Search Mailing List Archives


Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] secure download tool - doesn't exist?!?

Jonathan Wilkes jancsika at yahoo.com
Tue Jul 2 14:57:01 PDT 2013


On 07/02/2013 12:46 PM, Jonathan Wilkes wrote:
> On 07/02/2013 04:51 AM, intrigeri wrote:
>> Hi,
>>
>> adrelanos wrote (01 Jul 2013 18:03:01 GMT) :
>>> Goal:
>>> - big file downloads
>>> - at least as secure as TLS
>>> - at least as simple as a regular download using a browser
>>> - not using TLS itself (too expensive) for bulk download
>>> The problem: [...]
>> + verify that the signed file you've downloaded is actually the
>>    version you intended to download, and not an older, also properly
>>    signed one.
>>
>> See tools that take this into account:
>>    - Thandy (already mentioned by Moritz)
>>    - our design for incremental updates:
>>      https://tails.boum.org/todo/incremental_upgrades/
>>    - TUF:
>>      https://www.updateframework.com/
>
> Does Debian's "Valid-Until" field in the release files solve this 
> problem?

After getting some help on #debian-apt, I can at least say that the 
"Valid-Until"
field in the release file for Debian security updates is indeed intended 
to address
replay attacks.  The first two papers referenced at
https://www.updateframework.com/
were written before that field was added.

-Jonathan

>
> -Jonathan
>
>>
>> Other than this, our current take on it is, I believe, making it
>> easier to verify OpenPGP detached signatures. E.g. we're working to
>> make it work flawlessly on the GNOME desktop.
>>
>> Cheers,
>> -- 
>>    intrigeri
>>    | GnuPG key @ 
>> https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
>>    | OTR fingerprint @ 
>> https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
>> -- 
>> Too many emails? Unsubscribe, change to digest, or change password by 
>> emailing moderator at companys at stanford.edu or changing your settings 
>> at https://mailman.stanford.edu/mailman/listinfo/liberationtech
>>
>>
>
> -- 
> Too many emails? Unsubscribe, change to digest, or change password by 
> emailing moderator at companys at stanford.edu or changing your settings 
> at https://mailman.stanford.edu/mailman/listinfo/liberationtech
>
>




More information about the liberationtech mailing list