
[Monotone-devel] [stone in the pond] OpenPGP signatures?


From: Lapo Luchini
Subject: [Monotone-devel] [stone in the pond] OpenPGP signatures?
Date: Tue, 10 Oct 2006 20:16:26 +0200
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.0.7) Gecko/20060909 Thunderbird/1.5.0.7 Mnenhy/0.7.4.0 Hamster/2.0.0.1

No no, I'm not talking about importing raw RSA data or such.
I was just thinking: would it be useful (at least to someone) to support
OpenPGP signatures on "something", just as projects (sometimes =P) feel
it useful to sign tarballs? And, if the answer is positive, "what"?

My personal brainstorming:
(some things partially true, some debatable, some plain false... that's
the very idea of "brainstorming" after all...)

It could be useful because...
a. it delegates the problem of trust to an existing web of trust
b. many people know it already and feel confident in its signatures
c. people could check the signature "manually"

It could be used to sign...
a. manifests, because they directly contain the hashes of every file
contained in the project (and if you trust SHA1 you trust SHA1, and if
you don't... then you can't use PGP web of trust anyway!)
b. revisions, because they contain the hash of the manifest, are
smaller, and the signature could even be stored in a cert

In fact I think a "openpgp" cert containing the raw detached signature
would probably be the best, and it could be done entirely with a small
script or wrapper.
The easiest way could be to directly put the "armor" in the cert, but
that would be unnecessarily large and bulky... can a cert contain a binary
value?
As a SQLite3 field I know it can, but as a command line parameter of
"mtn cert" I guess it cannot.

Just to be fair:

It would NOT be useful, or would even be downright disruptive, because:
a. it instills the doubt that mtn's own signatures are "less worthy"
b. it adds much data but pretty much nothing, security-wise, in the DB
c. the very idea of needing an external and existing trust is debatable

--
Lapo Luchini
address@hidden (OpenPGP & X.509)
www.lapo.it (Jabber, ICQ, MSN)
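As an added example (not from the mail above, and not monotone's or GnuPG's own code) of the armor-versus-binary question the post raises: a small Python module that converts a detached signature between OpenPGP ASCII armor and its raw packet bytes, checking the armor's CRC-24 (RFC 4880 section 6.1) on the way back, and measures how much the armor inflates the value a wrapper would have to store in a cert. SAMPLE_SIG is a constructed byte string, not a real signature packet.

```python
import base64
import re

# OpenPGP CRC-24 parameters from RFC 4880, section 6.1.
CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB

# Constructed placeholder standing in for a binary detached signature packet.
SAMPLE_SIG = b"\x89\x00\x10" + bytes(range(16))

def crc24(data: bytes) -> int:
    """Compute the CRC-24 that OpenPGP appends to an armored block."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF

def armor(sig: bytes) -> str:
    """Wrap raw signature bytes in ASCII armor (no armor header lines)."""
    body = base64.b64encode(sig).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    crc = base64.b64encode(crc24(sig).to_bytes(3, "big")).decode("ascii")
    return "\n".join(["-----BEGIN PGP SIGNATURE-----", ""] + lines
                     + ["=" + crc, "-----END PGP SIGNATURE-----", ""])

def dearmor(text: str) -> bytes:
    """Strip the armor, verify its CRC-24, and return the raw packet bytes."""
    pattern = (r"-----BEGIN PGP SIGNATURE-----\n(?:[^\n]+\n)*\n"   # optional headers, blank line
               r"(.*?)\n=([A-Za-z0-9+/]{4})\n-----END PGP SIGNATURE-----")
    m = re.search(pattern, text, re.S)
    if not m:
        raise ValueError("not an armored OpenPGP signature")
    raw = base64.b64decode("".join(m.group(1).split()))
    expected = int.from_bytes(base64.b64decode(m.group(2)), "big")
    if crc24(raw) != expected:
        raise ValueError("armor CRC-24 mismatch: block was altered or truncated")
    return raw

def armor_overhead(sig: bytes) -> float:
    """Ratio of armored size to raw size, i.e. the cost of storing armor in a cert."""
    return len(armor(sig)) / len(sig)

if __name__ == "__main__":
    text = armor(SAMPLE_SIG)
    print(text)
    print("round trip ok:", dearmor(text) == SAMPLE_SIG)
    print("armor overhead: %.2fx" % armor_overhead(bytes(range(256))))
```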