Re: [tor-bugs] #30479 [Applications/Tor Browser]: Move away from using signed git tags to avoid rollback attacks?
#30479: Move away from using signed git tags to avoid rollback attacks?
--------------------------------------+--------------------------
Reporter: gk | Owner: tbb-team
Type: defect | Status: new
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: tbb-rbm | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
--------------------------------------+--------------------------
Comment (by boklm):
Regarding expiration of keys (or sub-keys), I think whether we should
accept signatures from expired keys depends on the meaning of this
expiration:

 * if the expiration means "after this date, my key will very likely be
   compromised, so you should not trust anything signed by it anymore", then
   we should reject all signatures from expired keys.
 * if the expiration means "after this date I will use a new key, so
   anything new will be signed with a new key, but this key can still be used
   to verify things signed before this date", then I think we should accept
   signatures from expired keys, and also remove expired keys from our
   keyring when we don't need to use anything signed before the expiration
   date anymore.

I think the meaning of key expiration is usually the second one as it is
hard to predict when a key will be compromised, but it is possible to plan
when a key will be rotated, so I think it is fine to accept signatures
from expired keys when we expect the signature to be made before it
expired.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30479#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
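
Added example, not part of boklm's comment or of Tor Browser's build tooling: the two expiration policies described in the comment, applied to `gpg --status-fd` output. The function names, the policy names `strict` and `rotation`, the fingerprint-to-expiry map and the sample status lines are constructed for illustration, and the sketch assumes a `VALIDSIG` line accompanies `EXPKEYSIG`.

```python
# Added example: hypothetical helper names, constructed sample data.
VERDICTS = {"GOODSIG", "EXPKEYSIG", "EXPSIG", "REVKEYSIG", "BADSIG", "ERRSIG"}

def parse_status(lines):
    """Return (verdict, signing-key fingerprint, signature creation epoch)."""
    verdict = fpr = sig_time = None
    for line in lines:
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        keyword, args = parts[1], parts[2:]
        if keyword in VERDICTS:
            # More than one signature verdict: refuse to guess which one counts.
            verdict = keyword if verdict is None else "MULTIPLE"
        elif keyword == "VALIDSIG" and len(args) >= 3 and args[2].isdigit():
            fpr, sig_time = args[0], int(args[2])
    return verdict, fpr, sig_time

def accept(lines, key_expiry, policy):
    """policy 'strict' = first meaning in the comment, 'rotation' = second."""
    if policy not in ("strict", "rotation"):
        raise ValueError("unknown policy")
    verdict, fpr, sig_time = parse_status(lines)
    if fpr is None:                      # no VALIDSIG line: nothing verified
        return False
    if verdict == "GOODSIG":
        return True
    if verdict != "EXPKEYSIG" or policy == "strict":
        return False
    # sig_time is the creation time the signer wrote into the signature; it is
    # not independently attested, so this only holds for an uncompromised key.
    expiry = key_expiry.get(fpr)
    return expiry is not None and sig_time < expiry

# Constructed sample data: placeholder fingerprint, key expiring 2019-01-01 UTC.
FPR = "A" * 40
EXPIRY = {FPR: 1546300800}

def status(date, epoch):
    return [
        "[GNUPG:] NEWSIG",
        "[GNUPG:] EXPKEYSIG 0123456789ABCDEF Constructed Signer <s@example.invalid>",
        f"[GNUPG:] VALIDSIG {FPR} {date} {epoch} 0 4 0 1 8 00 {FPR}",
    ]

OLD_TAG = status("2018-06-01", 1527811200)   # signed before the key expired
LATE_TAG = status("2019-03-01", 1551398400)  # signed after the key expired
```

A key missing from the expiry map is rejected under `rotation`, which matches the comment's suggestion to drop expired keys from the keyring once nothing signed before their expiration is still needed.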