[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-bugs] #5463 [BridgeDB]: BridgeDB must GPG-sign outgoing mails
#5463: BridgeDB must GPG-sign outgoing mails
----------------------+-----------------------------------------------------
Reporter: rransom | Owner:
Type: defect | Status: needs_information
Priority: critical | Milestone:
Component: BridgeDB | Version:
Keywords: | Parent:
Points: | Actualpoints:
----------------------+-----------------------------------------------------
Comment(by rransom):
Replying to [comment:3 aagbsn]:
> I wrote some (untested) code as starting point, using gpgpme (python-
gpgme)
>
>
https://gitweb.torproject.org/user/aagbsn/bridgedb.git/commit/c166119dec14584ad14dcf50b2a98ff9f719892a
>
> Now for some questions:
>
> Is it OK to use unprotected protected keyfile?
Using a GPG key with no passphrase is fine. (I assume the HTTPS
certificate has no passphrase either.)
> Is gpg clearsign fine here?
Yes.
> What sort of friendly and encouraging text do we want to include to
inspire users to actually verify messages?
This is the hard part -- I don't have that text written.
> And, if the instructions we link to are on www.tpo, and *.tpo is
blocked, what now?
The Tor Short User Manual is sent out by GetTor with every Tor package.
Perhaps GetTor should also be able to send a copy of TSUM only, or perhaps
BridgeDB should attach a copy of TSUM to its messages (or have an extra
command to ask for one).
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/5463#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs