[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #5463 [BridgeDB]: BridgeDB must GPG-sign outgoing mails



#5463: BridgeDB must GPG-sign outgoing mails
----------------------+-----------------------------------------------------
 Reporter:  rransom   |          Owner:                   
     Type:  defect    |         Status:  needs_information
 Priority:  critical  |      Milestone:                   
Component:  BridgeDB  |        Version:                   
 Keywords:            |         Parent:                   
   Points:            |   Actualpoints:                   
----------------------+-----------------------------------------------------

Comment(by rransom):

 Replying to [comment:3 aagbsn]:
 > I wrote some (untested) code as starting point, using gpgpme (python-
 gpgme)
 >
 >
 https://gitweb.torproject.org/user/aagbsn/bridgedb.git/commit/c166119dec14584ad14dcf50b2a98ff9f719892a
 >
 > Now for some questions:
 >
 > Is it OK to use unprotected protected keyfile?

 Using a GPG key with no passphrase is fine.  (I assume the HTTPS
 certificate has no passphrase either.)

 > Is gpg clearsign fine here?

 Yes.

 > What sort of friendly and encouraging text do we want to include to
 inspire users to actually verify messages?

 This is the hard part -- I don't have that text written.

 > And, if the instructions we link to are on www.tpo, and *.tpo is
 blocked, what now?

 The Tor Short User Manual is sent out by GetTor with every Tor package.
 Perhaps GetTor should also be able to send a copy of TSUM only, or perhaps
 BridgeDB should attach a copy of TSUM to its messages (or have an extra
 command to ask for one).

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/5463#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs