git@vger.kernel.org list mirror (unofficial, one of many)
 help / color / Atom feed
* [RFC] Improved git signing interface
@ 2019-07-22 14:16 Ibrahim El Rhezzali
  2019-07-30  6:59 ` Jeff King
  0 siblings, 1 reply; 3+ messages in thread
From: Ibrahim El Rhezzali @ 2019-07-22 14:16 UTC (permalink / raw)
  To: git

Hi Everyone,

I have been selected by the Linux Foundation to work on a summer
project. I would like to abstract the git signing interface and add
support for signatures using decentralized identifiers (DID).
Decentralized identifiers are an emerging standard [0] that allows
individuals to control their own digital identities, and is often
called self-sovereign identity (SSI). The SSIMeetup is a good place to
learn more about SSI [1] and DIDs [2].

The project’s current goal is to abstract the current GPG interface
into a more ‘generic’ API that supports the existing OpenPGP and X.509
functionality while creating the ability to write additional signature
drivers.

I have implemented a prototype that works and passes all tests, and in
the coming weeks I plan to submit a series of patches for your review.
I first need to clean up the Git history to make it easy to follow. I
will also ensure that people using the current approach to GPG signing
can use the proposed approach with only minor changes. The flag
“--gpg-sign” would evolve to “---sign”, though I would like to
preserve an alias to the old flag if possible. My prototype has
already implemented configuration aliases to ensure that the new
approach is backwards compatible with previous configuration. I am
also working to update the documentation to explain the new approach.

You can inspect my work in my fork of Git here:
https://github.com/ibrahimel/did-git-impl

I created a view model diagram to describe the intended result and the
files that would be impacted and can be viewed here:
https://github.com/ibrahimel/did-git-impl/blob/did-git-impl-signing/Documentation/technical/signing-interface.png

This project is a continuation of David Huseby’s previous work on the
subject, which can be found here:
https://github.com/dhuseby/did-git-spec

Please let me know if you have any comment on the design and the
previous work done so far. I look forward to learning from your
experience.

Thanks,
Ibrahim

[0] https://w3c-ccg.github.io/did-spec/
[1] https://ssimeetup.org/story-open-ssi-standards-drummond-reed-evernym-webinar-1/
[2] https://ssimeetup.org/decentralized-identifiers-did-fundamental-block-self-sovereign-identity-drummond-reed-webinar-2/

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [RFC] Improved git signing interface
  2019-07-22 14:16 [RFC] Improved git signing interface Ibrahim El Rhezzali
@ 2019-07-30  6:59 ` Jeff King
  2019-08-14  8:48   ` Ibrahim El Rhezzali
  0 siblings, 1 reply; 3+ messages in thread
From: Jeff King @ 2019-07-30  6:59 UTC (permalink / raw)
  To: Ibrahim El Rhezzali; +Cc: git

On Mon, Jul 22, 2019 at 04:16:15PM +0200, Ibrahim El Rhezzali wrote:

> I have been selected by the Linux Foundation to work on a summer
> project. I would like to abstract the git signing interface and add
> support for signatures using decentralized identifiers (DID).
> Decentralized identifiers are an emerging standard [0] that allows
> individuals to control their own digital identities, and is often
> called self-sovereign identity (SSI). The SSIMeetup is a good place to
> learn more about SSI [1] and DIDs [2].
> 
> The project’s current goal is to abstract the current GPG interface
> into a more ‘generic’ API that supports the existing OpenPGP and X.509
> functionality while creating the ability to write additional signature
> drivers.

Neat. I'm always wary of supporting "emerging standards", because
sometimes they turn out not to emerge and you are left with historical
cruft. :) But if your changes to Git are mostly around making the
signing config more generic, I think that is something people are
interested in (signify has come up as a possibility before).

You might find this discussion interesting (that patch and the
sub-thread):

 https://public-inbox.org/git/20180409204129.43537-9-mastahyeti@gmail.com/

One of the points I think people didn't like was how Git would detect
signatures embedded in objects (i.e., is matching PEM-like lines enough,
or what would other signing systems want?).

That patch was later dropped in favor of the work from Henning Schild:

  https://public-inbox.org/git/cover.1531208187.git.henning.schild@siemens.com/

which is much more geared at just adding gpgsm support. There were
various discussions about how it could eventually be extended to new
formats. I skimmed over the documentation from your branch and it looks
like a pretty sane layout, with backwards compatibility.

> I have implemented a prototype that works and passes all tests, and in
> the coming weeks I plan to submit a series of patches for your review.
> I first need to clean up the Git history to make it easy to follow. I
> will also ensure that people using the current approach to GPG signing
> can use the proposed approach with only minor changes. The flag
> “--gpg-sign” would evolve to “---sign”, though I would like to
> preserve an alias to the old flag if possible.

Yes, this must not be "minor changes" but "no changes" to be accepted.
It's OK to deprecate things, but old options cannot immediately stop
working. From this email and looking at your config patches, it looks
like that's the route you plan to take. Good.

I look forward to seeing the cleaned-up patches. :)

-Peff

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [RFC] Improved git signing interface
  2019-07-30  6:59 ` Jeff King
@ 2019-08-14  8:48   ` Ibrahim El Rhezzali
  0 siblings, 0 replies; 3+ messages in thread
From: Ibrahim El Rhezzali @ 2019-08-14  8:48 UTC (permalink / raw)
  To: Jeff King; +Cc: git

Thank you very much Jeff for looking into the proposal and for
pointing out the previous threads on the subject.

I understand your concern on 'emerging technologies' and new tools.
But to clarify, the current work and patches do not include any new
tools, and is merely a cleaning of the signing config and interface
that would make it easier in the future to add compatibility for any
signing tool.

The current changes maintain full backward compatibility and all
existing tests pass. I will hopefully be submitting the patches in the
coming days.

Thank you again for checking the proposal.

 -Ibrahim

On Tue, Jul 30, 2019 at 8:59 AM Jeff King <peff@peff.net> wrote:
>
> On Mon, Jul 22, 2019 at 04:16:15PM +0200, Ibrahim El Rhezzali wrote:
>
> > I have been selected by the Linux Foundation to work on a summer
> > project. I would like to abstract the git signing interface and add
> > support for signatures using decentralized identifiers (DID).
> > Decentralized identifiers are an emerging standard [0] that allows
> > individuals to control their own digital identities, and is often
> > called self-sovereign identity (SSI). The SSIMeetup is a good place to
> > learn more about SSI [1] and DIDs [2].
> >
> > The project’s current goal is to abstract the current GPG interface
> > into a more ‘generic’ API that supports the existing OpenPGP and X.509
> > functionality while creating the ability to write additional signature
> > drivers.
>
> Neat. I'm always wary of supporting "emerging standards", because
> sometimes they turn out not to emerge and you are left with historical
> cruft. :) But if your changes to Git are mostly around making the
> signing config more generic, I think that is something people are
> interested in (signify has come up as a possibility before).
>
> You might find this discussion interesting (that patch and the
> sub-thread):
>
>  https://public-inbox.org/git/20180409204129.43537-9-mastahyeti@gmail.com/
>
> One of the points I think people didn't like was how Git would detect
> signatures embedded in objects (i.e., is matching PEM-like lines enough,
> or what would other signing systems want?).
>
> That patch was later dropped in favor of the work from Henning Schild:
>
>   https://public-inbox.org/git/cover.1531208187.git.henning.schild@siemens.com/
>
> which is much more geared at just adding gpgsm support. There were
> various discussions about how it could eventually be extended to new
> formats. I skimmed over the documentation from your branch and it looks
> like a pretty sane layout, with backwards compatibility.
>
> > I have implemented a prototype that works and passes all tests, and in
> > the coming weeks I plan to submit a series of patches for your review.
> > I first need to clean up the Git history to make it easy to follow. I
> > will also ensure that people using the current approach to GPG signing
> > can use the proposed approach with only minor changes. The flag
> > “--gpg-sign” would evolve to “---sign”, though I would like to
> > preserve an alias to the old flag if possible.
>
> Yes, this must not be "minor changes" but "no changes" to be accepted.
> It's OK to deprecate things, but old options cannot immediately stop
> working. From this email and looking at your config patches, it looks
> like that's the route you plan to take. Good.
>
> I look forward to seeing the cleaned-up patches. :)
>
> -Peff



-- 
Ibrahim EL RHEZZALI
Tél. +212 6 72 55 71 71

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, back to index

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-07-22 14:16 [RFC] Improved git signing interface Ibrahim El Rhezzali
2019-07-30  6:59 ` Jeff King
2019-08-14  8:48   ` Ibrahim El Rhezzali

git@vger.kernel.org list mirror (unofficial, one of many)

Archives are clonable:
	git clone --mirror https://public-inbox.org/git
	git clone --mirror http://ou63pmih66umazou.onion/git
	git clone --mirror http://czquwvybam4bgbro.onion/git
	git clone --mirror http://hjrcffqmbrq6wope.onion/git

Newsgroups are available over NNTP:
	nntp://news.public-inbox.org/inbox.comp.version-control.git
	nntp://ou63pmih66umazou.onion/inbox.comp.version-control.git
	nntp://czquwvybam4bgbro.onion/inbox.comp.version-control.git
	nntp://hjrcffqmbrq6wope.onion/inbox.comp.version-control.git
	nntp://news.gmane.org/gmane.comp.version-control.git

 note: .onion URLs require Tor: https://www.torproject.org/

AGPL code for this site: git clone https://public-inbox.org/ public-inbox