On 3 January 2015 at 02:12, Donald Stufft <donald@stufft.io> wrote:

On Jan 2, 2015, at 10:51 AM, Nick Coghlan <ncoghlan@gmail.com> wrote:

Getting them to manage additional keys, and get them signed and registered appropriately, and then supplying them is going to be a similar amount of work, and the purpose is far more cryptic and confusing. My proposal is basically that instead of asking developers to manage signing keys, we should instead be asking them to manage an account on a validation server (or servers).

I need to think more about the rest of what you’ve said (and I don’t think it’s a short term problem), but I just wanted to point out that “managing keys” can be as simple as “create a secondary pass(word|phrase) and remember it/write it down/whatever”. It doesn’t need to be “secure this file and copy it around to all of your computers”. Likewise there’s no reason that “delegate authority to someone else” can’t be something like ``twine add-maintainer pip pfmoore``.

Yeah, I'm confident that the UI can be made relatively straightforward regardless of how we make the actual validation work. The part I haven't got the faintest clue how to do for the PEP 480 version is building viable "folk models" of what those commands are doing on the back end that will give people confidence that they understand what is going on just from using the tools, rather than leaving them wondering why they need a secondary password, etc.

From a technical perspective, I don't think the validation server idea is superior to PEP 480. Where I think it's superior is that I'm far more confident in my ability to explain to a developer with zero security background how separate validation servers provide increased security, as the separation of authority would be structural in addition to mathematical. While the real security would still be coming from the maths, a folk model that believes it is coming from the structural separation between the publication server and the metadata validation servers will be good enough for most practical purposes, and unless someone is particularly interested in the mathematical details, they can largely be handwaved away with "the separation of responsibilities between the services is enforced mathematically".

Cheers,
Nick.

--
Nick Coghlan   |   ncoghlan@gmail.com   |   Brisbane, Australia