Feature #8873

Decide which kind of verification would the ISO verification extension do

Added by sajolida 2015-02-05 21:17:18 . Updated 2015-03-10 09:26:25 .

Status:
Resolved
Priority:
Normal
Assignee:
Category:
Installation
Target version:
Start date:
2015-02-05
Due date:
% Done:

0%

Feature Branch:
Type of work:
Discuss
Starter:
Affected tool:
ISO Verification Extension
Deliverable for:

Description

That could be:

- OpenPGP verification

- Checksum correlation against different websites
- Checksum against boum.org


Subtasks


Related issues

Blocks Tails - Feature #8855: Design data source for ISO verification extension Resolved 2015-02-04

History

#1 Updated by sajolida 2015-02-05 21:18:05

  • blocks Feature #8855: Design data source for ISO verification extension added

#2 Updated by sajolida 2015-02-05 21:18:48

  • blocked by Feature #8850: Investigate feasibility of OpenPGP signature verification in JavaScript added

#3 Updated by sajolida 2015-02-21 18:47:21

  • Blueprint set to https://tails.boum.org/blueprint/bootstrapping/extension

#4 Updated by sajolida 2015-02-21 18:57:40

  • Assignee deleted (sajolida)

I’m pretty much convinced that simple checksum verification is the way to go in such a context. See the security discussion on the blueprint: https://tails.boum.org/blueprint/bootstrapping/extension#verification

#5 Updated by sajolida 2015-03-10 09:25:52

  • blocks deleted (Feature #8850: Investigate feasibility of OpenPGP signature verification in JavaScript)

#6 Updated by sajolida 2015-03-10 09:26:25

  • Status changed from Confirmed to Resolved

From the discussion on tails-dev https://mailman.boum.org/pipermail/tails-dev/2015-March/008333.html, nobody argued strongly or provided good arguments to do something better than simple checksum verification. This could actually become quite strong once we get in the HPKP preload list of Firefox (Feature #9026) and monitor externally the content of the website (Feature #8650).