Feature #11027

Decide what to do with the old OpenPGP verification instructions

Added by sajolida 2016-01-29 18:34:22 . Updated 2016-05-15 12:19:27 .

Status:
Resolved
Priority:
Normal
Assignee:
Category:
Installation
Target version:
Start date:
2016-01-29
Due date:
% Done:

0%

Feature Branch:
Type of work:
End-user documentation
Blueprint:

Starter:
Affected tool:
Installation Assistant
Deliverable for:

Description

I proposed to removed them in e66558a and 8deae6a but some people disagree. We should have a good discussion about this.


Subtasks


Related issues

Blocks Tails - Bug #10882: Update OpenPGP verifications to Tor Browser not opening applications Duplicate 2016-01-08

History

#1 Updated by sajolida 2016-02-03 13:58:51

  • related to Feature #10675: Write "Learn how to do that" for OpenPGP verification added

#2 Updated by sajolida 2016-02-03 14:00:00

Here is some preparation for the meeting tonight:

The installation assistant forces people to do a verification
equivalent to HTTPS (Browser extension or BitTorrent). With this in
mind, the OpenPGP verification only makes sense for people:

  • Using the web-of-trust. As we’re documenting in /install/debian/usb.
  • Relying on TOFU. Note that with automatic upgrades and in the future
    with full self upgrades (Feature #7499), a typical user won’t download and
    verify ISO images very often, or at least rely on this “first use”
    for quite a while. TOFU only improves the security of the subsequent
    uses.
  • Correlate downloads (/doc/get/trusting_tails_signing_key#index1h1).
    Which is not a proper cryptographic technique and is quite
    impractical for a first-time user.

So really, the OpenPGP verification mostly makes sense if using the
web-of-trust.

The current instructions focus on step-by-step instructions on how to
download the key and verify the ISO image against it; which doesn’t
provide strong authenticity (see /download.html#index3h1). They are
fairly complicated (see the user support load on the “Not enough
information to check the signature validity.” message) but were very
relevant before we could provide HTTPS-equivalent verification for
everybody. In them, trusting the Tails signing key was proposed as an
additional check to provide authenticity.

I think we should acknowledge that proper OpenPGP verification with
the web-of-trust is not accessible to first-time users who landed on
our website and want to give Tails a try. But are for people who
already know the basics of OpenPGP for encrypting their emails, for
example.

So as a general direction, I think we should focus on:

  • Documenting better the strategy behind the web-of-trust which is the
    game changer here.
  • Pushing bits of OpenPGP verification to Tails Installer.

And not so much on providing step-by-step instructions for OpenPGP
basics. Not that it’s a bad thing as such but more as a question of
priority. Also note as a general policy, documenting how to use
Gpg4Win, GPGTools, etc. could be considered out-of-scope in our
documentation.

Regarding what to do now, I propose we:

  • Rescue /download.html#index3h1 and make it clear in the intro that
    this is meant for people who already know the basic of OpenPGP and
    insist more on the web-of-trust verification.
  • I’m not sure it’s relevant to keep /doc/get/verify_*, further
    improve these pages (see Feature #7147), etc. Maybe helping upstream on the
    long-term would be better but we’ve not been very good at this in
    the past.
  • I’m not sure what to do with the download correlation technique
    right now, but I don’t mind leaving it around for some time.

#3 Updated by sajolida 2016-02-03 18:31:57

  • related to Bug #10882: Update OpenPGP verifications to Tor Browser not opening applications added

#4 Updated by sajolida 2016-02-05 14:14:44

  • related to deleted (Bug #10882: Update OpenPGP verifications to Tor Browser not opening applications)

#5 Updated by sajolida 2016-02-05 14:14:55

  • blocks Bug #10882: Update OpenPGP verifications to Tor Browser not opening applications added

#7 Updated by sajolida 2016-02-16 07:48:51

  • related to deleted (Feature #10675: Write "Learn how to do that" for OpenPGP verification)

#8 Updated by sajolida 2016-02-16 07:49:13

  • related to Feature #10675: Write "Learn how to do that" for OpenPGP verification added

#9 Updated by sajolida 2016-03-07 15:21:56

  • Target version deleted (Tails_2.2)

#10 Updated by sajolida 2016-03-12 14:45:16

People trying the download correlation get confused whenever our we update our key file on the website. So I think we should drop that technique now that we have the assistant.

#11 Updated by intrigeri 2016-03-12 16:21:03

> People trying the download correlation get confused whenever our we update our key file on the website.

Indeed, re-reading that piece of doc, pieces of it are totally buggy, in the sense they rely implicitly on the fact that key file doesn’t ever change.

> So I think we should drop that technique […].

I agree we should drop that technique: the vast majority of people who will do it right don’t need us to document it.

#12 Updated by sajolida 2016-04-01 10:33:54

  • blocks #8538 added

#13 Updated by sajolida 2016-04-29 10:51:58

  • Assignee changed from sajolida to anonym
  • QA Check set to Ready for QA

In Feature #9323, I’m merging and simplifying all the previous instructions and the doc about the OpenPGP WoT into /install/download/openpgp and removing the previous pages.

#14 Updated by sajolida 2016-04-29 10:59:04

  • related to deleted (Feature #10675: Write "Learn how to do that" for OpenPGP verification)

#15 Updated by sajolida 2016-05-03 12:15:55

  • Type of work changed from Discuss to End-user documentation

The decision was taken at the April meeting we’re now implementing.

#16 Updated by sajolida 2016-05-15 12:19:27

  • Status changed from Confirmed to Resolved
  • Assignee deleted (anonym)
  • Target version set to Tails_2.4
  • QA Check deleted (Ready for QA)

Done, see Feature #9323 and http://tails.boum.org/install/download/openpgp.