On Tue, Oct 25, 2016 at 7:22 PM, Martyn Plummer <plummerm at iarc.fr> wrote:
Thanks Jeroen. The R Foundation has recently formed a working group to look into package authentication. There are basically two models. One is the GPG based model you describe; the other is to use X.509 as implemented in the PKI package. It's not yet clear which way to go but we are thinking about it.
I look forward to hearing what the working group comes up with. I suppose if you go with x509, CRAN is going to perform CA duties? Let me know if I can help with implementation, either via gpg or x509. I am actively developing the openssl package which includes many more x509 utilities, supporting all common key types (dsa, rsa, ec), certificate bundles, ssl, etc. The main difference with PKI is that openssl uses the native pem/der parsers from libssl which are more robust and also recognize the less common formats, so that we don't have to deal with parsing/decoding ASN.1 in R. I will be happy to adapt/extend it further to fit the needs of the workgroup and help this move forward.