Please, please, please consider declaring/sharing your email address and GPG/PGP fingerprint, and also declaring/showing/sharing the full code of the GPG public key, etc. (in various forms) in a DNS RR such as "CERT PGP", so that other users can know for sure which key components are real, current and approved by you. If users are using a fully DNSSEC-supporting DNS resolver, and if you show a command-line command in the docs/FAQ, users can alternatively verify with greater accuracy, by connecting directly to the TorProject website, what the "correct" PGP/GPG fingerprint/key is. DNSSEC-authenticated data cannot be falsified, generally. I have been requesting that these be added for some time now. Various security-related components should be added and shown/shared with the public, so that different ways exist for authenticating files, certificates, etc. It is as necessary (and even more so) as declaring your site's SSL/TLS certificate (public) info via a "TLSA" (DANE) DNS record, so that DANE-aware apps can connect to the actual site and can also indicate falsification(s). If you declare/share both TLSA and various CERT PGP records, then a "full"-size code declaration in DNS may not be necessary. But when multiple proxies are used in a connection, a full code declaration is better. The TorProject.org domain name is already DNSSEC-signed, so now you need to add TLSA and CERT PGP DNS records.
-- Bright Star. bry 8 st ar a.@t. in ven ta ti d.o.t. or g: GPG-FPR:C70FD3D070EB5CADFC040FCB80F68A461F5923FA. bry 8 st ar a.@t. ya hoo d.o.t. c om: GPG-FPR:12B77F2C92BF25C838C64D9C8836DBA2576C10EC.
Cert (PKIX), PGP in DNS: https://tools.ietf.org/html/rfc4398
DANE: TLSA (DNSSEC): https://tools.ietf.org/html/rfc6698
fpr = fingerprint.
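As an added example (not part of the mailing-list post, and not Tor Project code), the following script shows what a client would do with the two record types requested above once a validating resolver has handed it the RDATA: it parses CERT RDATA (RFC 4398: type, key tag, algorithm, certificate body), walks the OpenPGP packets of a CERT PGP record to compute the v4 fingerprint of the primary key (RFC 4880: SHA-1 over 0x99, length, key packet body), compares that with a fingerprint obtained another way, and parses TLSA RDATA (RFC 6698: usage, selector, matching type, association data) to check a presented certificate against it. The DNS lookup itself and the DNSSEC validation are left to the resolver and are not shown; the key, user ID and "certificate" bytes below are constructed stand-ins, not real keys.

```python
import hashlib
import hmac
import struct

# RFC 4398 section 2.1 certificate type values.
CERT_TYPES = {1: "PKIX", 2: "SPKI", 3: "PGP", 4: "IPKIX", 5: "ISPKI", 6: "IPGP",
              7: "ACPKIX", 8: "IACPKIX", 253: "URI", 254: "OID"}
# RFC 6698 section 2.1.3 matching types: 0 = exact data, 1 = SHA-256, 2 = SHA-512.
TLSA_DIGEST = {0: lambda b: b, 1: lambda b: hashlib.sha256(b).digest(),
               2: lambda b: hashlib.sha512(b).digest()}


def parse_cert_rdata(rdata: bytes) -> dict:
    """Split CERT RDATA into type, key tag, algorithm and certificate body (RFC 4398 s.2)."""
    if len(rdata) < 5:
        raise ValueError("CERT RDATA shorter than its fixed 5-octet header")
    cert_type, key_tag, algorithm = struct.unpack("!HHB", rdata[:5])
    return {"type": cert_type, "type_name": CERT_TYPES.get(cert_type, "unassigned"),
            "key_tag": key_tag, "algorithm": algorithm, "certificate": rdata[5:]}


def openpgp_packets(data: bytes):
    """Yield (tag, body) for each OpenPGP packet (RFC 4880 s.4.2, old and new header formats)."""
    i = 0
    while i < len(data):
        ptag = data[i]
        if not ptag & 0x80:
            raise ValueError("octet 0x%02x is not a packet tag" % ptag)
        if ptag & 0x40:                                   # new-format header
            tag, first = ptag & 0x3F, data[i + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + data[i + 2] + 192, 3
            elif first == 255:
                length, hdr = struct.unpack("!I", data[i + 2:i + 6])[0], 6
            else:
                raise ValueError("partial body lengths are not supported here")
        else:                                             # old-format header
            tag, ltype = (ptag >> 2) & 0x0F, ptag & 0x03
            if ltype == 0:
                length, hdr = data[i + 1], 2
            elif ltype == 1:
                length, hdr = struct.unpack("!H", data[i + 1:i + 3])[0], 3
            elif ltype == 2:
                length, hdr = struct.unpack("!I", data[i + 1:i + 5])[0], 5
            else:
                raise ValueError("indeterminate packet length is not supported here")
        if i + hdr + length > len(data):
            raise ValueError("packet length runs past end of data")
        yield tag, data[i + hdr:i + hdr + length]
        i += hdr + length


def v4_fingerprint(pubkey_body: bytes) -> str:
    """OpenPGP v4 fingerprint: SHA-1 over 0x99, 2-octet body length, body (RFC 4880 s.12.2)."""
    return hashlib.sha1(b"\x99" + struct.pack("!H", len(pubkey_body)) + pubkey_body).hexdigest().upper()


def fingerprint_from_cert_pgp(rdata: bytes) -> str:
    """Return the fingerprint of the primary key carried in a CERT PGP (type 3) record."""
    rec = parse_cert_rdata(rdata)
    if rec["type"] != 3:
        raise ValueError("expected CERT type PGP (3), got %s" % rec["type_name"])
    for tag, body in openpgp_packets(rec["certificate"]):
        if tag == 6 and body and body[0] == 4:            # tag 6 = Public-Key packet, version 4
            return v4_fingerprint(body)
    raise ValueError("no version 4 public key packet in certificate data")


def fingerprint_matches(rdata: bytes, expected_fpr: str) -> bool:
    """Compare the record's fingerprint with one obtained another way (e.g. the signing-keys page)."""
    expected = expected_fpr.replace(" ", "").upper()
    return hmac.compare_digest(fingerprint_from_cert_pgp(rdata), expected)


def parse_tlsa_rdata(rdata: bytes) -> dict:
    """Split TLSA RDATA into usage, selector, matching type and association data (RFC 6698 s.2.1)."""
    if len(rdata) < 4:
        raise ValueError("TLSA RDATA too short")
    return {"usage": rdata[0], "selector": rdata[1], "matching_type": rdata[2], "data": rdata[3:]}


def tlsa_matches(rdata: bytes, cert_der: bytes) -> bool:
    """Check a presented certificate against a TLSA record (selector 0 = full certificate only)."""
    rec = parse_tlsa_rdata(rdata)
    if rec["selector"] != 0:
        raise ValueError("selector %d (SubjectPublicKeyInfo) needs an X.509 parser" % rec["selector"])
    if rec["matching_type"] not in TLSA_DIGEST:
        raise ValueError("unknown matching type %d" % rec["matching_type"])
    return hmac.compare_digest(TLSA_DIGEST[rec["matching_type"]](cert_der), rec["data"])


# --- Constructed sample data (not real keys or certificates) ---------------------------------

def build_cert_pgp_rdata(modulus: bytes, user_id: bytes) -> bytes:
    """Build CERT PGP RDATA around a minimal constructed v4 RSA public key (RFC 4880 s.5.5.2)."""
    mpi_n = struct.pack("!H", len(modulus) * 8) + modulus   # MPI: bit length, then magnitude
    mpi_e = struct.pack("!H", 17) + b"\x01\x00\x01"          # e = 65537
    body = b"\x04" + struct.pack("!I", 1377988560) + b"\x01" + mpi_n + mpi_e  # v4, time, RSA
    key_pkt = bytes([0x80 | (6 << 2), len(body)]) + body     # old-format header, tag 6
    uid_pkt = bytes([0xC0 | 13, len(user_id)]) + user_id     # new-format header, tag 13
    return struct.pack("!HHB", 3, 0, 0) + key_pkt + uid_pkt  # type PGP; key tag and algorithm 0


def build_tlsa_rdata(usage: int, selector: int, matching_type: int, cert_der: bytes) -> bytes:
    return bytes([usage, selector, matching_type]) + TLSA_DIGEST[matching_type](cert_der)


SAMPLE_CERT_RDATA = build_cert_pgp_rdata(b"\xc2\x5a\x11\x0f\x93\x7b\x44\xe1",
                                         b"Example User <user@example.invalid>")
SAMPLE_CERT_DER = b"constructed stand-in for a DER-encoded server certificate"
SAMPLE_TLSA_RDATA = build_tlsa_rdata(3, 0, 1, SAMPLE_CERT_DER)   # DANE-EE, full cert, SHA-256

if __name__ == "__main__":
    fpr = fingerprint_from_cert_pgp(SAMPLE_CERT_RDATA)
    print("CERT PGP fingerprint:", fpr, "matches:", fingerprint_matches(SAMPLE_CERT_RDATA, fpr))
    print("TLSA matches certificate:", tlsa_matches(SAMPLE_TLSA_RDATA, SAMPLE_CERT_DER))
```

The point of `fingerprint_matches` is the cross-check the post asks for: the fingerprint recomputed from the DNSSEC-validated record is compared with the one read off the signing-keys page, so a key that appears in only one of the two places stands out. Only a DNSSEC-validating resolver that reports the AD flag (or a local validator) makes the record's contents trustworthy; the script deliberately does not read unvalidated answers.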
Received from Erinn Clark, on 2013-09-01 2:36 PM:
Hello everyone,
I discovered that there is a key out there (CEE1590D) associated with my Tor email address that is NOT me. I don't know who generated it, but I can think of many nefarious or incompetent reasons why they might have done it.
This email is for two purposes:
- To inform you that this is NOT MY KEY. Do not under any circumstances trust anything that may have ever been signed or encrypted with this key. I looked around and was unable to find anything, but nonetheless, it is out there and that is creepy.
- If anyone on any of these lists has encountered this key anywhere -- the main fear being that it has been used to fraudulently sign packages of some kind -- can you please let me/us know ASAP?
Tor Project official signatures are listed here: https://www.torproject.org/docs/signing-keys.html.en
Consider that the canonical source for all signatures! Be suspicious of anything not listed there and let us know if you ever find anything.
Thanks, The Real Erinn
tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev