BEP 35 introduces cryptographically signed torrent files. That means entities can now attest to a torrent's authenticity and safety. If your client trusts that entity, your client can also trust that torrent.
In upcoming releases of uTorrent, we're using this to suppress warning dialogs when, for example, you right-click a featured content bundle and open its containing folder. In future releases of uTorrent, we may use this for more interesting things.
We're pretty excited about some of the possibilities that this opens up and look forward to hearing what the community has to say.
Has there been any discussion about how certs will be managed in the clients? Will clients ship with pre-loaded certs? Will it be left to the torrent file distributors to negotiate with each client, the same way SSL CA cert issuers work with web browsers?
I'm the project lead for terasaur.org and would like to see this evolve. Large-scale trusted torrent distribution is one of the primary goals. Signing all the torrents would be a nice addition.
Currently there's a folder under %appdata%/uTorrent where a user can put trusted certificates. Any torrent signed by a cert in this folder is considered trusted. uTorrent ships with BitTorrent Inc.'s cert by default, to always be trusted.
Currently being trusted isn't very interesting. I can imagine that we might want to add some graphical treatment to trusted torrents, and possibly other features as well.
In order to integrate well with the web, we might want to create a file name extension like .btcert that we handle by installing when invoked. That way web sites could distribute their cert easily.
It would be nice to see a locked padlock icon in torrent clients. That's always reassuring.
Will the certs be validated as a chain, or as a single unit? Do you think there's value in generating a separate cert for each group or collection? For example, each Linux distribution on a given site might have its own cert to publish under.
I agree with the idea of a padlock icon or some other indicator of trusted torrents similar to browser address bars.
If a cert's signed by a trusted cert (a chain of 2 certs), it will be trusted, but chains longer than that aren't supported.
I can't think of any value in generating a cert for different Linux distributions off the top of my head. Certs are intended to correspond to people or other distributing entities.