Have experts review our revocation mechanism of Tails signing key
This ticket is about sending https://tails.boum.org/doc/about/openpgp_keys/signing_key_revocation/ to a bunch of smart people and asking them to review and comment on it.
We mentioned dkg.
#10 Updated by intrigeri about 1 year ago
Are you looking for review of the cryptography itself, or the threat model?
I doubt the biggest problems of this mechanism lie in the crypto being used, but IMO generally auditors should take developers' intuition with a grain of salt, and look for problems wherever they think they might find any :)
It would be good to know what kind of review you're looking for. Just an e-mailed response that will never be published? Some sort of public review, comparing it to other policies? Suggestions for improvements in the form of bug reports? Plaudits for media consumption?
All of these things are pretty different from each other, so just a generic "asking for review" might be improved with more details.
> It would be good to know what kind of review you're looking for.
> Just an e-mailed response that will never be published?
> Some sort of public review
That's also possible but a less formal review works as well.
Sending a mail to tails-project@ would be in-between a very formal review and an email that will never be published and work as well (maybe that would be our preferred option in terms of cost-benefit for the reviewers and the transparency of the process).
> Comparing it to other policies?
That would be super interesting though we didn't think of that so far.
Maybe pointers to other similar policies would be good as a start.
> Suggestions for improvements in the form of bug reports?
That would be more work for the reviewers and I don't think that's needed.
> Plaudits for media consumption?
Not really :)
The goal here is more to fix issues in the current document while putting as little overhead on the reviewer's shoulders as possible.