Hello, I would like to sign my gem package that I am going to distribute soon. My question is, why will people trust my certificate? How can I make my certificate trustworthy to people? Of course, without spending any money!! Thanks, Mohammad
on 2005-12-21 18:56
on 2005-12-21 21:24
* Mohammad K. (email@example.com) wrote:
> Hello,
>
> I would like to sign my gem package that I am going to distribute soon.
> My question is, why will people trust my certificate?
> How can I make my certificate trustworthy to people? Of course, without
> spending any money!!

I had hoped some sort of Rubygems public key infrastructure (PKI) would materialize (I talk about that a little in the gem signing documentation, and suggested a hypothetical geographic system). Since this One True RubyGems PKI (tm) hasn't materialized, you could include a PGP fingerprint (or public key) in the gem itself, sign the root issuing certificate (if there's only one certificate involved, then it's self-signed, and it is the root certificate) with the PGP key, post the signature online, and distribute your PGP public key via PGP keyservers.

Obviously that doesn't really mitigate the trust issue; a PGP-signed signature of an X509 certificate really only verifies that the PGP signer is vouching for the X509 certificate in question. It doesn't provide any indication that the PGP signer or the certificate owner is who they say they are, who you think they are, or (most importantly) whether you can trust either.

Unlike traditional X509-based PKI (the trust model used in Rubygems), PGP has a distributed trust model (versus the hierarchical X509 model), and an established decentralized key distribution infrastructure (versus X509, which is almost always centralized). The advantage to this method is that you're leveraging PGP's distributed trust model for X509 certificate distribution, and the RubyGems gem signing for simplicity (e.g., once users have the X509 certificate/X509 certificate chain loaded into rubygems, they don't have to hand-verify each gem released by you any more).

Ultimately, trust is a client-side issue. Your certificate may be signed, verified, validated, and trusted up the wazoo, and end users still might not trust it, for whatever reason.
Hope that helps, and sorry about the long-winded response!
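The X509 half of the scheme described above, as an added example in Ruby (not code from the thread or from RubyGems itself): it builds a self-signed root certificate with plain OpenSSL, signs a constructed stand-in for the gem contents, computes the fingerprint you would publish under your PGP signature, and shows that the client-side check only passes once the user has added that root to their trust store. The function names and the e-mail address are made up for this example; real gem signing signs metadata.gz and data.tar.gz through Gem::Security.

```ruby
require 'openssl'

# Build a self-signed root certificate, as `gem cert --build` does.
def build_root_cert(email)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.new([['CN', email]])
  cert.issuer     = cert.subject # issuer == subject: self-signed, so this is the root
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 365 * 24 * 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign,digitalSignature', true))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# SHA-256 fingerprint of the DER certificate: the short value you would
# publish out of band (e.g. PGP-signed) so users can check the cert they got.
def fingerprint(cert)
  OpenSSL::Digest::SHA256.hexdigest(cert.to_der).scan(/../).join(':')
end

# Author side: sign the gem contents with the certificate's private key.
def sign_gem_data(key, data)
  key.sign(OpenSSL::Digest.new('SHA256'), data)
end

# Client side: the chain must first lead to a certificate the user trusts
# (the `gem cert --add` step); only then is the content signature checked.
def verify_gem(cert, signature, data, trusted_certs)
  store = OpenSSL::X509::Store.new
  trusted_certs.each { |c| store.add_cert(c) }
  return :untrusted_chain unless store.verify(cert)
  return :bad_signature unless cert.public_key.verify(OpenSSL::Digest.new('SHA256'), signature, data)
  :ok
end

if __FILE__ == $PROGRAM_NAME
  cert, key = build_root_cert('mohammad@example.com') # constructed address
  data = 'constructed stand-in for data.tar.gz'
  sig = sign_gem_data(key, data)
  puts "fingerprint: #{fingerprint(cert)}"
  puts verify_gem(cert, sig, data, [])     # untrusted_chain: root not yet trusted
  puts verify_gem(cert, sig, data, [cert]) # ok: root added to the trust store
end
```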