[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #2340 [Tor bundles/installation]: GPG signatures do not authenticate filenames

To: undisclosed-recipients:;
Subject: Re: [tor-bugs] #2340 [Tor bundles/installation]: GPG signatures do not authenticate filenames
From: "Tor Bug Tracker & Wiki" <torproject-admin@xxxxxxxxxxxxxx>
Date: Fri, 21 Jan 2011 20:19:24 -0000
Auto-submitted: auto-generated
Delivered-to: archiver@xxxxxxxx
Delivery-date: Fri, 21 Jan 2011 15:19:35 -0500
In-reply-to: <047.439b6051328a1315ff4effbbf36c5165@xxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-bugs>
List-help: <mailto:tor-bugs-request@lists.torproject.org?subject=help>
List-id: Tor bugs reporting list for trac <tor-bugs.lists.torproject.org>
List-post: <mailto:tor-bugs@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=unsubscribe>
References: <047.439b6051328a1315ff4effbbf36c5165@xxxxxxxxxxxxxx>
Reply-to: tor-assistants@xxxxxxxxxxxxxx
Sender: tor-bugs-bounces@xxxxxxxxxxxxxxxxxxxx

#2340: GPG signatures do not authenticate filenames
--------------------------------------+-------------------------------------
 Reporter:  rransom                   |       Owner:  rransom     
     Type:  defect                    |      Status:  needs_review
 Priority:  critical                  |   Milestone:              
Component:  Tor bundles/installation  |     Version:              
 Keywords:                            |      Parent:              
--------------------------------------+-------------------------------------

Comment(by Sebastian):

 I think if we changed the way we do signatures we will just confuse most
 of those users that are already confused about signatures even more,
 without actually offering much better protection. For the careful gpg
 user, the date of the signature should be a good indication that something
 is wrong.

 That said, if we want to improve the situation, the script should probably
 add a date field, so that people can get suspicious when the date is off
 (note that they could already do that with the plain gpg signatures, but
 looking into many different places makes things just more complicated).

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/2340#comment:9>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Prev by Author: Re: [tor-bugs] #2340 [Tor bundles/installation]: GPG signatures do not authenticate filenames
Next by Author: Re: [tor-bugs] #2340 [Tor bundles/installation]: GPG signatures do not authenticate filenames
Previous by thread: Re: [tor-bugs] #2340 [Tor bundles/installation]: GPG signatures do not authenticate filenames
Next by thread: Re: [tor-bugs] #2340 [Tor bundles/installation]: GPG signatures do not authenticate filenames
Index(es):
- Author
- Thread