiest way to do this is to omit all signatures from the
> hash; adding a new signature would then not invalidate previous ones.

It might be useful to be able to include some signatures in the material
signed by any one signature -- "nested signatures" --, as well as to omit
some -- "parallel signatures." The publication service's signature should
include any signatures in the submitted pkg.

Nico
--
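The following is an added worked example, not code from the thread or from the pkg(5) project, showing the scheme under discussion: a submitter signature that is "parallel" (computed over the manifest with every signature action omitted) and a publication-service signature that is "nested" (covering the content and the submitter's signature). The manifest lines, the `signature` action and its attributes are constructed for this illustration, and HMAC-SHA256 with a shared key stands in for a real public-key signature.

```python
import hashlib
import hmac

# Constructed, IPS-style manifest (not a real package); one action per line.
MANIFEST = [
    "set name=pkg.fmri value=pkg://example/demo@1.0",
    "file path=usr/bin/demo sha256=0123abcd",
    "depend fmri=pkg:/system/library type=require",
]
# Stand-in keys: HMAC plays the role of a signature so the example runs offline.
SUBMITTER_KEY = b"submitter-secret"
PUBLISHER_KEY = b"publisher-secret"

def parse(line):
    """Split an action line into its type and a dict of key=value attributes."""
    kind, _, rest = line.partition(" ")
    return kind, dict(kv.split("=", 1) for kv in rest.split())

def digest(lines, mode, upto):
    """parallel: hash all non-signature actions (signatures never invalidate it).
    nested: hash everything that precedes position upto, signatures included."""
    if mode == "parallel":
        body = [l for l in lines if not l.startswith("signature ")]
    else:
        body = lines[:upto]
    return hashlib.sha256("\n".join(body).encode()).hexdigest()

def sign(lines, signer, key, mode):
    """Return a signature action to append to the manifest."""
    mac = hmac.new(key, digest(lines, mode, len(lines)).encode(), "sha256").hexdigest()
    return f"signature signer={signer} mode={mode} value={mac}"

def verify(lines, signer, key):
    """True if signer's signature action is present and valid for this manifest."""
    for i, line in enumerate(lines):
        kind, attrs = parse(line)
        if kind == "signature" and attrs.get("signer") == signer:
            expected = hmac.new(key, digest(lines, attrs["mode"], i).encode(),
                                "sha256").hexdigest()
            return hmac.compare_digest(expected, attrs["value"])
    return False

def publish():
    """Submitter vouches for contents; publisher vouches for analysis AND the submitter's signature."""
    m = list(MANIFEST)
    m.append(sign(m, "submitter", SUBMITTER_KEY, "parallel"))
    m.append(sign(m, "publisher", PUBLISHER_KEY, "nested"))
    return m
```

Because the publisher's signature is nested, stripping the submitter's signature out of the manifest breaks the publisher's signature, whereas a later parallel signature (say from a mirror) can be appended without invalidating either.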
