Bikeshed detected. RSA primitives exist in pure Python just fine too, FYI.

In TUF (theupdateframework) key revocation is handled entirely inside the framework. No trust comes from outside the system and something like an OCSP server is not needed. Consider that keys can be revoked per-project, for example when a developer leaves one project and joins another. (This has nothing to do with the signature algorithm.)

On Wed, Feb 20, 2013 at 3:25 PM, Jeremy Stanley <[email protected]> wrote:
> On 2013-02-20 21:12:18 +0100 (+0100), M.-A. Lemburg wrote:
> [...]
> > At that point, the SSL infrastructure becomes just as difficult to
> > deal with as GPG/PGP, so there isn't much to win both ways, IMO.
> > You just have to deal with it...
>
> And OpenPGP/GnuPG has the benefit that most prominent free software
> developers use it and have done so for many years, have their keys
> published in well-known keyservers, established web of trust, et
> cetera. S/MIME, while interesting, lacks significant penetration
> into the free software developer community and is mostly the domain
> of enterprises and commercial interests.
> --
> { PGP( 48F9961143495829 ); FINGER( [email protected] );
> WWW( http://fungi.yuggoth.org/ ); IRC( [email protected]#ccl );
> WHOIS( STANL3-ARIN ); MUD( [email protected]:6669 ); }
> _______________________________________________
> Catalog-SIG mailing list
> [email protected]
> http://mail.python.org/mailman/listinfo/catalog-sig
