Linux Archive

Linux Archive (http://www.linux-archive.org/)
-   Debian Development (http://www.linux-archive.org/debian-development/)
-   -   Bug#579177: ITP: xul-ext-monkeysphere -- Iceweasel/Firefox extension for using Monkeysphere on the web (http://www.linux-archive.org/debian-development/361855-bug-579177-itp-xul-ext-monkeysphere-iceweasel-firefox-extension-using-monkeysphere-web.html)

Jameson Graef Rollins 04-25-2010 10:44 PM

Bug#579177: ITP: xul-ext-monkeysphere -- Iceweasel/Firefox extension for using Monkeysphere on the web
 
Package: wnpp
Severity: wishlist
Owner: Jameson Rollins <jrollins@finestructure.net>
Owner: Jameson Rollins <jrollins@finestructure.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

* Package name : xul-ext-monkeysphere
Version : 0.1
Upstream Author : monkeysphere@lists.riseup.net
* URL : http://web.monkeysphere.info/
* License : GPLv3
Programming Lang: javascript
Description : Iceweasel/Firefox extension for using Monkeysphere on the web

Monkeysphere is a system for using the OpenPGP web of trust as a PKI
for rsa keys.
.
This extensions enables Monkeysphere checking of X.509 certificates
from https hosts whose keys are in the web of trust.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQIcBAEBCAAGBQJL1MXNAAoJEO00zqvie6q8gB8P/iGOhMgFRqIGeONEF6xR/ANv
V+Kwq3NMWT5AEApltFV6JKcpKmpTafET8WLOOlS9Ro1bjFAJ4H 8D5Ae1OwlHF4F1
EHHeMeLZ4uheB3HEQZ6h29hDio8/N4wZEDNJmequ23NC+V2SXtDqxY2KJ77kNEsP
IWcbbuJQLQRcpihBz9Z58KuylMj1OMFzkesXo6q/lv6bPnIo+0L/IlakSxXP0uTE
mGc4H/2NBt+qkOUqRxHLySrsxNSaxwr46UekpDeQfSyNH2jzNE3Wtal9 WrFHPiOa
jl86fUqZols0HCDCQTe4EL4NoBLyHyfjFtywjip9LUK6u8rKEP hlFtjX4jwOVOlL
Q3cNTyIVDp5Td0WKqFpmLc8QhnVdkMw7wXBswieywfhfdb+9zJ 4KlK2HBa9FiXIb
zk4U+3uF5gqZsthPfW6RQBsCHeYOiUjp+R/LSiucOoFXZKVcGJpB9ZXYpaCJHEkF
nhBFIvxJ5hlNKOwnt6a95aqcM34fR/tAO2D66dJnK452xiSYzh3rWRTcJywKt4ZL
VMyPCaR51UDyuSA6NgcGMw2vxwoKbIesgPzZXHw+5wWw2DeUV1 sGJcPqs6UlEQaT
b4zi0ALl3ZgBH6rMtmlFhCZHfxANDdo0vNNiA1X7B5UgB+tL+D NuaMP4/yfNG6MR
nmGSen+o53Ljt8ZxHmW7
=d48a
-----END PGP SIGNATURE-----



--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 20100425224433.14724.16411.reportbug@localhost">ht tp://lists.debian.org/20100425224433.14724.16411.reportbug@localhost

Frank Lin PIAT 05-02-2010 09:36 PM

Bug#579177: ITP: xul-ext-monkeysphere -- Iceweasel/Firefox extension for using Monkeysphere on the web
 
On Sun, 2010-04-25 at 18:44 -0400, Jameson Graef Rollins wrote:
> * Package name : xul-ext-monkeysphere
> Version : 0.1

The package description could mention that this is an
early/alpha/experimental release, to avoid deception (and encourage
feed-back)


> Description : Iceweasel/Firefox extension for using Monkeysphere on the web
>
> Monkeysphere is a system for using the OpenPGP web of trust
> as a PKI for rsa keys.
^^^ Is it appropriate to name those keys "RSA"

Wouldn't it be better to state that it's a replacement for X509
certificates? (there is probably an even better wording, but I can't
find it).

> This extensions enables Monkeysphere checking of X.509 certificates
> from https hosts whose keys are in the web of trust.

The long description should mention that this package contains an
Iceweasel extensions, maybe:
"This package contains an Iceweasel/Firefox extensions to use
Monkeysphere for checking of X.509 certificates from https hosts
whose keys are in the web of trust."


My 2 cents,

Franklin


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 1272836217.5782.2566.camel@solid.paris.klabs.be">h ttp://lists.debian.org/1272836217.5782.2566.camel@solid.paris.klabs.be

Jameson Rollins 05-03-2010 04:13 PM

Bug#579177: ITP: xul-ext-monkeysphere -- Iceweasel/Firefox extension for using Monkeysphere on the web
 
Hi, Frank. Thanks so much for the feedback. Responses below.

On Sun, 02 May 2010 23:36:57 +0200, Frank Lin PIAT <fpiat@klabs.be> wrote:
> On Sun, 2010-04-25 at 18:44 -0400, Jameson Graef Rollins wrote:
> > * Package name : xul-ext-monkeysphere
> > Version : 0.1
>
> The package description could mention that this is an
> early/alpha/experimental release, to avoid deception (and encourage
> feed-back)

This extension definitely is in the early stages of development, but it
is working for most cases now, and the developers are using it
routinely. I'm also not sure how we would indicate that it's "alpha" or
"experimental" in the Package: or Version: fields of the control file,
which I think is what you're implying. Do you have a suggestion for
that?

> Wouldn't it be better to state that it's a replacement for X509
> certificates? (there is probably an even better wording, but I can't
> find it).

Monkeysphere is not actually a replacement for X.509, at least not in
the sense of using Monkeysphere *or* X.509. The goal of Monkeysphere,
broadly, is to expand the usage of OpenPGP for authentication on the
net. In the context of the web, the Monkeysphere xul extension can be
used to validate sites that have put their host keys on the OpenPGP Web
of Trust (WOT). However, the extension actually currently relies upon
sites providing an X.509 certificate through normal TLS channels. We
provide a fallback validation check using the WOT when the standard
X.509 validation fails. Our goal is not to disrupt standard X.509
validation if the user wishes to continue to rely upon it, but to
instead provide an alternative to standard X.509 validation that uses
OpenPGP and the WOT.

I agree, though, that it is relevant to mention X.509 in the package
description, at least in the sense of providing an alternative, but I
feel like we're currently doing that with this bit:

> > This extensions enables Monkeysphere checking of X.509 certificates
> > from https hosts whose keys are in the web of trust.

Does this not seem clear enough? Or is there something else that we're
missing in the description to make things clearer?

> The long description should mention that this package contains an
> Iceweasel extensions, maybe:
> "This package contains an Iceweasel/Firefox extensions to use
> Monkeysphere for checking of X.509 certificates from https hosts
> whose keys are in the web of trust."

Good point. We'll fix that.

> My 2 cents,

Always appreciated!

jamie.

Frank Lin PIAT 05-03-2010 10:05 PM

Bug#579177: ITP: xul-ext-monkeysphere -- Iceweasel/Firefox extension for using Monkeysphere on the web
 
On Mon, 2010-05-03 at 12:13 -0400, Jameson Rollins wrote:
> Hi, Frank. Thanks so much for the feedback. Responses below.
>
> On Sun, 02 May 2010 23:36:57 +0200, Frank Lin PIAT <fpiat@klabs.be> wrote:
> > On Sun, 2010-04-25 at 18:44 -0400, Jameson Graef Rollins wrote:
> > > * Package name : xul-ext-monkeysphere
> > > Version : 0.1
> >
> > The package description could mention that this is an
> > early/alpha/experimental release, to avoid deception (and encourage
> > feed-back)
>
> This extension definitely is in the early stages of development, but it
> is working for most cases now, and the developers are using it
> routinely. I'm also not sure how we would indicate that it's "alpha" or
> "experimental" in the Package: or Version: fields of the control file,
> which I think is what you're implying. Do you have a suggestion for
> that?

I have gathered some existing "excuses", but none seems to fit your
need.
http://wiki.debian.org/PackagesDescriptions/Fragments
Based on what you told, upstream might want to number it 0.9 ;)
Still, let me give a try:
"Although the program is still in development stage, It already
have some useful features, and it is quite stable"

Feel free to adjust or rewrite it.

> > Wouldn't it be better to state that it's a replacement for X509
> > certificates? (there is probably an even better wording, but I can't
> > find it).
>
> Monkeysphere is not actually a replacement for X.509, at least not in
> the sense of using Monkeysphere *or* X.509. The goal of Monkeysphere,
> broadly, is to expand the usage of OpenPGP for authentication on the
> net. In the context of the web, the Monkeysphere xul extension can be
> used to validate sites that have put their host keys on the OpenPGP Web
> of Trust (WOT). However, the extension actually currently relies upon
> sites providing an X.509 certificate through normal TLS channels. We
> provide a fallback validation check using the WOT when the standard
> X.509 validation fails. Our goal is not to disrupt standard X.509
> validation if the user wishes to continue to rely upon it, but to
> instead provide an alternative to standard X.509 validation that uses
> OpenPGP and the WOT.

ok we "just" have to figure out how to write that in 4 or 5 lines ;)

"Monkeysphere uses OpenPGP's Web of Trust to validate X509
certificates that aren't signed by a known certificate authorities
(CA)."

We could also something like this:

"In regular public key infrastructure (PKI), X509 certificates
are signed by a third party organisations, that are considered to
be trusted by both the webserver-admin and the web-browser vendor."


> I agree, though, that it is relevant to mention X.509 in the package
> description, at least in the sense of providing an alternative, but I
> feel like we're currently doing that with this bit:
>
> > > This extensions enables Monkeysphere checking of X.509 certificates
> > > from https hosts whose keys are in the web of trust.
>
> Does this not seem clear enough? Or is there something else that we're
> missing in the description to make things clearer?
>
> > The long description should mention that this package contains an
> > Iceweasel extensions, maybe:
> > "This package contains an Iceweasel/Firefox extensions to use
> > Monkeysphere for checking of X.509 certificates from https hosts
> > whose keys are in the web of trust."
>
> Good point. We'll fix that.

Again, just my 2 cents ;)

Franklin


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 1272924329.3999.930.camel@solid.paris.klabs.be">ht tp://lists.debian.org/1272924329.3999.930.camel@solid.paris.klabs.be


All times are GMT. The time now is 03:39 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.