[tor-bugs] #7605 [Company]: get the deb.torproject.org-keyring package into Debian

Tor Bug Tracker & Wiki blackhole at torproject.org
Sat Dec 1 17:43:08 UTC 2012


#7605: get the deb.torproject.org-keyring package into Debian
---------------------+------------------------------------------------------
 Reporter:  proper   |          Owner:     
     Type:  defect   |         Status:  new
 Priority:  normal   |      Milestone:     
Component:  Company  |        Version:     
 Keywords:           |         Parent:     
   Points:           |   Actualpoints:     
---------------------+------------------------------------------------------
 For first time torproject.org visitors with no knowledge about gpg and/or
 no trust path to The Tor Project it's difficult to verify the Tor package
 signing key.

 The advice to download the Tor package signing key from the keyservers
 with a fingerprint posted from torproject.org is flawed. If the first time
 visitor of torproject.org is already victim of a mitm, this won't help. It
 would only help if the first time visitor won't get mitm'd at his first
 visit. Only further downloads would be protected.

 For this reason it's not best to distribute the Tor signing key /
 fingerprint through torproject.org.

 Suggestion:
 1. Get the deb.torproject.org-keyring into Debian. If you can get it into
 the Debian keyring - even better.

 2. After 1. is done get Tor package signing key shipped by default with
 Debian.

 This would eliminate and ease at least one step from the complicated (from
 user perspective) steps of gpg verification.

 Getting it into Debian is strategic. Many derivatives based on Debian such
 as Ubuntu will include it as well.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/7605>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

