[tbb-bugs] #14187 [Tor Browser]: use OpenPGP notations to sign the names of files to prevent file name tampering

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Mar 25 14:33:29 UTC 2015


#14187: use OpenPGP notations to sign the names of files to prevent file name
tampering
-----------------------------+----------------------
     Reporter:  proper       |      Owner:  tbb-team
         Type:  enhancement  |     Status:  new
     Priority:  normal       |  Milestone:
    Component:  Tor Browser  |    Version:
   Resolution:               |   Keywords:
Actual Points:               |  Parent ID:
       Points:               |
-----------------------------+----------------------

Comment (by proper):

 Replying to [comment:1 cypherpunks]:
 > Instead of writing {{{file@name="x"}}} one can incorporate name of file
 > in namespace of OpenPGP notation itself as {{{filename@torproject.org}}}.

 I think it's best if OpenPGP notations follow existing conventions. For
 example, {{{issuer-fpr@notations.openpgp.fifthhorseman.net}}} is one of
 the more common ones. Notations [http://www.openpgp-notations.org/ might]
 even be standardized one day. Now, for file name there isn't a convention
 yet, but I think {{{filename@torproject.org}}} isn't a good idea, because
 it's difficult to parse with general purpose gpg verification tools. (Both
 keywords, filename and homepage are variable.) Ideally, this becomes a
 common convention and perhaps even one day gpg [or wrappers] start using
 it.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/14187#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
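
Added example, not part of the original message or of any Tor Project tooling: a sketch of how a verification wrapper could check a file name against a notation with one fixed name, using the `NOTATION_NAME` / `NOTATION_DATA` lines that `gpg --status-fd` emits. The notation name `file@name` is taken from the quoted comment as an assumption, the status lines and key values are constructed placeholders, and the input is assumed to cover a single signature.

```python
import os
from urllib.parse import unquote

NOTATION = "file@name"  # assumed fixed notation name (from the quoted comment)

# Constructed gpg --status-fd output; key ID and fingerprints are placeholders.
SAMPLE = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0000000000000000 Constructed Signer
[GNUPG:] NOTATION_NAME issuer-fpr@notations.openpgp.fifthhorseman.net
[GNUPG:] NOTATION_DATA 0000000000000000000000000000000000000000
[GNUPG:] NOTATION_NAME file@name
[GNUPG:] NOTATION_DATA tor-browser%20linux64
[GNUPG:] NOTATION_DATA .tar.xz
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000
"""

def signed_filenames(status_text):
    """Return every value of NOTATION, or [] when no VALIDSIG line is present."""
    values, current, valid = [], None, False
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        parts = line.split(" ", 2)
        keyword = parts[1]
        arg = parts[2] if len(parts) > 2 else ""
        if keyword == "VALIDSIG":
            valid = True
        elif keyword == "NOTATION_NAME":
            current = arg
            if current == NOTATION:
                values.append("")
        elif keyword == "NOTATION_DATA" and current == NOTATION:
            # Data is percent-escaped and may span several status lines.
            values[-1] += unquote(arg)
    return values if valid else []

def filename_matches(status_text, path):
    """True only if exactly one signed name exists and equals the file's basename."""
    names = signed_filenames(status_text)
    if len(names) != 1:          # missing or conflicting notations fail closed
        return False
    signed = names[0]
    if not signed or "/" in signed or "\\" in signed:
        return False             # a signed name must be a bare file name
    return os.path.basename(path) == signed
```

Because the notation name is constant, the wrapper only compares the value; with a name that varies per file and per site, it would have no fixed key to look for.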

