
coapp-developers team mailing list archive

Re: Codesigning for the masses.

 

Hmm. Yeah, we'll definitely have to set up an OCSP responder. (Gonna have to think about that one a bit more). In the short run we can make sure we have a CRL in place.

I've got some bigger ideas on how to bring a complete WoT into it, but I suspect we'll be well served by starting with just the CoApp CA and move towards the higher goals as we can.

I think that I've got some small work to do with the bootstrapper so that when CoApp bootstraps you see the Outercurve cert, but when the actual package installs, if you elevate, you see *that* publisher... not too hard tho; luckily I already pick and choose when to elevate.

G

________________________________________
From: coapp-developers-bounces+garretts=microsoft.com@xxxxxxxxxxxxxxxxxxx [coapp-developers-bounces+garretts=microsoft.com@xxxxxxxxxxxxxxxxxxx] on behalf of William A. Rowe Jr. [wmrowe@xxxxxxxxx]
Sent: Wednesday, January 04, 2012 1:47 PM
To: Mark Stone
Cc: coapp-developers@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Coapp-developers] Codesigning for the masses.

On 1/4/2012 1:31 PM, Mark Stone wrote:
>
> I guess my first question would be: "If this is such a great idea, why isn't it already
> being done elsewhere?".

It is... that's precisely what most packagers do, they ship out their
pgp keys and have the user add this to their web of trust in order to
accept packages for the new version / validated by the new pgp key.

On Windows, it isn't... I think nobody's had the balls to replace the
root chain.  I half expect a long rant from Gibson explaining how CoApp
seeks to eliminate all the security from the internet :-P

Brilliant Garrett, as the 'umbrella' of a distinct 'environment', it
seems entirely sensible to inject a root key and treat this as a WoT.  If
we have the capacity, it would be helpful to inject the OCSP authority
and set up an OCSP responder.

Of course code signing and revocation all mean nothing with system
services at startup time, prior to having a useful network stack.

_______________________________________________
Mailing list: https://launchpad.net/~coapp-developers
Post to     : coapp-developers@xxxxxxxxxxxxxxxxxxx
Unsubscribe : https://launchpad.net/~coapp-developers
More help   : https://help.launchpad.net/ListHelp



