author Tails developers <amnesia@boum.org> 2015-01-27 11:05:04 +0000
committer Tails developers <amnesia@boum.org> 2015-01-27 11:05:04 +0000
commit 8d5eaee59b5f758e9391eff8cc5997067de7faca
tree 4eb2ac5e291e7405d394ca80225a53f175921e73
parent 8eb3a6defceb62a89e8d6b24b96c4340f6f3962a
Question OpenPGP verification in the extension
It's probably better to stick to HTTPS and checksum verification in the extension, and try to automate OpenPGP verification through the Installer instead.
-rw-r--r-- wiki/src/blueprint/download_extension.mdwn 18
1 files changed, 13 insertions, 5 deletions
diff --git a/wiki/src/blueprint/download_extension.mdwn b/wiki/src/blueprint/download_extension.mdwn
index 1c9420d..622ad13 100644
--- a/wiki/src/blueprint/download_extension.mdwn
+++ b/wiki/src/blueprint/download_extension.mdwn
@@ -78,11 +78,19 @@ Other desirable features
- Be able to use that extension to verify other ISO images, testing images,
older ISO images, etc. In that case the user would be warned about the
deprectated or experimental status of the ISO image.
- - Be able to use that extension to check the GPG signature. On top of
- verifying the checksum, this would provide TOFU authentication. Then, if the
- user downloads a genuine app and a genuine key on first use, then she will
- be protected from a later compromision of the HTTPS certificate of
- tails.boum.org.
+
+Open questions
+==============
+
+ - Do we want to use that extension to also check the GPG signature?
+ - On top of verifying the checksum, this would provide TOFU
+ authentication. Then, if the user downloads a genuine app and a
+ genuine key on first use, then she will be protected from a later
+ compromission of the HTTPS certificate of tails.boum.org.
+ - On the other hand, it might be easier and make more sense to push
+ the OpenPGP verification to Tails Installer, when run in Debian
+ for example. As we would have easier access to `gpg`, we could
+ reuse the Debian keyring, etc.
Technical insight
=================
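Review bot: The first sub-bullet under the new "Open questions" item carries a misspelling over from the removed text: "compromision" became "compromission", and it should read "compromise". The same sentence also has a doubled "Then, if ... then she", where one "then" can go. In the second sub-bullet, "reuse the Debian keyring, etc." does not say which keyring is meant or how the signing key would come to be trusted through it, so the reader cannot compare it with the TOFU model in the first sub-bullet. Suggest naming the keyring and stating in one line what each option protects against, since the first sub-bullet already does this for a later compromise of the HTTPS certificate of tails.boum.org.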