Message-ID: <54F23EE4.6020208@river.com>
Date: Sat, 28 Feb 2015 15:19:16 -0700
From: Richard Johnson <rdump@river.com>
To: tor-talk@lists.torproject.org
References: <1424955764.2354591.232742237.2CF4B4C5@webmail.messagingengine.com>
In-Reply-To: <1424955764.2354591.232742237.2CF4B4C5@webmail.messagingengine.com>
Subject: [tor-talk] Tor Browser Developers (signing key) key signing request
 (Was "Re: Problems? Verifying signatures in Tor 4.0.4")

On 2015-02-26 06:02, andre76@fastmail.fm wrote:
> Is there anything that's wrong about the gpg verification performed on
> the version 4.0.4 as seen in the text below?
> It's quite different from previous Tor versions. No Erinn Clark.

We do have a chain from other Tor project personnel through Erinn Clark's key 
to a Tor Browser Developers (signing key) [1].  If you have physically 
verified their keys or Erinn's directly (or at least done a TOFU-like --lsign) 
in the past, you have a chain to the current Tor Browser Developers (signing key).

I think it would be great if the chain could be shortened.  Would more Tor 
project personnel be willing to confirm the Tor Browser Developers (signing 
key), and sign it directly?

Call it belt and suspenders with the web of trust alongside the published key 
info on the Tor site.


Richard

-------
[1]

$ gpg --list-sigs 0x93298290
pub   4096R/93298290 2014-12-15
uid                  Tor Browser Developers (signing key) <torbrowser@torproject.org>
sig          63FEE659 2015-01-13  Erinn Clark <erinn@torproject.org>
sig          4B7C3223 2014-12-15  Georg Koppen <gk@torproject.org>
sig 3        93298290 2014-12-15  Tor Browser Developers (signing key) <torbrowser@torproject.org>
sub   4096R/F65C2036 2014-12-15
sig          93298290 2014-12-15  Tor Browser Developers (signing key) <torbrowser@torproject.org>
sub   4096R/D40814E0 2014-12-15
sig          93298290 2014-12-15  Tor Browser Developers (signing key) <torbrowser@torproject.org>
sub   4096R/589839A3 2014-12-15
sig          93298290 2014-12-15  Tor Browser Developers (signing key) <torbrowser@torproject.org>


$ gpg --list-sigs 0x63fee659
pub   2048R/63FEE659 2003-10-16
uid                  Erinn Clark <erinn@torproject.org>
sig          31B0974B 2010-02-15  Andrew Lewman <andrew@lewman.is>
sig 3        94C09C7F 2010-08-25  Peter Palfrader
...
sig 3        63FEE659 2010-01-16  Erinn Clark <erinn@torproject.org>
sig          E012B42D 2010-07-19  Jacob Appelbaum <jacob@appelbaum.net>
sig          23291265 2010-07-19  Linus Nordberg <linus@nordberg.se>
sig          D21739E9 2010-03-22  Daniel Kahn Gillmor <dkg@fifthhorseman.net>
...
sig          A71A6915 2011-08-05  George Kadianakis <desnacked@riseup.net>
sig          28988BF5 2011-11-11  Roger Dingledine <arma@mit.edu>
sig          19F78451 2012-12-02  Roger Dingledine <arma@mit.edu>
sig          C11F6276 2013-03-19  David Fifield <david@bamsoftware.com>
...
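
Added example, not part of the original message and not Tor Project code: a small parser for the legacy `gpg --list-sigs` layout shown in [1] that builds the "who signed whom" graph and searches for the shortest certification chain from keys you have personally verified to the Tor Browser signing key. The function names `parse_edges` and `chain` are hypothetical, and the embedded listing is abbreviated from the post.

```python
import re
from collections import deque

# Abbreviated from the two listings in the post (wrapped uid lines rejoined).
LISTING = """\
pub   4096R/93298290 2014-12-15
uid                  Tor Browser Developers (signing key) <torbrowser@torproject.org>
sig          63FEE659 2015-01-13  Erinn Clark <erinn@torproject.org>
sig          4B7C3223 2014-12-15  Georg Koppen <gk@torproject.org>
sig 3        93298290 2014-12-15  Tor Browser Developers (signing key) <torbrowser@torproject.org>
sub   4096R/F65C2036 2014-12-15
sig          93298290 2014-12-15  Tor Browser Developers (signing key) <torbrowser@torproject.org>
pub   2048R/63FEE659 2003-10-16
uid                  Erinn Clark <erinn@torproject.org>
sig          31B0974B 2010-02-15  Andrew Lewman <andrew@lewman.is>
sig 3        63FEE659 2010-01-16  Erinn Clark <erinn@torproject.org>
sig          28988BF5 2011-11-11  Roger Dingledine <arma@mit.edu>
"""

# "sig", optional flag columns, then the signer's key ID followed by a date.
SIG = re.compile(r"^sig.*?\b([0-9A-Fa-f]{8,40})\s+\d{4}-\d\d-\d\d\b")

def parse_edges(listing):
    """Map each listed key to the set of other keys that signed it."""
    edges, current = {}, None
    for line in listing.splitlines():
        sig = SIG.match(line)
        if line.startswith("pub"):
            current = line.split()[1].split("/")[-1].upper()
            edges.setdefault(current, set())
        elif sig and current and sig.group(1).upper() != current:
            edges[current].add(sig.group(1).upper())  # self-signatures skipped
    return edges

def chain(edges, verified, target):
    """Shortest signer path from a personally verified key to target, or None."""
    target = target.upper()
    queue, seen = deque([[target]]), {target}
    while queue:  # breadth-first walk backwards from target through its signers
        path = queue.popleft()
        if path[0] in verified:
            return path
        for signer in sorted(edges.get(path[0], ())):
            if signer not in seen:
                seen.add(signer)
                queue.append([signer] + path)
    return None
```

`--list-sigs` only lists signatures without verifying them, and 8-hex-digit key IDs are not collision resistant, so a path found this way is a lead to confirm with `gpg --check-sigs` and full fingerprints rather than proof of a valid chain.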
