On Fri Jul 26, 2002 at 06:21:17PM +0300, Marko Karppinen wrote:
> 1. Someone from the PHP Group will be designated the PHP
> Certificate Authority. This person will, on a mostly
> non-connected system, grant certificates for all
> PEAR/PECL package maintainers. He will also maintain
> a Certificate Revocation List on www.php.net.
> The PHP CA public key will be distributed with
> all copies of PHP.
>
> 2. Package maintainers will prepare their packages like before.
> In addition to the package, they will prepare an S/MIME
> message that contains the SHA1 (RFC3174) hash of the
> package in question. The maintainers will cryptographically
> sign this message and send it to the repository along
> with the package.
>
> 3. The PEAR/PECL installer will fetch both the package and
> the accompanying S/MIME message, verifying that the
> signatory has been certified by the PHP CA. The installer
> will also check that the signatory has not been placed
> on the php.net CRL. Finally, the installer will determine
> whether the SHA1 hash in the message matches with the
> hash of the downloaded package. If not, the installation
> is aborted.
>
Will this process only apply for PECL extensions (as your subject
implies) or will it apply for PEAR packages also?
Generally, your proposal sounds fine to me.
> - We need a volunteer for the PHP CA.
Stig sounds like the man for this.
> - After this change the OpenSSL extension will be a significant
> enabler of the PEAR/PECL infrastructure. It should be
> on by default (if the host has OpenSSL installed).
What about Windows? Does it support OpenSSL "by default"?
--
- Martin
Martin Jansen
http://martinjansen.com/
--
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, visit: http://www.php.net/unsub.php