On 07/02/2013 04:51 AM, intrigeri wrote:
Hi,

adrelanos wrote (01 Jul 2013 18:03:01 GMT) :
Goal:
- big file downloads
- at least as secure as TLS
- at least as simple as a regular download using a browser
- not using TLS itself (too expensive) for bulk download
The problem: [...]
+ verify that the signed file you've downloaded is actually the
   version you intended to download, and not an older, also properly
   signed one.

See tools that take this into account:
   - Thandy (already mentioned by Moritz)
   - our design for incremental updates:
     https://tails.boum.org/todo/incremental_upgrades/
   - TUF:
     https://www.updateframework.com/

Does Debian's "Valid-Until" field in the release files solve this problem?

-Jonathan


Other than this, our current take on it is, I believe, making it
easier to verify OpenPGP detached signatures. E.g. we're working to
make it work flawlessly on the GNOME desktop.

Cheers,
--
   intrigeri
   | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
   | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
--
Too many emails? Unsubscribe, change to digest, or change password by emailing 
moderator at compa...@stanford.edu or changing your settings at 
https://mailman.stanford.edu/mailman/listinfo/liberationtech
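
Added example, not part of the thread and not Debian's or APT's own code: a freshness check over the `Date` and `Valid-Until` fields of a Release file, assuming its OpenPGP signature has already been verified. The sample file, the function names and the `last_seen_date` comparison (state kept by the client) are assumptions made for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample of Release-file header fields (not real archive data).
SAMPLE_RELEASE = """\
Origin: Example
Suite: stable
Date: Sat, 06 Jul 2013 12:00:00 UTC
Valid-Until: Sat, 13 Jul 2013 12:00:00 UTC
SHA256:
 0000000000000000 1234 main/binary-amd64/Packages
"""

def parse_fields(text):
    """Collect top-level 'Key: value' fields; indented lines are checksum entries."""
    fields = {}
    for line in text.splitlines():
        if line and not line[0].isspace() and ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields

def parse_date(value):
    """Parse an RFC 2822 style date; treat a missing zone as UTC."""
    dt = parsedate_to_datetime(value)
    return dt.replace(tzinfo=timezone.utc) if dt.tzinfo is None else dt

def check_freshness(release_text, now, last_seen_date=None):
    """Return (ok, reason). Assumes the signature was already verified."""
    fields = parse_fields(release_text)
    if "Date" not in fields or "Valid-Until" not in fields:
        # Without an expiry, an old but validly signed file never goes stale.
        return False, "missing Date or Valid-Until"
    date = parse_date(fields["Date"])
    until = parse_date(fields["Valid-Until"])
    if now > until:
        return False, "expired"    # replay of stale metadata after the window
    if last_seen_date is not None and date < last_seen_date:
        return False, "rollback"   # older than metadata this client already accepted
    return True, "fresh"

if __name__ == "__main__":
    now = datetime(2013, 7, 7, tzinfo=timezone.utc)
    print(check_freshness(SAMPLE_RELEASE, now))
```

The expiry check bounds how long an old signed file can be replayed; inside that window an older file still passes unless the client remembers the `Date` of newer metadata it has accepted.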


