Opened 3 months ago

Closed 3 months ago

#31090 closed defect (duplicate)

stop using gpg keyservers / provide OpenPGP keys for download as files from torproject.org

Reported by: adrelanos Owned by:
Priority: Medium Milestone:
Component: Webpages Version:
Severity: Normal Keywords:
Cc: whonix-devel@… Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

Quote (bold not added by me)

High-risk users should stop using the keyserver network immediately.

Originator of quote, again quoting directly:

Robert J. Hansen <rjh@…>. I maintain the GnuPG FAQ and unofficially hold the position of crisis communicator. This is not an official statement of the GnuPG project, but does come from someone with commit access to the GnuPG git repo.

See also:
https://dkg.fifthhorseman.net/blog/openpgp-certificate-flooding.html

Other reasons:

  • Apart from this, keyservers have been unreliable for a long time now. This alone is a reason for at least providing an optional download of public keys.
  • While https://support.torproject.org/tbb/how-to-verify-signature/ can be viewed in Tor Browser, doing networking outside of Tor Browser (gpg --recv-keys) is non-trivial to do torified. Also for that reason it would be better if users could get both, the information how to verify and the gpg public key from the same source.

Child Tickets

Change History (1)

comment:1 Changed 3 months ago by ggus

Resolution: duplicate
Status: newclosed

See ticket #31168

Note: See TracTickets for help on using tickets.