[tbb-bugs] #30479 [Applications/Tor Browser]: Move away from using signed git tags to avoid rollback attacks?
Tor Bug Tracker & Wiki
blackhole at torproject.org
Sat May 11 13:50:05 UTC 2019
#30479: Move away from using signed git tags to avoid rollback attacks?
--------------------------------------+--------------------------
Reporter: gk | Owner: tbb-team
Type: defect | Status: new
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: tbb-rbm | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
--------------------------------------+--------------------------
Comment (by boklm):
Regarding expiration of keys (or sub-keys), I think whether we should
accept signatures from expired keys depends on the meaning of this
expiration:
* if the expiration means "after this date, my key will very likely be
compromised, so you should not trust anything signed by it anymore", then
we should reject all signatures from expired keys.
* if the expiration means "after this date I will use a new key, so
anything new will be signed with a new key, but this key can still be used
to verify things signed before this date", then I think we should accept
signatures from expired keys, and also remove expired keys from our
keyring when we don't need to use anything signed before the expiration
date anymore.
I think the meaning of key expiration is usually the second one as it is
hard to predict when a key will be compromised, but it is possible to plan
when a key will be rotated, so I think it is fine to accept signatures
from expired keys when we expect the signature to be made before it
expired.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30479#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tbb-bugs
mailing list