explain signing scheme in faq
This commit is contained in:
parent 651e54d7e2
commit a75301cf3d
pep-0427.txt: 28 changed lines
@ -289,9 +289,9 @@ the signature.
See

- http://self-issued.info/docs/draft-ietf-jose-json-web-signature.html
- http://self-issued.info/docs/draft-jones-json-web-signature-json-serialization-01.html
- http://self-issued.info/docs/draft-ietf-jose-json-web-key-05.html
- http://self-issued.info/docs/draft-jones-jose-json-private-key-00.html
- http://self-issued.info/docs/draft-jones-jose-jws-json-serialization.html
- http://self-issued.info/docs/draft-ietf-jose-json-web-key.html
- http://self-issued.info/docs/draft-jones-jose-json-private-key.html


Comparison to .egg
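Review bot: the hunk header (-289,9 +289,9) means three of the seven listed draft URLs are being swapped for three others, but the whole list still points at unversioned drafts on self-issued.info, a personal site, so a reader cannot tell which revision of the JWS/JWK drafts the wheel signature format is pinned to, and the links will break as the drafts advance. Suggest citing each draft by its IETF name with the revision number the reference implementation follows (e.g. `draft-ietf-jose-json-web-signature-NN`, NN being the actual revision), since the on-disk signature format depends on that revision and verifiers written against a different one will reject valid signatures.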
@ -329,6 +329,28 @@ Wheel defines a .data directory. Should I put all my data there?
your code. The .data directory is just a place for any files that are
not normally installed inside ``site-packages`` or on the PYTHONPATH.

Why are you using Ed25519 and JWS instead of PGP, S/MIME, or ECDSA?
Wheel's signing scheme is designed to protect against cryptography
that is not used. Wheel tries to encourage signing by making it very
fast and easy. Signature verification is encouraged by including
the signature in the archive itself rather than making it a separate
download, and by including a Python implementation of the entire
signing system in the reference implementation.

JWS and Ed25519 yield small, pure-Python implementations. Ed25519
is fast enough that public-key cryptography can be considered for
applications where it was traditionally too slow to be used, so
wheels can be signed without worrying about performance. In Ed25519,
unlike ECDSA, only key generation, but not signing, depends on
a continuing high-quality source of entropy. The combination of
increased performance, convenience, and availability compared to
using a separate program means digital signatures can always be
enabled in wheel.

Wheel uses simplified keys and a signature system where key generation
is about as fast as signing, making it possible to consider signing
keys an abundant resource. Keys could represent a build server or
a package rather than the publisher's entire digital identity.

Copyright
=========
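Review bot: the new FAQ answer says verification is encouraged by shipping the signature inside the archive, but nothing in this hunk says how a verifier learns which public key to trust; a signature checked against a key that travels with the same wheel only shows the archive is self-consistent, and whoever can replace the wheel can replace both. Suggest adding a sentence after "signing system in the reference implementation." that points to where the PEP specifies how the expected public key is obtained (pinned by the installer, distributed out of band, or published by the index), because the per-build-server and per-package keys described in the last paragraph are only useful once that step is defined. The opening sentence, "designed to protect against cryptography that is not used", is also easy to misread; stating plainly that the design goal is to make signing cheap enough that it is always on would say the same thing unambiguously.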