From xemacs-m  Tue Aug 12 09:16:42 1997
Received: from firewall2.Lehman.COM (firewall.Lehman.COM [192.147.65.67])
	by xemacs.org (8.8.5/8.8.5) with ESMTP id JAA29487;
	Tue, 12 Aug 1997 09:16:41 -0500 (CDT)
Received: from relay.messaging-svcs2.lehman.com by firewall2.Lehman.COM (8.8.6/8.6.12) id KAA20871; Tue, 12 Aug 1997 10:16:43 -0400 (EDT)
Received: from cfdevx1.lehman.com by relay.messaging-svcs2.lehman.com (8.8.5/8.8.5) id KAA01772; Tue, 12 Aug 1997 10:16:10 -0400 (EDT)
Received: from localhost by cfdevx1.lehman.com (4.1/Lehman Bros. V1.6)
	id AA10807; Tue, 12 Aug 97 10:16:02 EDT
Message-Id: <9708121416.AA10807@cfdevx1.lehman.com>
Reply-To: Rick Campbell <rickc@lehman.com>
X-Face: #<@""pDMxa>Mr$Wp[^l7e1RwB6]&7pRp,f=|)6y5?t45X$y(xx.x^?k~;-d>s:SL86Qt82U
 'M!RC3LrDvD/LjiYdGO!:\/\qx?YabgGC9%xw5%0-W05LRvyu9vB9TYk%5PN|C*0WgrXD-L0'g3j;h
X-Windows: Foiled again.
Organization: Lehman Brothers Inc.
From: Rick Campbell <rickc@lehman.com>
To: SL Baur <steve@xemacs.org>
Cc: xemacs-beta@xemacs.org
Subject: Re: strokes.el --- `package-path' 
In-Reply-To: Your message of "10 Aug 1997 02:37:12 PDT."
             <m2u3gy8jlj.fsf@altair.xemacs.org> 
Mime-Version: 1.0 (generated by tm-edit 7.106)
Content-Type: multipart/signed; protocol="application/pgp-signature";
 boundary="pgp-sign-Multipart_Tue_Aug_12_10:15:54_1997-1"; micalg=pgp-md5
Content-Transfer-Encoding: 7bit
Date: Tue, 12 Aug 1997 10:16:00 -0400
Sender: rickc@lehman.com

--pgp-sign-Multipart_Tue_Aug_12_10:15:54_1997-1
Content-Type: text/plain; charset=US-ASCII

    From: SL Baur <steve@xemacs.org>
    Date: 10 Aug 1997 02:37:12 -0700

    I would like all package distributions to be digitally signed,
    preferably with PGP.  I'm open to suggestions on how to build up an
    XEmacs web of trust.

Personally, I think that the web-of-trust model is pretty flawed,
well, at least with a depth greater than one :-)

However, you could still use PGP and make a special XEmacs
Certification Authority key that you use to sign developers' keys.

Alternatively, you could put Apache-SSL on https://www.xemacs.org/, set
up an XEmacs CA and issue keys which allow developers to drop code
there.  You might need to substitute some sort of reference
implementation from RSA or Netscape for some or all of SSLeay for
legal reasons (?), but non-profit use is probably safe and all of the
crypto stuff is from non-US sources.  For that matter, Sameer might
well grant a free Stronghold license for XEmacs development.

Any way you go, there should be a mechanism for anyone who can't --
for legal, technical, or other reasons -- use the crypto tool of
choice to donate code.  As long as there's some way to distinguish
signed and unsigned stuff, it will be a win.

			Rick

--pgp-sign-Multipart_Tue_Aug_12_10:15:54_1997-1
Content-Type: application/pgp-signature
Content-Transfer-Encoding: 7bit

-----BEGIN PGP MESSAGE-----
Version: 2.6.2
Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface

-----END PGP MESSAGE-----

--pgp-sign-Multipart_Tue_Aug_12_10:15:54_1997-1--

