Project

General

Profile

Feature #10022

Have experts review our revocation mechanism of Tails signing key

Added by sajolida about 2 years ago. Updated about 2 months ago.

Status:
Confirmed
Priority:
Normal
Assignee:
Category:
Infrastructure
Target version:
Start date:
08/14/2015
Due date:
% Done:

0%

QA Check:
Feature Branch:
Type of work:
Communicate
Blueprint:
Easy:
Affected tool:

Description

This ticket is about sending https://tails.boum.org/doc/about/openpgp_keys/signing_key_revocation/ to a bunch of smart people and ask them to review and comment on it.

We mentioned dkg.

History

#1 Updated by sajolida about 2 years ago

  • Parent task set to #7700

#3 Updated by sajolida about 2 years ago

  • Subject changed from Have experts review our revocation mechanism to Have experts review our revocation mechanism of Tails signing key

#4 Updated by bertagaz about 2 years ago

  • Target version changed from Tails_1.6 to Tails_1.7

postponing

#5 Updated by sajolida about 2 years ago

  • Target version deleted (Tails_1.7)

Taking it easy.

#6 Updated by sajolida about 1 year ago

I'd wait until we distributed their shares to different people so we do some testing and refining of our introductory text beforehand.

#7 Updated by sajolida 11 months ago

Someone said it would be good to have a check-in mechanism to verify that people in the scheme are still reachable and have their share. You know, people change e-mail addresses, or stop checking some old accounts.

#8 Updated by intrigeri 9 months ago

emmapeel, what's your timeline on this one? FYI we're almost done setting up this mechanism.

#9 Updated by cypherpunks 9 months ago

Are you looking for review of the of the cryptography itself, or the threat model? Because Shamir's Secret Sharing provides information theoretic security, of course.

#10 Updated by intrigeri 9 months ago

Are you looking for review of the of the cryptography itself, or the threat model?

I doubt the biggest problems of this mechanism lie in the crypto being used, but IMO generally auditors should take developers' intuition with a grain of salt, and look for problems wherever they think they might find any :)

#11 Updated by sajolida 2 months ago

  • Description updated (diff)

#12 Updated by sajolida 2 months ago

The next step could be to suggest a list of smart people and ask for more on tails-project maybe...

#13 Updated by sajolida 2 months ago

  • Target version set to Hole in the Roof

#14 Updated by emmapeel 2 months ago

One person suggested it may be not robust enough to rely on only one mailing list...

#15 Updated by dkg 2 months ago

It would be good to know what kind of review you're looking for. just an e-mailed response that will never be published? some sort of public review, comparing it to other policies? suggestions for improvements in the form of bug reports? plaudits for media consumption?

all of these things are pretty different from each other, so just a generic "asking for review" might be improved with more details.

#16 Updated by sajolida 2 months ago

It would be good to know what kind of review you're looking for.

just an e-mailed response that will never be published?

That's possible.

some sort of public review

That's also possible but a less formal review works as well.

Sending a mail to tails-project@ would be in-between a very formal
review and an email that will never be published and work as well (maybe
that would be our preferred option in terms of cost-benefit for the
reviewers and the transparency of the process).

comparing it to other policies?

That would be super interesting though we didn't think of that so far.
Maybe pointers to other similar policies would be good as a start.

suggestions for improvements in the form of bug reports?

That would be more work for the reviewers and I don't think that's needed.

plaudits for media consumption?

Not really :)

The goal here is more to fix issues in the current document while
putting as little overhead on the reviewer's shoulders as possible.

#17 Updated by BitingBird about 2 months ago

emmapeel, do you still plan to do that?

Also available in: Atom PDF