Merge pull request python#9 from mnm678/rsa_to_ed25519
Replace RSA with ed25519
JustinCappos authored Oct 10, 2019
2 parents b3d7d90 + 50c7219 commit 7ef8509
Showing 1 changed file with 6 additions and 7 deletions.
13 changes: 6 additions & 7 deletions pep-0458.txt
@@ -465,12 +465,11 @@ PyPI and Key Requirements
In this section, the kinds of keys required to sign for TUF roles on PyPI are
examined. TUF is agnostic with respect to choices of digital signature
algorithms. For the purpose of discussion, it is assumed that most digital
signatures will be produced with the well-tested and tried RSA algorithm [20]_.
signatures will be produced the ed25519 algorithm [25]_ as this algorithm has
native and well-tested Python support.
Nevertheless, we do NOT recommend any particular digital signature algorithm in
this PEP because there are a few important constraints: first, cryptography
changes over time; second, package managers such as pip may wish to perform
signature verification in Python, without resorting to a compiled C library, in
order to be able to run on as many systems as Python supports; and third, TUF
changes over time; and second, TUF
recommends diversity of keys for certain applications.
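Review bot: the added line "signatures will be produced the ed25519 algorithm [25]_" drops a preposition and should read "signatures will be produced with the ed25519 algorithm [25]_". The citation [25]_ is new, and this commit touches only pep-0458.txt with no visible change to a references section, so confirm that a matching .. [25] entry exists and that [20]_, no longer cited here, is either still referenced elsewhere or removed. The phrase "native and well-tested Python support" is also ambiguous: the deleted second constraint (verification in Python without a compiled C library) is what this new sentence appears to address, so state plainly that a pure-Python implementation is available rather than calling the support "native".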


@@ -704,7 +703,7 @@ The project transaction and snapshot processes SHOULD work concurrently.
Finally, project transaction processes SHOULD keep in memory the latest *bins*
metadata so that they will be correctly updated in new consistent snapshots.

Signing updated snapshot, timestamp, and bin metadata needs to be done on each
Signing updated snapshot, timestamp, and bin metadata needs to be done on each
update. Fortunately, the actual operation of signing is fast enough that this
may be done a thousand or more times per second. However, locking must be
used so that project transactions are handled sequentially. To achieve this,
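Review bot: the removed and added copies of "Signing updated snapshot, timestamp, and bin metadata needs to be done on each" are identical as rendered, so this is a whitespace-only change (most likely trailing whitespace); the hunks at lines 768 and 787 show the same pattern. Unrelated whitespace fixes are better split out of a commit titled "Replace RSA with ed25519", or at least called out in the commit message so reviewers do not search these hunks for a content change.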
@@ -769,7 +768,7 @@ __ https://en.wikipedia.org/wiki/Transaction_log
Cleaning up old metadata
------------------------

Prior versions of snapshot, targets, and timestamp metadata does not need to
Prior versions of snapshot, targets, and timestamp metadata does not need to
be kept indefinitely. (Root files must be indefinitely retained.)
However, a client that performs an update MUST be able
to retrieve a consistent set of versions of the files on the repository.
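Review bot: the re-added line keeps a number-agreement error: "Prior versions of snapshot, targets, and timestamp metadata does not need to" should read "do not need to", since the subject is "versions". As this line is already being touched, fix the wording here rather than leaving a whitespace-only change.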
@@ -788,7 +787,7 @@ Revoking Trust in Projects and Versions
From time to time either a project or a version of a package will need to be revoked.
To revoke trust in a version of a package, the bin role can simply remove the
delegation and re-sign the bin metadata. Similarly, an entire project may be removed
by removing the bin metadata references to the metadata and package versions.
by removing the bin metadata references to the metadata and package versions.
All of these actions only require actions with the online bin key.


