[Python-Dev] PEP 427 comment: code signing
martin at v.loewis.de
Thu Oct 18 20:21:14 CEST 2012
I'm -1 on the usage of ed25519 in PEP 427. While the PEP proposes to use JSON Web signatures, this algorithm is not supported by the current JWS draft [1]. Instead, I suggest using the ES256 algorithm from JWS, i.e. ECDSA with the NIST P-256 curve and SHA-256. This has the advantage of using standard algorithms [2].

I don't know what the rationale for suggesting ed25519 is; I suppose that existence of a pure-Python implementation played a role. However:

- ECDSA also has a pure-Python implementation
- ECDSA is well-supported by OpenSSL, i.e. a signature generator may also invoke the OpenSSL command line for efficient implementation. I believe M2Crypto also exposes enough of OpenSSL to perform ECDSA signing and verification.

I'm -0 on the use of JWS; I would prefer a signature format that is already an established internet standard (such as PGP or S/MIME). However, it does look like this may become a proper internet standard in the near future, so it's an ok choice.

If it really must be ed25519, I request that this is registered with IANA once the PEP is accepted, the RFC is accepted, and the JWS algorithm registry is open.

Regards,
Martin

[1] http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-06
[2] http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-06
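An added example, not part of the original message: if ES256 signatures are produced by OpenSSL as suggested above, the output is a DER-encoded ECDSA-Sig-Value, whereas JWS ES256 carries R and S as two fixed-width 32-byte big-endian values, so a conversion step is needed in both directions. The function names are hypothetical, no key handling or signing is performed here, and only the encoding is shown.

```python
import base64
import json

def b64url(data: bytes) -> str:
    """base64url without padding, as used by JWS compact serialization."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def signing_input(payload: bytes) -> bytes:
    """Bytes that are signed for ES256: b64url(header) '.' b64url(payload)."""
    header = json.dumps({"alg": "ES256"}, separators=(",", ":")).encode()
    return (b64url(header) + "." + b64url(payload)).encode("ascii")

def der_to_jose(der: bytes, size: int = 32) -> bytes:
    """Convert DER SEQUENCE{INTEGER r, INTEGER s} to fixed-width R||S."""
    if len(der) < 8 or der[0] != 0x30 or der[1] >= 0x80 or der[1] != len(der) - 2:
        raise ValueError("not a short-form DER SEQUENCE")
    pos, parts = 2, []
    for _ in range(2):
        if pos + 2 > len(der) or der[pos] != 0x02:
            raise ValueError("expected INTEGER")
        length = der[pos + 1]
        body = der[pos + 2 : pos + 2 + length]
        if length == 0 or len(body) != length or body[0] & 0x80:
            raise ValueError("truncated or negative INTEGER")
        value = int.from_bytes(body, "big")
        if value.bit_length() > size * 8:
            raise ValueError("INTEGER too large for curve")
        parts.append(value.to_bytes(size, "big"))  # left-pad to fixed width
        pos += 2 + length
    if pos != len(der):
        raise ValueError("trailing bytes after signature")
    return b"".join(parts)

def jose_to_der(sig: bytes, size: int = 32) -> bytes:
    """Convert fixed-width R||S back to DER so OpenSSL can verify it."""
    if len(sig) != 2 * size:
        raise ValueError("ES256 signature must be exactly 64 bytes")
    out = b""
    for chunk in (sig[:size], sig[size:]):
        body = chunk.lstrip(b"\x00") or b"\x00"   # minimal encoding
        if body[0] & 0x80:
            body = b"\x00" + body                 # keep INTEGER positive
        out += bytes([0x02, len(body)]) + body
    return bytes([0x30, len(out)]) + out

def compact_jws(payload: bytes, der_sig: bytes) -> str:
    """Assemble header.payload.signature from a DER signature."""
    return signing_input(payload).decode() + "." + b64url(der_to_jose(der_sig))
```

A verifier that rejects any decoded signature segment whose length is not exactly 64 bytes catches the common mistake of embedding the DER form directly.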