[Python-checkins] peps: explain signing scheme in faq

daniel.holth python-checkins at python.org
Mon Oct 22 18:15:55 CEST 2012 

http://hg.python.org/peps/rev/760e17a922a7
changeset:   4566:760e17a922a7
user:        Daniel Holth <dholth at fastmail.fm>
date:        Mon Oct 22 12:16:24 2012 -0400
summary:
  explain signing scheme in faq

files:
  pep-0427.txt |  28 +++++++++++++++++++++++++---
  1 files changed, 25 insertions(+), 3 deletions(-)


diff --git a/pep-0427.txt b/pep-0427.txt
--- a/pep-0427.txt
+++ b/pep-0427.txt
@@ -289,9 +289,9 @@
 See
 
 - http://self-issued.info/docs/draft-ietf-jose-json-web-signature.html
-- http://self-issued.info/docs/draft-jones-json-web-signature-json-serialization-01.html
-- http://self-issued.info/docs/draft-ietf-jose-json-web-key-05.html
-- http://self-issued.info/docs/draft-jones-jose-json-private-key-00.html
+- http://self-issued.info/docs/draft-jones-jose-jws-json-serialization.html
+- http://self-issued.info/docs/draft-ietf-jose-json-web-key.html
+- http://self-issued.info/docs/draft-jones-jose-json-private-key.html
 
 
 Comparison to .egg
@@ -329,6 +329,28 @@
     your code.  The .data directory is just a place for any files that are
     not normally installed inside ``site-packages`` or on the PYTHONPATH.
 
+Why are you using Ed25519 and JWS instead of PGP, S/MIME, or ECDSA?
+    Wheel's signing scheme is designed to protect against cryptography
+    that is not used.  Wheel tries to encourage signing by making it very
+    fast and easy.  Signature verification is encouraged by including
+    the signature in the archive itself rather than making it a separate
+    download, and by including a Python implementation of the entire
+    signing system in the reference implementation.
+
+    JWS and Ed25519 yield small, pure-Python implementations.  Ed25519
+    is fast enough that public-key cryptography can be considered for
+    applications where it was traditionally too slow to be used, so
+    wheels can be signed without worrying about performance.  In Ed25519,
+    unlike ECDSA, only key generation, but not signing, depends on
+    a continuing high-quality source of entropy.  The combination of
+    increased performance, convenience, and availability compared to
+    using a separate program means digital signatures can always be
+    enabled in wheel.
+
+    Wheel uses simplified keys and a signature system where key generation
+    is about as fast as signing, making it possible to consider signing
+    keys an abundant resource.  Keys could represent a build server or
+    a package rather than the publisher's entire digital identity.
 
 Copyright
 =========

-- 
Repository URL: http://hg.python.org/peps

More information about the Python-checkins mailing list