On Mon, Oct 22, 2012 at 6:20 PM, <mar...@v.loewis.de> wrote:
>
> Quoting Daniel Holth <dho...@gmail.com>:
>
>> Why are you using Ed25519 and JWS instead of PGP, S/MIME, or ECDSA?
>> Wheel's signing scheme is designed to protect against cryptography
>> that is not used. Wheel tries to encourage signing by making it very
>> fast and easy. Signature verification is encouraged by including
>> the signature in the archive itself rather than making it a separate
>> download, and by including a Python implementation of the entire
>> signing system in the reference implementation.
>>
>> JWS and Ed25519 yield small, pure-Python implementations. Ed25519
>> is fast enough that public-key cryptography can be considered for
>> applications where it was traditionally too slow to be used, so
>> wheels can be signed without worrying about performance.
>
> I believe this analysis of reasons for not using cryptography is incorrect.
> Speed never is an issue in deciding whether or not to use cryptographic
> algorithms, today (except for cases with very limited CPU capabilities).
> Instead, the primary reason for not choosing cryptography is ease-of-use.
>
> For that reason, I still think that using an established algorithm would
> be the better choice. I remain -1 on this choice.

You are right that in this application, it probably doesn't matter. In other applications like public key authentication for individual packets the Ed25519 performance is necessary. A relevant advantage is the deterministic signatures property; the PlayStation lost their key because they forgot to use randomness when generating ECDSA signatures.

_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
http://mail.python.org/mailman/listinfo/python-dev
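
The deterministic-signature point in the reply above, as an added example that is not part of the original thread: ECDSA needs a fresh secret k for every signature, and a repeated k shows up as a repeated r across different messages. This pure-Python P-256 sketch contrasts a constant nonce with one derived from key and message (a simplified stand-in for RFC 6979 or Ed25519's derivation, not either scheme) and audits the results for shared r values; `KEY`, `MSGS` and all function names are constructed for illustration.

```python
import hashlib, hmac
# NIST P-256 field prime, group order and base point (curve coefficient a = -3)
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
KEY = 0xC0FFEE                                # constructed demo key, not a real secret
MSGS = [b"wheel-1.0.whl", b"wheel-1.1.whl"]   # constructed messages

def add(p1, p2):  # affine point addition; None is the point at infinity
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 - 3) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def mul(k, pt):  # double-and-add; not constant time, demo only
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def sign(d, msg, nonce):  # ECDSA (r, s); `nonce` picks the per-signature secret k
    k = nonce(d, msg)
    z = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    r = mul(k, G)[0] % N
    return r, pow(k, -1, N) * (z + r * d) % N

def fixed_nonce(d, msg):
    return 0x1234567  # failure mode: the same k for every message
def derived_nonce(d, msg):
    # Assumption: k = HMAC-SHA256(key, msg), reduced into [1, N-1]
    mac = hmac.new(d.to_bytes(32, "big"), msg, hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % (N - 1) + 1

def reused_r(nonce):
    """Sign MSGS with `nonce`; return r values shared by different messages."""
    seen = {}
    for m in MSGS:
        seen.setdefault(sign(KEY, m, nonce)[0], set()).add(m)
    return sorted(r for r, ms in seen.items() if len(ms) > 1)
```

`reused_r(fixed_nonce)` reports one shared r, while `reused_r(derived_nonce)` reports none and signing the same message twice yields the identical signature.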