
Hi all,

I've updated PEP 439 to note the outcome of the recent discussion regarding setuptools dependencies and a couple of other minor things.

The changes are viewable here: http://hg.python.org/peps/diff/0d57c70eff91/pep-0439.txt

Richard

Made some progress on the wheel signature system that fills my design requirements of being key-centric and emphatically not GPG.

It turns out RSA signature verification is just pow(signature, pubkey.e, pubkey.n) and some hashing. You would be able to use "openssl genrsa -out private.pem 2048" to generate the private key, "openssl dgst -sha256 -sign private.pem -binary < partial_jws_blob" to do the actual signature, and use key fingerprints (the same 32-byte length as literal Ed25519 public keys) when asking for "something signed with a particular key or keys". RSA, while producing slower and bigger signatures than the elliptic curve Ed25519, would be more palatable to some by being a more conservative choice, and you would be able to use openssl for key management.

The idea of "multiple signatures / no key revocation" would be limited to "we don't have tuf yet" installs of things like pip or tuf itself; once tuf was available, more complex trust delegation would be available and more subtle attacks could be detected. The idea is to have a security system with a tiny implementation when you do not have, want or need something more complex.

On Mon, Mar 25, 2013 at 11:55 PM, Richard Jones <r1chardj0n3s@gmail.com> wrote:
> Hi all,
> I've updated PEP 439 to note the outcome of the recent discussion regarding setuptools dependencies and a couple of other minor things.
> The changes are viewable here: http://hg.python.org/peps/diff/0d57c70eff91/pep-0439.txt
> Richard

_______________________________________________
Distutils-SIG maillist - Distutils-SIG@python.org
http://mail.python.org/mailman/listinfo/distutils-sig
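As an added example (not Daniel's code, nor anything from pip, wheel or TUF), the following pure-Python sketch shows the "pow(signature, e, n) plus hashing" verification of an RSA PKCS#1 v1.5 / SHA-256 signature of the kind `openssl dgst -sha256 -sign ... -binary` emits, plus a 32-byte key fingerprint. The key (a product of two Mersenne primes, chosen only so the example is deterministic and offline), the fingerprint encoding and the JWS blob are constructed demo values, not part of any proposal here.

```python
import hashlib

# Constructed demo key: two well-known Mersenne primes, so the modulus is
# public and trivially factorable. It only makes the example deterministic;
# a real key comes from "openssl genrsa -out private.pem 2048".
P = (1 << 521) - 1
Q = (1 << 607) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # modulus length in bytes (141 here)

# DER prefix of DigestInfo for SHA-256 (RFC 8017, section 9.2, note 1)
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def emsa_pkcs1_v15(message: bytes, k: int) -> bytes:
    """Build 00 01 FF..FF 00 DigestInfo(SHA-256(message)), exactly k bytes."""
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    ps_len = k - len(t) - 3
    if ps_len < 8:  # RFC 8017 minimum padding length
        raise ValueError("modulus too short for SHA-256 PKCS#1 v1.5")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + t


def sign(message: bytes, d: int = D, n: int = N) -> bytes:
    """What 'openssl dgst -sha256 -sign private.pem -binary' computes."""
    em = int.from_bytes(emsa_pkcs1_v15(message, K), "big")
    return pow(em, d, n).to_bytes(K, "big")


def verify(message: bytes, signature: bytes, e: int = E, n: int = N) -> bool:
    """pow(signature, e, n) and some hashing. The expected encoded block is
    rebuilt and compared whole, instead of parsing padding out of the
    recovered value, so lax-padding verifier bugs have no room to appear."""
    if len(signature) != K:
        return False
    s = int.from_bytes(signature, "big")
    if s >= n:
        return False
    em = pow(s, e, n).to_bytes(K, "big")
    return em == emsa_pkcs1_v15(message, K)


def key_fingerprint(e: int = E, n: int = N) -> bytes:
    """32-byte key id: SHA-256 over a constructed (e, n) encoding. The message
    only fixes the length; it does not specify the encoding, this one is assumed."""
    return hashlib.sha256(e.to_bytes(4, "big") + n.to_bytes(K, "big")).digest()
```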
Participants (2): Daniel Holth, Richard Jones