[tor-bugs] #14187 [Tor Browser]: use OpenPGP notations to sign the names of files to prevent file name tampering

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Mar 25 14:33:29 UTC 2015


#14187: use OpenPGP notations to sign the names of files to prevent file name
tampering
-----------------------------+----------------------
     Reporter:  proper       |      Owner:  tbb-team
         Type:  enhancement  |     Status:  new
     Priority:  normal       |  Milestone:
    Component:  Tor Browser  |    Version:
   Resolution:               |   Keywords:
Actual Points:               |  Parent ID:
       Points:               |
-----------------------------+----------------------

Comment (by proper):

 Replying to [comment:1 cypherpunks]:
 > Instead of writing {{{file at name="x"}}} one can incorporate name of file
 in namespace of OpenPGP notation itself as {{{filename at torproject.org}}}.

 I think it's best if OpenPGP notations follow existing conventions. For
 example, {{{issuer-fpr at notations.openpgp.fifthhorseman.net}}} is one of
 the more common ones. Notations [http://www.openpgp-notations.org/ might]
 even be standardized one day. Now, for file name there isn't a convention
 yet, but I think {{{filename at torproject.org}}} isn't a good idea, because
 it's difficult to parse with general purpose gpg verification tools. (Both
 keywords, filename and homepage are variable.) Ideally, this becomes a
 common convention and perhaps even one day gpg [or wrappers] start using
 it.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/14187#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tor-bugs mailing list