Commit 8d5eaee5 authored by Tails developers

Question OpenPGP verification in the extension

It's probably better to stick to HTTPS and checksum verification in the extension,
and try to automate OpenPGP verification through the Installer instead.
parent 8eb3a6de
......@@ -78,11 +78,19 @@ Other desirable features
- Be able to use that extension to verify other ISO images, testing images,
older ISO images, etc. In that case the user would be warned about the
deprectated or experimental status of the ISO image.
- Be able to use that extension to check the GPG signature. On top of
verifying the checksum, this would provide TOFU authentication. Then, if the
user downloads a genuine app and a genuine key on first use, then she will
be protected from a later compromision of the HTTPS certificate of
tails.boum.org.
Open questions
==============
- Do we want to use that extension to also check the GPG signature?
- On top of verifying the checksum, this would provide TOFU
authentication. Then, if the user downloads a genuine app and a
genuine key on first use, then she will be protected from a later
compromission of the HTTPS certificate of tails.boum.org.
- On the other hand, it might be easier and make more sense to push
the OpenPGP verification to Tails Installer, when run in Debian
for example. As we would have easier access to `gpg`, we could
reuse the Debian keyring, etc.
Technical insight
=================
......
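Review bot: The second sub-bullet under "Open questions" only covers Tails Installer "when run in Debian for example", so the text does not say what verification users on other platforms would get if OpenPGP checking is left out of the extension. By the first sub-bullet, those users would rely on HTTPS and the checksum alone and lose the TOFU protection against a later compromise of the tails.boum.org HTTPS certificate; suggest stating that trade-off in the list so the question can be decided on it. Minor: "compromission" in the first sub-bullet should read "compromise", and the unchanged context line above still has "deprectated".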