Re: Signing extensions

2009-09-26 Thread Roger Binns
Neil Hodgson wrote:
> Code signing certificates that will be valid for Windows
> Authenticode cost $129 per year through CodeProject

That isn't an amount I am prepared to pay either :-)  (I don't even use
Windows except as a glorified boot loader for Rise of Nations and to build
Python extensions.)  With the amount of hassle it causes me, I should be
paid for the development time spent on Windows issues!

> I'd like to see a certificate authority for open source projects
> based mainly on project reputation and longevity. There may need to be
> some payment to avoid flooding the CA with invalid requests - say $30
> per year. It would be great if this CA was recognised by Microsoft and
> Apple as well as Linux and BSD distributions.

It can also be solved as low down as Python itself, as opposed to open
source in general.  The Python installation could install a root CA for the
PSF certifying authority although I suspect you can't then limit its use to
only Python extensions.  (I still find it amusing that the browser will
silently accept certificates from any of the ~100 CAs that come with it.
Your identity proof is only as strong as the weakest CA in the list, not the
strongest.)

It could also be solved by the download sites. For example Google Code does
allow you to visit it via https and even displays the download page over
https, but the downloads are over http.  If it occurred to you then you can
click on the Summary+Labels for an item where they show the SHA1 of the
file, but that is even more hassle for most users.

There are some issues about identity here.

You don't really need to worry about maliciousness.  Ultimately that will
come down to reputation.  I am more concerned about download sites being
hacked or malicious proxies being inserted into the network somewhere.  It
is good enough to be able to establish if this new version of the extension
was produced by the same person as the previous version I have installed.
PGP works wonderfully for that, except for Windows where no one has it.

> The Ext1 project should be able to revoke ...

That is pretty trivial to do if using regular CAs and OCSP.  Of course
someone still has to decide if the claim of maliciousness is correct or a
joe job.

Roger

-- 
http://mail.python.org/mailman/listinfo/python-list
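The download check Roger describes (archive fetched over http, digest read from the https page) written out as an added example; this is not code from the original post or from any project. The archive bytes, the "SHA1 checksum:" page line and the function names are constructed for the example, and the digest line is parsed as untrusted input because it comes from a web page.

```python
"""Verify a downloaded extension archive against the digest published on
the (https) download page.  Added example, not from the original thread.
The sample archive and page line below are constructed for the demo."""
import hashlib
import hmac
import io

# Hash algorithm chosen by the length of the published hex digest.
_ALGO_BY_HEXLEN = {40: "sha1", 64: "sha256", 128: "sha512"}


def parse_published_digest(line):
    """Pull the hex digest out of a line such as 'SHA1 checksum: <hex>'.

    Returns (algorithm, hexdigest); raises ValueError if no hex token of a
    known digest length is present."""
    for token in line.replace(":", " ").split():
        token = token.lower()
        if len(token) in _ALGO_BY_HEXLEN and all(c in "0123456789abcdef" for c in token):
            return _ALGO_BY_HEXLEN[len(token)], token
    raise ValueError("no recognisable hex digest in %r" % line)


def digest_stream(fileobj, algorithm, chunk_size=64 * 1024):
    """Hash a file-like object in chunks so large archives are not loaded
    into memory at once."""
    h = hashlib.new(algorithm)
    while True:
        chunk = fileobj.read(chunk_size)
        if not chunk:
            break
        h.update(chunk)
    return h.hexdigest()


def verify_download(fileobj, published_line):
    """Return True only if the download matches the published digest.

    The comparison is constant-time; a mismatch means the file was altered
    somewhere between the publisher and us (hacked mirror, tampering proxy)
    or the page line itself was altered."""
    algorithm, expected = parse_published_digest(published_line)
    actual = digest_stream(fileobj, algorithm)
    return hmac.compare_digest(actual, expected)


# Constructed sample: a fake archive and the line the download page shows
# for it (the page's digest is, by construction, the digest of this file).
SAMPLE_ARCHIVE = b"PK\x03\x04" + b"example extension bytes" * 100
SAMPLE_PAGE_LINE = "SHA1 checksum: " + hashlib.sha1(SAMPLE_ARCHIVE).hexdigest()
# What a proxy that rewrote one byte in transit would deliver instead.
TAMPERED_ARCHIVE = SAMPLE_ARCHIVE[:-1] + b"\x00"


def demo():
    """Run the check on the genuine and the tampered archive."""
    ok = verify_download(io.BytesIO(SAMPLE_ARCHIVE), SAMPLE_PAGE_LINE)
    tampered = verify_download(io.BytesIO(TAMPERED_ARCHIVE), SAMPLE_PAGE_LINE)
    return ok, tampered


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The check is only as good as the channel the digest arrives over: it must come from the https page, never from the same http download, and the 2009 site published SHA1, so the parser also accepts SHA-256 and SHA-512 lengths for sites that publish those today. It establishes integrity against a tampered mirror or proxy, not who produced the file; the latter still needs a signature from a key you have pinned from an earlier release.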


Signing extensions

2009-09-25 Thread Roger Binns
I would like to digitally sign the open source Python extensions I produce.
I produce source code (zip file) as well as pre-built binaries for Windows
(all Python versions from 2.3 to 3.1).

I can sign the source using my PGP key no problem.  I could also sign the
Windows binaries that way but Windows users are unlikely to have PGP and the
Google code downloads page would look even worse having another 8 or 9 .asc
files.

The Windows Python distribution is signed by PGP and the normal Microsoft
way using a Verisign class 3 cert.  (If you read their issuer statement it
ultimately says the cert isn't worth the bits it is printed on :-)  One of
those certs is $500 per year which is out of the question for me.

Does anyone have any other suggestions?  Has the PSF considered running a
certificate authority for extension developers, and other Python developers
for that matter?

Roger

-- 
http://mail.python.org/mailman/listinfo/python-list