[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #29671 [Internal Services/Tor Sysadmin Team]: evaluate possible options for OpenPGP keyring maintenance



#29671: evaluate possible options for OpenPGP keyring maintenance
-------------------------------------------------+-------------------------
 Reporter:  anarcat                              |          Owner:  tpa
     Type:  task                                 |         Status:
                                                 |  assigned
 Priority:  Low                                  |      Milestone:
Component:  Internal Services/Tor Sysadmin Team  |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:                                       |  Actual Points:
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------
Description changed by anarcat:

Old description:

> Many tickets here are about maintaining the various keyrings required for
> daily operations at Tor. A few examples include new keys, expiration
> updates and so on: #27748 , #27748, #27726, #27600, #28891, #28150,
> #28138, #29455... but there are literally hundreds of such tickets.
>
> Those keys currently get stored in LDAP and require a TPA to make
> changes, that is in `git@xxxxxxxxxxxxxxxxxxxxx:admin/account-keyring.git`
> (or is it
> `ssh://alberti.torproject.org/srv/db.torproject.org/keyrings/keyring.git`?).
> The TPA password manager also has its own keyring subset, see #29677.
>
> Then there's also stuff like the [https://www.torproject.org/docs
> /signing-keys.html.en torbrowser signing keys] which are ''not'' stored
> in LDAP (#28306), creating ''another'' source of truth for keys.
>
> All of this makes key maintenance and discovery difficult. Investigate
> possible alternatives, including Debian packages (like the one used by
> debian-archive-keyring), a private keyserver,
> [https://github.com/firstlookmedia/gpgsync gpgsync],
> [https://monkeysphere.info/ monkeysphere], or a flock of unicorn. ;)

New description:

 Many tickets here are about maintaining the various keyrings required for
 daily operations at Tor. A few examples include new keys, expiration
 updates and so on: #27748 , #27748, #27726, #27600, #28891, #28150,
 #28138, #29455... but there are literally hundreds of such tickets.

 Those keys currently get stored in LDAP and require a TPA to make changes,
 that is in `git@xxxxxxxxxxxxxxxxxxxxx:admin/account-keyring.git` '''and'''
 `ssh://alberti.torproject.org/srv/db.torproject.org/keyrings/keyring.git`.
 The TPA password manager also has its own keyring subset, see #29677.

 Then there's also stuff like the [https://www.torproject.org/docs/signing-
 keys.html.en torbrowser signing keys] which are ''not'' stored in LDAP
 (#28306), creating ''another'' source of truth for keys.

 All of this makes key maintenance and discovery difficult. Investigate
 possible alternatives, including Debian packages (like the one used by
 debian-archive-keyring), a private keyserver,
 [https://github.com/firstlookmedia/gpgsync gpgsync],
 [https://monkeysphere.info/ monkeysphere], or a flock of unicorn. ;)

--

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/29671#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs