[tor-bugs] #13407 [Tor bundles/installation]: Transition smoothly away from Erinn's signing key for the coming releases

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Oct 15 13:23:28 UTC 2014


#13407: Transition smoothly away from Erinn's signing key for the coming releases
------------------------------------------+--------------------------------
     Reporter:  gk                        |      Owner:  erinn
         Type:  task                      |     Status:  new
     Priority:  normal                    |  Milestone:
    Component:  Tor bundles/installation  |    Version:
   Resolution:                            |   Keywords:  security,
Actual Points:                            |  usability
       Points:                            |  Parent ID:
------------------------------------------+--------------------------------

Comment (by lunar):

 Replying to [comment:3 gk]:
 > Replying to [comment:1 lunar]:
 > > I'm strongly in favor of creating a role key and continue to sign
 files individually.
 >
 > 1. How should we handle that role key in a sane way given how
 distributed we are?

  * Define a set of trusted people.
  * Have a computer hardened as possible to do key manipulation with the
 master key. Hardened X60 + Tails + air gap?
  * After the master key has been generated, use
 [https://packages.debian.org/libgfshare gfshare] to split it so that a
 subset of the trusted people will be needed to ever reconstitute the
 master key again.
  * Use the master key to create subkeys that will go on smartards. Have
 some people in the Tor Browser team carry these smartcards. Maybe 2 or 3
 smartcards not in the same part of the world. Optionally other people in
 the team could carry revocation certificates for these subkeys.
  * Every year, have enough trusted people meet to be able to rotate the
 subkeys.

 > 2. What are the blockers you see for giving all users the full benefits
 of reproducible builds?

 I would rather postpone that for another time. Right now there's a hell
 lot of documentation out there that assumes that files are signed
 individually. I'm interested in finding the best ways to continue doing
 so.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13407#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tor-bugs mailing list