[Python-Dev] PEP 427 comment: code signing

Antoine Pitrou solipsis at pitrou.net
Mon Oct 22 21:07:46 CEST 2012


On Mon, 22 Oct 2012 12:51:19 -0400
Daniel Holth <dholth at gmail.com> wrote:
> On Thu, Oct 18, 2012 at 3:37 PM, Daniel Holth <dholth at gmail.com> wrote:
> > On Thu, Oct 18, 2012 at 2:21 PM,  <martin at v.loewis.de> wrote:
> >> I'm -1 on the usage of ed25519 in PEP 427. While the PEP proposes to use
> >> JSON Web signatures, this algorithm is not supported by the current JWS
> >> draft [1].
> >>
> >> Instead, I suggest using the ES256 algorithm from JWS, i.e. ECDSA with the
> >> NIST P-256 curve and SHA-256. This has the advantage of using standard
> >> algorithms [2].
> >>
> >> I don't know what the rationale for suggesting ed25519 is; I suppose that
> >> the existence of a pure-Python implementation played a role. However:
> >> - ECDSA also has a pure-Python implementation
> >> - ECDSA is well-supported by OpenSSL, i.e. a signature generator may also
> >>   invoke the OpenSSL command line for efficient implementation. I believe
> >>   M2Crypto also exposes enough of OpenSSL to perform ECDSA signing and
> >>   verification.
> 
> Added a FAQ entry:
> 
> Why are you using Ed25519 and JWS instead of PGP, S/MIME, or ECDSA?
>     Wheel's signing scheme is designed to protect against cryptography
>     that is not used.  Wheel tries to encourage signing by making it very
>     fast and easy.  Signature verification is encouraged by including
>     the signature in the archive itself rather than making it a separate
>     download, and by including a Python implementation of the entire
>     signing system in the reference implementation.

Can you explain how the RECORD.jws file is obtained (and, if possible,
post an example of what it looks like)?
Specifically, which data is signed exactly? The binary contents of the
RECORD file? Something else?

Thanks

Antoine.



