[tor-bugs] #13379 [Tor Browser]: Sign our MAR files
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Dec 18 18:58:25 UTC 2014
#13379: Sign our MAR files
-------------------------+-------------------------------------------------
Reporter: | Owner: mcs
mikeperry | Status: closed
Type: defect | Milestone:
Priority: major | Version:
Component: Tor | Keywords: tbb-security,
Browser | TorBrowserTeam201412,TorBrowserTeam201412R
Resolution: fixed | Parent ID:
Actual Points: |
Points: |
-------------------------+-------------------------------------------------
Changes (by gk):
* status: needs_review => closed
* resolution: => fixed
Comment:
Replying to [comment:55 mcs]:
> On the one hand, this is good because it means that old browsers can
verify the MAR signatures even after the signing key expires. On the
other hand, there does not seem to be a way to revoke a certificate.
>
> Do we need to fix this?
Definitely not in this ticket if at all. Having the certificate only valid
for a certain amount of time would not help much as the procedure in all
cases of key exchange (be it due to compromise, be it due to key expiry,
be it due to a lost private key, ...) would be the same: exchanging the
key in question with a new one, baking it into Tor Browser and signing the
MAR files from now on with the new key (too).
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13379#comment:56>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list