Opened 13 months ago

Last modified 7 weeks ago

#22637 accepted defect

Find a more maintainable approach for the signing-keys page

Reported by: arma Owned by: hiro
Priority: Medium Milestone: website redesign
Component: Webpages/Website Version:
Severity: Normal Keywords: website-content, website-bug
Cc: gk, boklm Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

Right now we have this page:
https://www.torproject.org/docs/signing-keys
which is supposed to provide an official set of keys that have signed various Tor packages in the past.

We pointed to it from
https://www.torproject.org/docs/verifying-signatures
among other places.

But people keep generating new subkeys, so the text on that page goes out of date after a month or so.

We should come up with a better way to distribute these keys, in a way that provides good enough authenticity while being easy to automate.

Maybe that's a script that gets run every so often to generate the page automatically? Maybe that's creating a gpg keyring with the right keys on it, and getting rid of the webpage?

We can think of this as part of the grand website redo, but also we can think of it as a bitesized improvement that needs to be made and can be independent of the grand website redo.

Child Tickets

Change History (6)

comment:1 Changed 13 months ago by cypherpunks

I would like to see key revocations explained.

For example, 05FA 4425 3F6C 19A8 B7F5 18D4 2D00 0988 5898 39A3, revoked subkey of Tor Browser Developers.

comment:2 Changed 12 months ago by hiro

Keywords: website-content website-bug added
Owner: set to hiro
Status: newaccepted

comment:3 Changed 4 months ago by hiro

Milestone: website redesign

comment:4 Changed 7 weeks ago by gk

Cc: gk added

comment:5 Changed 7 weeks ago by boklm

Cc: boklm added

Maybe that's a script that gets run every so often to generate the page automatically? Maybe that's creating a gpg keyring with the right keys on it, and getting rid of the webpage?

Providing a gpg keyring file, and generating the page automatically from this keyring sounds like a good idea. The keyring makes it easy to import the keys, and the page helps to verify them.

comment:6 in reply to:  1 Changed 7 weeks ago by boklm

Replying to cypherpunks:

I would like to see key revocations explained.

For example, 05FA 4425 3F6C 19A8 B7F5 18D4 2D00 0988 5898 39A3, revoked subkey of Tor Browser Developers.

You can find the corresponding bug number in the git log: #16898. We usually use sub-keys for around 2 years before switching to a new one. I think this one had to be revoked because it didn't have an expiration date.

Note: See TracTickets for help on using tickets.