Author: intrigeri
Date:
To: The Tails public development discussion list
Subject: Re: [Tails-dev] [RFC] Dropping requirement for OpenPGP communication with HTTP mirror operators?

Hi,

intrigeri wrote (14 Mar 2016 15:41:50 GMT) :
> sajolida wrote (14 Mar 2016 15:21:21 GMT) :
>> intrigeri:
>>> sajolida wrote (11 Mar 2016 16:40:08 GMT) :
>>> So, dropping the requirement for mirror operators to maintain an
>>> OpenPGP key we can see as valid would not imply any regression,
>>> compared to the current state of things.
>>>
>>> Rather, if we wanted to have "We can authenticate requests sent to us
>>> by mirror operators", we would have to do extra work we're not
>>> doing currently.
>>>
>>> ⇒ If anyone feels like we should really do that, then at this point
>>> they'd better be ready to contribute some time to help with it (in
>>> practice our mirrors team went from 2 active members to 1 in the last
>>> 6-12 months or so). But given we've not had these nice security
>>> properties for months, and our world didn't end anyway, maybe it's no
>>> big deal and we can just forget about it?
>> Sure.
> I'll wait a bit more, to give a chance to people who think differently
> (those who have already expressed it, as well as those who haven't
> yet) to digest the updates we provided, and check how they feel now.
Six weeks later, with no updated argument raised against dropping this
requirement, I am going to consider it's now a decision, and will
update our doc for mirror operators accordingly. For the avoidance of
doubt: I don't intend to drop any reference to OpenPGP communication
from said documentation, I'll just make it optional.