The big problem here, of course, is "key management"; what happens when someone
throws their laptop in a river.
https://github.com/ahf/teneo indicates to me that it may be possible to use a
KDF to get an Ed25519 key from a passphrase that the user remembers,
minilock-style, largely mitigating
On Tue, Mar 14, 2017 at 12:34 AM, Nick Coghlan wrote:
> On 14 March 2017 at 09:41, Nathaniel Smith wrote:
>>
>> On Fri, Mar 10, 2017 at 7:55 AM, Nick Coghlan wrote:
>> > On 11 March 2017 at 00:52, Nathaniel Smith wrote:
>>
The wheel command implements but never fully realized the commands 'wheel
keygen', 'wheel sign' for a bundled signature scheme (where the signature
is inside the signed file) inspired by JAR signing and based on Ed25519
primitives + JSON web signature / JSON web key. The idea was to have wheel
On 14 March 2017 at 15:48, Glyph Lefkowitz wrote:
>
> 2. Except, as stated - i.e. hashes without signatures - this just means we
> all trust GitHub rather than PyPI :).
>
Yeah, HTTPS would still be a common point of compromise - that kind of
simple scheme would just let