hexpm / specifications

Specifications for using and implementing Hex protocols

Registry signing #2

Closed ericmj closed 8 years ago

ericmj commented 8 years ago

/cc @jcspencer @hexpm/contributors @hexpm/rebar3

ferd commented 8 years ago

Is there any plan to provide ways to revoke keys and/or fetch new ones? The problem with this scheme is that if a key is compromised and a new one is released, all existing clients are still subject to attacks by virtue of being stuck with an old key.

Regular SSL certs do so by using revocation lists and GPG by having the ability to publish signed revocation certificates telling you stuff is outdated.

ericmj commented 8 years ago

There is no plan for that currently but I am open to proposals for how revocation should work.

Currently if a key is compromised it will be announced on the website and any other forums we have. Users will have to install a new public key with their client or update their client.

ferd commented 8 years ago

One easy/simple idea I didn't think through fully is to use a file or directory of revocation certs on the site. It would be interesting and something that client software could periodically verify; since such a revocation cert can only be generated by someone with the private key for the actual cert, client software could periodically (or on-demand) look it up and see if the key is still valid and prompt for an update otherwise.
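The client-side check sketched in the comment above, as an added Go example that is not hexpm code and not part of this PR: a revocation statement is accepted only if it names the pinned key and is signed by that same key. The Ed25519 algorithm, the key-id scheme and the message format are assumptions for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Revocation is the hypothetical statement served by the site: it names the
// key being revoked and carries a signature made with that very key.
type Revocation struct {
	KeyID     string // hex of the revoked public key (constructed id scheme)
	Signature []byte // ed25519 signature over revocationMessage(KeyID)
}

func KeyID(pub ed25519.PublicKey) string { return hex.EncodeToString(pub) }

// Domain-separated message so the signature cannot be replayed elsewhere.
func revocationMessage(keyID string) []byte {
	return []byte("hex-registry-key-revocation-v0:" + keyID)
}

// SignRevocation is run by the key holder; without priv it cannot be produced.
func SignRevocation(priv ed25519.PrivateKey) Revocation {
	id := KeyID(priv.Public().(ed25519.PublicKey))
	return Revocation{KeyID: id, Signature: ed25519.Sign(priv, revocationMessage(id))}
}

// CheckPinnedKey is the periodic client check: true means the pinned key is
// revoked and the user must fetch a new one. A statement about some other key
// is ignored; one not signed by the pinned key itself is rejected as forged.
func CheckPinnedKey(pinned ed25519.PublicKey, rev *Revocation) (bool, error) {
	if rev == nil || rev.KeyID != KeyID(pinned) {
		return false, nil
	}
	if !ed25519.Verify(pinned, revocationMessage(rev.KeyID), rev.Signature) {
		return false, errors.New("revocation not signed by the pinned key")
	}
	return true, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	_, other, _ := ed25519.GenerateKey(rand.Reader)
	rev := SignRevocation(priv)
	fmt.Println(CheckPinnedKey(pub, &rev)) // true <nil>
	forged := Revocation{KeyID: KeyID(pub), Signature: ed25519.Sign(other, revocationMessage(KeyID(pub)))}
	fmt.Println(CheckPinnedKey(pub, &forged)) // false, error
}
```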

ericmj commented 8 years ago

@ferd Your idea sounds interesting and should be a definitive improvement over the current verification scheme. Would you mind writing up a rough specification for your proposal as a PR?

jcspencer commented 8 years ago

In terms of this update to the documentation: looks good to merge 👍

I agree with Fred's idea in terms of revocation certificates. Maybe it can be split into a separate issue?

On 6 March 2016 7:57:59 PM AEDT, "Eric Meadows-Jönsson" notifications@github.com wrote:

@ferd Your idea sounds interesting and should be a definitive improvement over the current verification scheme. Would you mind writing up a rough specification for your proposal as a PR?


ericmj commented 8 years ago

I am going ahead with this and making it part of the spec; it can later be extended to support offline keys and revocation. Thanks for your input.