[fossil-users] Digital signatures on check-ins. Was: tangent vs. wyoung on recent commit

Suppose Fossil were enhanced to show an icon beside each check-in that
indicated whether or not the check-in had been signed and whether the
signature had been verified.  Thus, there are three states:  (1)
unsigned, (2) signed but unverified, and (3) signed and verified.
What would the three icons for these three states look like?  And
where would they be placed?  Beside the username?

--
D. Richard Hipp
d...@sqlite.org
___
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users

Re: [fossil-users] Digital signatures on check-ins. Was: tangent vs. wyoung on recent commit

On 21 December 2017 at 13:46, Richard Hipp wrote:
> Suppose Fossil were enhanced to show an icon beside each check-in that
> indicated whether or not the check-in had been signed and whether the
> signature had been verified.  Thus, there are three states:  (1)
> unsigned, (2) signed but unverified, and (3) signed and verified.
> What would the three icons for these three states look like?  And
> where would they be placed?  Beside the username?

3) Small green lock, like you see in your browser for https
2) Unlocked & red
1) Locked, but grey

I would think hovering over the icon would show some text, such as
"This commit is signed & verified".

> And where would they be placed? Beside the username?

I think that's a good starting point, perhaps left of the username.

How are the signatures verified?

> --
> D. Richard Hipp
> d...@sqlite.org

--
---
inum: 883510009027723
sip: jungleboo...@sip2sip.info

Re: [fossil-users] Digital signatures on check-ins. Was: tangent vs. wyoung on recent commit

On Thu, Dec 21, 2017 at 3:58 PM, jungle Boogie wrote:
> On 21 December 2017 at 13:46, Richard Hipp wrote:
> > Suppose Fossil were enhanced to show an icon beside each check-in that
> > indicated whether or not the check-in had been signed and whether the
> > signature had been verified.  Thus, there are three states:  (1)
> > unsigned, (2) signed but unverified, and (3) signed and verified.
> > What would the three icons for these three states look like?  And
> > where would they be placed?  Beside the username?
>
> 3) Small green lock, like you see in your browser for https
> 2) Unlocked & red
> 1) Locked, but grey
>

Nice

> I would think hovering over the icon would show some text, such as
> "This commit is signed & verified".
>
> > And where would they be placed? Beside the username?
>
> I think that's a good starting point, perhaps left of the username.
>
> How are the signatures verified?
>

There are several Key Servers available, so it should probably be
configurable.

And if it is configurable, would there be a Key Server per repository or a
Key Server per user? Or both?

Re: [fossil-users] Digital signatures on check-ins. Was: tangent vs. wyoung on recent commit

On 12/21/17, jungle Boogie wrote:
>
> How are the signatures verified?

Signatures are not verified, at the moment.

Probably each repository would have a set of trusted public keys.
Then as each check-in is received via push (or during a rebuild) those
with signatures have the signatures verified using the set of trusted
keys.  Those for which the keys are unknown get marked as signed but
unverified.

The signatures are currently generated by running gpg in a separate
process.  I suppose the verification step could do something similar.

Hey - I suppose there is a fourth state:  (4) Forgery:  The signature
does not match.

--
D. Richard Hipp
d...@sqlite.org

Re: [fossil-users] Digital signatures on check-ins. Was: tangent vs. wyoung on recent commit

Forged should be a skull and crossbones.

I would think yellow and red unlocked locks and green locked locks, but
definitely with hover text for those of us with faulty color perception.

On Dec 21, 2017 3:16 PM, "Richard Hipp" wrote:
> On 12/21/17, jungle Boogie wrote:
> >
> > How are the signatures verified?
>
> Signatures are not verified, at the moment.
>
> Probably each repository would have a set of trusted public keys.
> Then as each check-in is received via push (or during a rebuild) those
> with signatures have the signatures verified using the set of trusted
> keys.  Those for which the keys are unknown get marked as signed but
> unverified.
>
> The signatures are currently generated by running gpg in a separate
> process.  I suppose the verification step could do something similar.
>
> Hey - I suppose there is a fourth state:  (4) Forgery:  The signature
> does not match.
> --
> D. Richard Hipp
> d...@sqlite.org

Re: [fossil-users] Digital signatures on check-ins. Was: tangent vs. wyoung on recent commit

For what it's worth, I submitted a patch a while back to add S/MIME
support to Fossil's signature scheme.  I still apply this patch to Fossil
when I use it.

S/MIME uses PKI and is primarily used for non-repudiation or encryption
in email (every major email client supports it out of the box).  PKI is
also used for HTTPS.

On Thu, 21 Dec 2017, Richard Hipp wrote:
> On 12/21/17, jungle Boogie wrote:
> >
> > How are the signatures verified?
>
> Signatures are not verified, at the moment.
>
> Probably each repository would have a set of trusted public keys.
> Then as each check-in is received via push (or during a rebuild) those
> with signatures have the signatures verified using the set of trusted
> keys.  Those for which the keys are unknown get marked as signed but
> unverified.
>
> The signatures are currently generated by running gpg in a separate
> process.  I suppose the verification step could do something similar.
>
> Hey - I suppose there is a fourth state:  (4) Forgery:  The signature
> does not match.
> --
> D. Richard Hipp
> d...@sqlite.org

Re: [fossil-users] Digital signatures on check-ins. Was: tangent vs. wyoung on recent commit

On 21 December 2017 at 14:16, Richard Hipp wrote:
> On 12/21/17, jungle Boogie wrote:
>>
>> How are the signatures verified?
>
> Signatures are not verified, at the moment.
>
> Probably each repository would have a set of trusted public keys.
> Then as each check-in is received via push (or during a rebuild) those
> with signatures have the signatures verified using the set of trusted
> keys.  Those for which the keys are unknown get marked as signed but
> unverified.
>

Gotcha. I was assuming this was already implemented and I missed a
feature like this.
I like the idea of the repo keeping track of the keys, rather than a
key server _in this instance_. Fossil, while distributed, can work
where there's no internet. If that's the case, keys wouldn't be
verified.

> The signatures are currently generated by running gpg in a separate
> process.  I suppose the verification step could do something similar.
>
> Hey - I suppose there is a fourth state:  (4) Forgery:  The signature
> does not match.

I like SDR's response!

> --
> D. Richard Hipp
> d...@sqlite.org

--
---
inum: 883510009027723
sip: jungleboo...@sip2sip.info

Re: [fossil-users] Digital signatures on check-ins. Was: tangent vs. wyoung on recent commit

On Dec 21, 2017, at 2:58 PM, jungle Boogie wrote:
>
> 3) Small green lock, like you see in your browser for https
> 2) Unlocked & red
> 1) Locked, but grey

That’s going to make the red-green color blind unhappy:

    https://en.wikipedia.org/wiki/Color_blindness#Red%E2%80%93green_color_blindness

There are browser plugins to simulate the various forms of color
blindness.  It’s fascinating to play with them for a while.

I’d recommend designing three distinct black-filled SVG icons, then style
as follows:

1. Drop the opacity of all signedness-state icons to blend it with the
   background, giving a darker form of the skin’s BG color:

       svg.signState { opacity: 0.4; }

2. Change the inner fill color of the icons based on applied classes:

       svg.signed.inner { fill: deepskyblue; }
       svg.forged.inner { fill: firebrick; }

The unsigned state has no tint in this example, but it should still have
a distinct CSS class so that skin authors can recolor it to suit their
taste and accessibility requirements.

>> And where would they be placed? Beside the username?

Works for me.

> I think that's a good starting point, perhaps left of the username.

I think right, simply because it’s currently ordered most-clicked to
least-clicked, more or less.

> How are the signatures verified?

There are lots and lots of ways because there is no single best answer.
Some ideas:

1. Add a column to the Fossil users table.  Add a text input field on
   Admin > Users accepting a GPG public key.  Also add an Admin
   preference for whether this column syncs between clones by default,
   which effectively controls whether trust is transitive.

   Downside: the Fossil Admin gets to maintain yet another
   authentication system.

2. Pull from a PGP key server by email parsed from the current Contact
   Info column.

   Downside: all the problems of PGP email.

3. Delegate identity to another provider via any of

       https://en.wikipedia.org/wiki/Federated_identity
       https://en.wikipedia.org/wiki/Identity_management_system

You might need a pluggable architecture so that Fossil can ship with the
first two, but BigCorp can swap in an LDAP or RADIUS back end.  It
*might* be sufficient to allow this to be done via Tcl, as that should
give you access to quite a few protocol clients, and the ability to write
more at need.

Re: [fossil-users] Digital signatures on check-ins. Was: tangent vs. wyoung on recent commit

On 21 December 2017 at 15:03, Warren Young wrote:
> On Dec 21, 2017, at 2:58 PM, jungle Boogie wrote:
>>
>> 3) Small green lock, like you see in your browser for https
>> 2) Unlocked & red
>> 1) Locked, but grey
>
> That’s going to make the red-green color blind unhappy:
>
>     https://en.wikipedia.org/wiki/Color_blindness#Red%E2%80%93green_color_blindness
>

You're right, I wasn't taking that into account.

>>> And where would they be placed? Beside the username?
>
> Works for me.
>
>> I think that's a good starting point, perhaps left of the username.
>
> I think right, simply because it’s currently ordered most-clicked to
> least-clicked, more or less.
>

In between the username and date/time or right of date/time?

--
---
inum: 883510009027723
sip: jungleboo...@sip2sip.info

Re: [fossil-users] Digital signatures on check-ins. Was: tangent vs. wyoung on recent commit

Thus said Richard Hipp on Thu, 21 Dec 2017 16:46:05 -0500:

> Suppose Fossil were enhanced to show an icon beside each check-in that
> indicated whether or not the check-in had been signed and whether the
> signature had been verified.

Regarding such an enhancement, would it involve configuring an external
tool that is passed the content (perhaps on stdin) and then returns
success/fail/whatever semantics Fossil defines?

If so, I can see this being quite useful to integrate with any kind of
content verification system, and not just PGP. One could write a wrapper
around gpg, signify, openssl, or even submit it to a virus scanner if
they wanted, and Fossil could report the ``verification'' of it.

Andy
--
TAI64 timestamp: 40005a3c8ffe

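
The verification flow discussed in this thread (Richard Hipp's per-repository set of trusted keys with its four states, and Andy's external tool fed the content on stdin), as an added example that is not part of any post and is not Fossil's code. It assumes the artifact is gpg-clearsigned and that trust is a set of key fingerprints; the names `gpg_status`, `classify` and the sample data are hypothetical.

```python
import subprocess

CLEARSIGN = b"-----BEGIN PGP SIGNED MESSAGE-----"
UNSIGNED, UNVERIFIED, VERIFIED, FORGED = (
    "unsigned", "signed-unverified", "signed-verified", "forged")

def gpg_status(artifact: bytes, keyring: str) -> str:
    """Feed the artifact to gpg on stdin; return its machine-readable status."""
    proc = subprocess.run(
        ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring,
         "--status-fd", "1", "--verify"],
        input=artifact, stdout=subprocess.PIPE, stderr=subprocess.DEVNULL)
    return proc.stdout.decode("utf-8", "replace")

def classify(artifact: bytes, status: str, trusted: set) -> str:
    """Map gpg status lines to the four states discussed in the thread."""
    if not artifact.lstrip().startswith(CLEARSIGN):
        return UNSIGNED
    # Only "[GNUPG:] KEYWORD args..." lines count, never human-readable text.
    events = [l.split()[1:] for l in status.splitlines()
              if l.startswith("[GNUPG:] ")]
    keywords = {e[0] for e in events if e}
    if "BADSIG" in keywords:          # signature does not match the content
        return FORGED
    # VALIDSIG carries the signing-key fingerprint first and, in current
    # gpg versions, the primary-key fingerprint last.
    fprs = {f.upper() for e in events if e[:1] == ["VALIDSIG"] and len(e) > 1
            for f in (e[1], e[-1])}
    # GOODSIG is required as well: an expired or revoked key produces
    # EXPKEYSIG or REVKEYSIG instead and must not count as verified.
    if "GOODSIG" in keywords and fprs & trusted:
        return VERIFIED
    return UNVERIFIED                 # unknown, untrusted, expired or revoked key

# Constructed sample data (not real keys, not captured gpg output).
FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
SIGNED = CLEARSIGN + b"\nHash: SHA256\n\nC constructed\\scheck-in\n"
GOOD = ("[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed User\n"
        f"[GNUPG:] VALIDSIG {FPR} 2017-12-21 1513893600 0 4 0 1 8 01 {FPR}\n")
UNKNOWN = ("[GNUPG:] ERRSIG 89ABCDEF01234567 1 8 01 1513893600 9\n"
           "[GNUPG:] NO_PUBKEY 89ABCDEF01234567\n")
BAD = "[GNUPG:] BADSIG 89ABCDEF01234567 Constructed User\n"

if __name__ == "__main__":
    for name, st in (("good", GOOD), ("unknown", UNKNOWN), ("bad", BAD)):
        print(name, classify(SIGNED, st, {FPR}))
```
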
Re: [fossil-users] Digital signatures on check-ins. Was: tangent vs. wyoung on recent commit

On Dec 21, 2017, at 4:03 PM, Warren Young wrote:
>
> I’d recommend designing three distinct black-filled SVG icons

Another idea: Unicode may have characters you can use as icons.

    Lock:  http://www.fileformat.info/info/unicode/char/1f512/
    Open:  http://www.fileformat.info/info/unicode/char/1f513/
    Roger: http://www.fileformat.info/info/unicode/char/2620/

That then requires that you’ve got local fonts that include these
characters, of course.  SVG could at least be embedded into the HTML, or
into CSS via a content:url("data:…") reference:

    https://css-tricks.com/css-content/

Re: [fossil-users] Digital signatures on check-ins. Was: tangent vs. wyoung on recent commit

On Dec 21, 2017, at 4:57 PM, jungle Boogie wrote:
>
> On 21 December 2017 at 15:03, Warren Young wrote:
>> On Dec 21, 2017, at 2:58 PM, jungle Boogie wrote:
>>> perhaps left of the username.
>>
>> I think right, simply because it’s currently ordered most-clicked to
>> least-clicked, more or less.
>>
>
> In between the username and date/time or right of date/time?

I was thinking far right, after the tag in the Modern view.  I sometimes
click on the checkin ID, I almost never click on the user name, and when
I click on a tag, it’s generally from some other view than the Timeline.

I’m predicting that these icons will be even less-often clicked.  You’ll
want to see them far more often than you’ll want to poke into the details
behind them.  A detail view could occasionally be useful for roughly the
same sorts of reasons that you occasionally want to look at some site’s
TLS cert in a browser.

New thought: Don’t bother making it configurable to hide these icons.
That can be done at the skin level:

    svg.signState { display: none; }

That doesn’t just make the icon invisible, it takes no space, so you
don’t leave an icon-sized gap in the page layout.

Re: [fossil-users] Digital signatures on check-ins. Was: tangent vs. wyoung on recent commit

On Fri 22 Dec 2017 6:13 AM, Warren Young wrote:
> On Dec 21, 2017, at 4:57 PM, jungle Boogie wrote:
> >
> > On 21 December 2017 at 15:03, Warren Young wrote:
> >> On Dec 21, 2017, at 2:58 PM, jungle Boogie wrote:
> >>> perhaps left of the username.
> >>
> >> I think right, simply because it’s currently ordered most-clicked to
> >> least-clicked, more or less.
> >>
> >
> > In between the username and date/time or right of date/time?
>
> I was thinking far right, after the tag in the Modern view.  I sometimes
> click on the checkin ID, I almost never click on the user name, and when I
> click on a tag, it’s generally from some other view than the Timeline.

Oh, I was thinking in the overview section of a commit, left of the
username:

    http://www4.fossil-scm.org/info/8a53d4016ee960ab

Shift what's there down a bit to have the icon line up with the other
records above and below.

With what you said, I do think that placement is nice.