[Python-checkins] peps: explain signing scheme in faq
daniel.holth
python-checkins at python.org
Mon Oct 22 18:15:55 CEST 2012
http://hg.python.org/peps/rev/760e17a922a7
changeset: 4566:760e17a922a7
user: Daniel Holth <dholth at fastmail.fm>
date: Mon Oct 22 12:16:24 2012 -0400
summary:
explain signing scheme in faq
files:
pep-0427.txt | 28 +++++++++++++++++++++++++---
1 files changed, 25 insertions(+), 3 deletions(-)
diff --git a/pep-0427.txt b/pep-0427.txt
--- a/pep-0427.txt
+++ b/pep-0427.txt
@@ -289,9 +289,9 @@
See
- http://self-issued.info/docs/draft-ietf-jose-json-web-signature.html
-- http://self-issued.info/docs/draft-jones-json-web-signature-json-serialization-01.html
-- http://self-issued.info/docs/draft-ietf-jose-json-web-key-05.html
-- http://self-issued.info/docs/draft-jones-jose-json-private-key-00.html
+- http://self-issued.info/docs/draft-jones-jose-jws-json-serialization.html
+- http://self-issued.info/docs/draft-ietf-jose-json-web-key.html
+- http://self-issued.info/docs/draft-jones-jose-json-private-key.html
Comparison to .egg
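Review bot: the three replaced links drop their draft numbers (-01, -05, -00) in favour of unversioned URLs, and the first link, draft-ietf-jose-json-web-signature.html, is unversioned as well, so these references will silently track whatever draft is current at self-issued.info rather than the revision the wheel signature format was written against. Since a signature produced under one JWS/JWK draft may not verify under a later one, a normative reference should pin a specific draft revision (or the eventual RFC once published) and the text should say which revision wheel implements.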
@@ -329,6 +329,28 @@
your code. The .data directory is just a place for any files that are
not normally installed inside ``site-packages`` or on the PYTHONPATH.
+Why are you using Ed25519 and JWS instead of PGP, S/MIME, or ECDSA?
+ Wheel's signing scheme is designed to protect against cryptography
+ that is not used. Wheel tries to encourage signing by making it very
+ fast and easy. Signature verification is encouraged by including
+ the signature in the archive itself rather than making it a separate
+ download, and by including a Python implementation of the entire
+ signing system in the reference implementation.
+
+ JWS and Ed25519 yield small, pure-Python implementations. Ed25519
+ is fast enough that public-key cryptography can be considered for
+ applications where it was traditionally too slow to be used, so
+ wheels can be signed without worrying about performance. In Ed25519,
+ unlike ECDSA, only key generation, but not signing, depends on
+ a continuing high-quality source of entropy. The combination of
+ increased performance, convenience, and availability compared to
+ using a separate program means digital signatures can always be
+ enabled in wheel.
+
+ Wheel uses simplified keys and a signature system where key generation
+ is about as fast as signing, making it possible to consider signing
+ keys an abundant resource. Keys could represent a build server or
+ a package rather than the publisher's entire digital identity.
Copyright
=========
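Review bot: the new FAQ entry explains why signing is cheap but says nothing about how a verifier obtains the public key or decides to trust it, and the last paragraph makes this more important, not less: if keys represent a build server or a single package rather than the publisher's identity, the reader needs to know how the expected key is bound to a given wheel (out-of-band distribution, a key listed in the index, or a trust-on-first-use policy), because an embedded signature verifies only against whatever key the installer has been told to expect. A cross-reference to the section that defines key distribution and verification policy would close that gap; the opening sentence "designed to protect against cryptography that is not used" could also be sharpened to state directly that the main threat being addressed is signing being skipped because it is slow or inconvenient.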
--
Repository URL: http://hg.python.org/peps