On Tue, Oct 23, 2012 at 1:42 AM, wrote:
> I'm also -1 on the notion that the entire key distribution matter is out
> of scope. With that approach, I feel that the package signing is essentially
> pointless.
>
> As a general note on this, this entire issue lacks a threat model:
> what kind of att
On Tue, Oct 23, 2012 at 7:46 AM, wrote:
> That's exactly what I want: it (PEP 427) should use one of the algorithms
> that is built-in (into web signatures). Web signatures give a choice of
> three algorithms; yet Daniel proposes to deviate and use a non-builtin
> algorithm.
>
> None of the algor
Quoting "Stephen J. Turnbull":
mar...@v.loewis.de writes:
> Instead, the primary reason for not choosing cryptography is ease-of-use.
>
> For that reason, I still think that using an established algorithm would
> be the better choice.
I don't understand this. An established algorithm
Quoting Daniel Holth:
Well, let's try again. I know Ed25519 is not on anyone's list, but I
would like to show at minimum that it is interesting.
I have no doubt about that, and I believe that this ("it is interesting")
might be your primary motivation for using it, i.e. "coolness", which
i
Well, let's try again. I know Ed25519 is not on anyone's list, but I
would like to show at minimum that it is interesting.
%timeit wheel.tool.unpack('lxml-3.0.1-cp27-none-linux_x86_64.whl')
10 loops, best of 3: 123 ms per loop
.unpack() verifies the signature and extracts the file. Installation
i
You could just include a different algorithm. He meant that the speed of
ed25519 is not an advantage in this use case. Did I mention that its C
implementation has defense against timing attacks?
On Oct 22, 2012 8:24 PM, "Stephen J. Turnbull" wrote:
> mar...@v.loewis.de writes:
>
> > Instead, the
mar...@v.loewis.de writes:
> Instead, the primary reason for not choosing cryptography is ease-of-use.
>
> For that reason, I still think that using an established algorithm would
> be the better choice.
I don't understand this. An established algorithm might be
cryptographically safer, but
On Mon, Oct 22, 2012 at 6:20 PM, wrote:
>
> Quoting Daniel Holth:
>
>
>> Why are you using Ed25519 and JWS instead of PGP, S/MIME, or ECDSA?
>> Wheel's signing scheme is designed to protect against cryptography
>> that is not used. Wheel tries to encourage signing by making it very
>>
Quoting Daniel Holth:
Why are you using Ed25519 and JWS instead of PGP, S/MIME, or ECDSA?
Wheel's signing scheme is designed to protect against cryptography
that is not used. Wheel tries to encourage signing by making it very
fast and easy. Signature verification is encouraged
On Mon, Oct 22, 2012 at 4:12 PM, Antoine Pitrou wrote:
> On Mon, 22 Oct 2012 15:49:34 -0400
> Daniel Holth wrote:
>> On Mon, Oct 22, 2012 at 3:37 PM, Antoine Pitrou wrote:
>> > On Mon, 22 Oct 2012 15:20:01 -0400
>> > Daniel Holth wrote:
>> >>
>> >> The decoded contents are like the JSON documen
On Mon, 22 Oct 2012 15:49:34 -0400
Daniel Holth wrote:
> On Mon, Oct 22, 2012 at 3:37 PM, Antoine Pitrou wrote:
> > On Mon, 22 Oct 2012 15:20:01 -0400
> > Daniel Holth wrote:
> >>
> >> The decoded contents are like the JSON documents at
> >> http://www.python.org/dev/peps/pep-0427/#json-web-sign
On Mon, Oct 22, 2012 at 3:37 PM, Antoine Pitrou wrote:
> On Mon, 22 Oct 2012 15:20:01 -0400
> Daniel Holth wrote:
>>
>> The decoded contents are like the JSON documents at
>> http://www.python.org/dev/peps/pep-0427/#json-web-signatures-extensions
>>
>> Signing is implemented at:
>> https://bitbuc
On Mon, 22 Oct 2012 15:20:01 -0400
Daniel Holth wrote:
>
> The decoded contents are like the JSON documents at
> http://www.python.org/dev/peps/pep-0427/#json-web-signatures-extensions
>
> Signing is implemented at:
> https://bitbucket.org/dholth/wheel/src/tip/wheel/signatures/__init__.py?at=def
On Mon, Oct 22, 2012 at 3:07 PM, Antoine Pitrou wrote:
> On Mon, 22 Oct 2012 12:51:19 -0400
> Daniel Holth wrote:
>> On Thu, Oct 18, 2012 at 3:37 PM, Daniel Holth wrote:
>> > On Thu, Oct 18, 2012 at 2:21 PM, wrote:
>> >> I'm -1 on the usage of ed25519 in PEP 427. While the PEP proposes to use
On Mon, 22 Oct 2012 12:51:19 -0400
Daniel Holth wrote:
> On Thu, Oct 18, 2012 at 3:37 PM, Daniel Holth wrote:
> > On Thu, Oct 18, 2012 at 2:21 PM, wrote:
> >> I'm -1 on the usage of ed25519 in PEP 427. While the PEP proposes to use
> >> JSON
> >> Web signatures, this algorithm is not supported
On Thu, Oct 18, 2012 at 3:37 PM, Daniel Holth wrote:
> On Thu, Oct 18, 2012 at 2:21 PM, wrote:
>> I'm -1 on the usage of ed25519 in PEP 427. While the PEP proposes to use
>> JSON
>> Web signatures, this algorithm is not supported by the current JWS draft
>> [1].
>>
>> Instead, I suggest to use t
On Thu, Oct 18, 2012 at 2:21 PM, wrote:
> I'm -1 on the usage of ed25519 in PEP 427. While the PEP proposes to use
> JSON
> Web signatures, this algorithm is not supported by the current JWS draft
> [1].
>
> Instead, I suggest to use the ES256 algorithm from JWS, i.e. ECDSA with the
> NIST P-256
I'm -1 on the usage of ed25519 in PEP 427. While the PEP proposes to use JSON
Web signatures, this algorithm is not supported by the current JWS draft [1].
Instead, I suggest to use the ES256 algorithm from JWS, i.e. ECDSA with the
NIST P-256 curve and SHA-256. This has the advantage of using sta
18 matches